Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

Do you need patient consent to share PHI through Paubox Text Messaging?

Do you need patient consent to share PHI through Paubox Text Messaging?

When specific precautions are in place, HIPAA allows for electronic communications between patient and provider for reasons like treatment or billing. These precautions are met by making use of HIPAA compliant text messaging platforms like Paubox Text Messaging designed with compliance in mind. 

 

When do you need patient consent for text messaging? 

According to HIPAA, specifically 45 CFR § 164.502, “A covered entity or business associate may not use or disclose protected health information, except as permitted or required…Except for uses and disclosures prohibited under § 164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under § 164.508…” This means that for text messaging, patient consent is needed when the communication falls outside of HIPAA’s permitted uses, like sharing PHI for reasons not directly related to the patient's diagnosis and treatment.  

 

When is consent required? 

  • When sending unencrypted text messages involving PHI. 
  • Consent is needed if the patient specifically requests unencrypted text messaging and the provider must warn them of the risks. 
  • When text messaging PHI to third parties not involved in the patient's treatment, payment, or healthcare operations. 
  • If the text messages are being used for marketing or fundraising purposes. 

When is it not required? 

  • It is not required when texting PHI using encrypted HIPAA compliant messaging systems. 
  • When messages are related to messages as long as they are part of standard care operations. 
  • When reminding patients of appointments or follow-ups provided the text is sent securely. 
  • If the patient initiates communication through texts. 
  • When text messaging is used for payment, or health operations allowed by HIPAA. 

How encrypted messaging platforms like Paubox eliminate the need for consent

The use of HIPAA compliant text messaging services like Paubox therefore fulfills HIPAA’s technical requirement for encryption and allows healthcare providers to securely communicate with patients without additional authorization. HHS guidance provides that, “...The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.” 

HIPAA’s Security Rule established the safeguards that ensure the confidentiality and security of electronic communications. Encryption, a necessary safeguard, effectively protects PHI from unauthorized access. When text messaging platforms combine encryption with other measures like unique user identification and a signed business associate agreement that outlines the use of PHI, it eliminates the need for additional consent for communications that would not typically require it. 

 

Why consent is still the best practice

A valuable recommendation from the American Psychiatric Association guidance, applicable to the use of text messaging in all healthcare providers states “It is still best practice for physicians to obtain express written consent from their patient….” Even though encrypted messaging platforms like Paubox provide security, obtaining patient consent before text messaging remains a best practice because it promotes ethical communication between provider and patient. 

By seeking consent, providers can make sure that patients are completely aware of how their PHI is used and any risks involved (although encryption minimizes this risk significantly). The action of seeking consent also allows for the improvement of the patient provider relationship by allowing the patient to express their preference. This solidifies the patient's autonomy early in their health journey and provides a way to create open lines of communication. 

 

FAQs

What are the permitted uses of PHI? 

Uses of PHI including treatment, payment, healthcare operations, and disclosures required by law or public health activities. 

 

What are the prohibited uses of PHI? 

Disclosures not covered by HIPAA’s permitted uses like unauthorized marketing, or using PHI for personal gain.

 

What is encryption?

A security process that converts data into a coded format to prevent unauthorized access. 

 

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.