Breaking Compliance News Blog

Guest HIPAA Blog: Communicating With Your Patients

Posted by Margaret Scavotto, JD, CHC on 7/11/17 11:34 AM


Today's HIPAA blog comes from guest blogger Maggie Hales.

Maggie Hales is a lawyer and CEO of ET&C Group LLC which helps untangle the laws of HIPAA for the healthcare industry. She graduated from Webster University with Honors, and St. Louis University School of Law.

Communicating With Your Patients



Health care providers who accept Medicare are adapting to new rules under the Medicare Access and CHIP Reauthorization Act or MACRA.[1] The law is dense and complicated, but essentially, its purpose is to adjust payment measures to reward the delivery of high-quality patient care. The Merit-based Incentive Payment System (MIPS) is a core element of the change from prior rules. The relevance to HIPAA is that a central element of MACRA is an increased focus on patient engagement because when patients are engaged in their own healthcare, outcomes improve.

Effective patient engagement requires regular patient communications. The problem is that communications raise the risk of disclosure of protected health information (PHI). And today, with the use of email and text messaging, the risk is even greater. Ninety-nine percent of patients today use social media and most prefer regular, unencrypted email and texting. Unfortunately, they may not have considered the consequences.

Using unencrypted emails and text messages is like handing a postcard to someone in L.A. who will hand it off to a million people as it travels to N.Y., and each of those million can read it anywhere along the line.


HIPAA provides a 3-step safeguard that helps both providers and patients: providers will stay in compliance and patients are engaged in maintaining privacy of their own PHI.

Simply stated, it includes:

  1. Notice - a duty to warn;

  2. Let the patient decide; and

  3. Document the warning and response in writing.

If a patient says “no” to unencrypted communication, take steps to encrypt, inform your workforce and business associates, and document these steps. A common misunderstanding is that if a patient initiates communication through email, the provider can assume the patient accepts this method. Although this was the HHS policy in 2008, it changed in 2016 when the duty to warn became law.

Read more about encryption options, as well as more of Maggie's blog posts, here.
