HIPAA-Compliant Patient Communication: What You Can Say, What to Avoid
Understanding Protected Health Information
What counts as PHI
Protected Health Information (PHI) is any individually identifiable health information—spoken, written, or electronic—that relates to a person’s health status, care, or payment and can be tied to an identifier. Common identifiers include name, full address, phone or email, date of birth, medical record numbers, account numbers, device IDs, biometric identifiers, and full-face photos.
What you can say
- General, non-identifiable information (for example, clinic hours or instructions to use the patient portal).
- Appointment logistics that avoid diagnosis details (e.g., “Your visit is on Tuesday at 10 a.m.”).
- De-identified data that meets HIPAA's de-identification standard (Safe Harbor or Expert Determination).
What to avoid
- Discussing diagnoses, lab values, prescriptions, or account balances over non-secure channels.
- Revealing PHI in public spaces, on social media, or in subject lines of emails or voicemails.
- Sharing information with family or friends unless the patient has authorized it.
Apply the minimum necessary standard
Disclose only the minimum information needed for the task. For treatment, payment, and operations you may use PHI without additional authorization, but still limit details and document your rationale when possible.
Using Secure Communication Methods
Recommended channels
- Secure Patient Messaging within a patient portal for results, care plans, and questions.
- Enterprise-grade encrypted email and secure texting platforms designed for healthcare.
- Telehealth systems that integrate identity checks, access controls, and audit logs.
Technical safeguards
- Use strong Encryption Protocols in transit and at rest, enforce multifactor authentication, and enable device encryption with remote wipe.
- Apply role-based access, automatic timeouts, and centralized logging to track message access and modifications.
- Execute Business Associate Agreements with vendors that handle PHI and verify their security controls.
Administrative safeguards
- Define which topics must always go through secure channels (e.g., results, imaging, diagnosis changes).
- Publish a communication matrix that maps message type to channel and retention requirements.
- Include Risk Assessment Training so staff recognize phishing, spoofing, and social engineering.
Obtaining Patient Consent
When consent is required
Routine care may rely on implied consent, but explicit authorization is needed for disclosures beyond treatment, payment, and operations, and for non-secure email or SMS when a patient insists on using them despite the risks.
Patient Consent Documentation essentials
- Document the patient’s preferred channels, scope of communication, risks discussed, and any restrictions.
- Record the date/time, who provided consent, the staff member obtaining it, and expiration or revocation terms.
- Store authorizations in the EHR and surface them at the point of communication to prevent errors.
Special scenarios
- Proxies and caregivers: verify authority and keep documentation on file before discussing PHI.
- Minors: follow custody and state-specific rules; capture authorizations accordingly.
- Revocation: honor changes immediately and update your communication matrix and alerts.
Implementing Email and Text Guidelines
Email best practices
- Do not include PHI in subject lines or headers; keep subjects generic (e.g., “Message from your care team”).
- Confirm addresses before sending; disable auto-complete for external emails when possible.
- Send PHI through encrypted email or, preferably, via the patient portal with a notification email that contains no PHI.
- Protect attachments with Encryption Protocols; avoid PDFs or images containing visible identifiers unless sent securely.
Text/SMS best practices
- Use SMS for non-PHI only: reminders, scheduling prompts, or “Please check your portal.”
- Offer opt-in/opt-out and verify mobile numbers during registration and at each visit.
- For staff-to-staff messages, use secure texting that supports access controls and audit trails—not consumer apps.
Language to use and avoid
- Use: “You have a new message in your portal.”
- Avoid: diagnosis names, lab values, imaging results, or medication lists in unencrypted channels.
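As an added example (not code from the article or from Accountable), the pre-send check below enforces the email and SMS rules above: the subject line is scanned for every channel, because headers are exposed even when the body is encrypted or the message sits in the portal, and the body is scanned only on channels treated as non-secure. The identifier patterns, clinical terms, and allowlisted clinic phone number are constructed placeholders, not a complete PHI vocabulary.

```python
import re
from dataclasses import dataclass

# Constructed patterns for a few HIPAA Safe Harbor identifiers (assumed, not from the
# article); a production DLP check would use a fuller identifier and clinical vocabulary.
IDENTIFIER_PATTERNS = {
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    # Safe Harbor treats dates tied to an individual (e.g. date of birth) as identifiers.
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}
CLINICAL_TERMS = ("diagnos", "lab result", "a1c", "hiv", "biopsy", "prescription", "balance due")
# Constructed allowlist of the organisation's own contact strings, which are not patient PHI.
ORG_CONTACT_STRINGS = ("555-010-0100",)
# Channels whose message body is protected; subject lines and headers never are.
SECURE_CHANNELS = {"portal", "secure_text"}


@dataclass(frozen=True)
class Finding:
    location: str  # "subject" or "body"
    kind: str
    match: str


def find_phi(text: str, location: str) -> list[Finding]:
    """Flag identifier patterns and clinical terms in one field of an outbound message."""
    for allowed in ORG_CONTACT_STRINGS:
        text = text.replace(allowed, "")
    findings = [Finding(location, kind, m.group(0))
                for kind, pat in IDENTIFIER_PATTERNS.items() for m in pat.finditer(text)]
    lowered = text.lower()
    findings += [Finding(location, "clinical_term", t) for t in CLINICAL_TERMS if t in lowered]
    return findings


def check_outbound(subject: str, body: str, channel: str) -> list[Finding]:
    """Return the findings that should block sending. The subject is checked for every
    channel; the body is checked only when the channel is not a secure one."""
    findings = find_phi(subject, "subject")
    if channel not in SECURE_CHANNELS:
        findings += find_phi(body, "body")
    return findings


if __name__ == "__main__":
    for f in check_outbound("Lab results for MRN 1234567", "Your A1c is 8.2", "email"):
        print(f"{f.location}: {f.kind} -> {f.match!r}")
```

An empty result means the message matches the "You have a new message in your portal" pattern the article recommends; anything else should be routed through the portal instead.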
Verifying Patient Identity
Identity Verification Procedures
- In person: request a government photo ID plus a second identifier (e.g., full name and date of birth).
- By phone: confirm at least two identifiers and, for sensitive inquiries, call back using the number on file.
- Portal/telehealth: require multifactor authentication and confirm identity at the session start (e.g., show ID on camera).
- Proxies: validate legal authority (e.g., documented permission, POA) before disclosing PHI.
Red flags and responses
- If details do not match, the requester presses you to bypass checks, or technology problems disrupt verification: pause, re-verify, or escalate.
- Log verification steps; failed attempts should trigger alerts and, if needed, account security resets.
Managing Physical Records
Paper and printed PHI
- Store charts in locked areas; track check-outs; never leave PHI on printers, copiers, or open desks.
- Use cover sheets for faxes and confirm recipient numbers before sending.
- Dispose of PHI using cross-cut shredding or certified destruction; document destruction events.
Public spaces and conversations
- Avoid speaking about conditions or results in waiting areas; move to private spaces when possible.
- Use patients' first names only when calling them from a lobby, and never mention the reason for the visit aloud.
- Keep whiteboards or signage free of full names, diagnoses, or room numbers visible to the public.
Enforcing Internal Communication Policies
Build a policy framework
- Map procedures to HIPAA Compliance Standards across administrative, physical, and technical safeguards.
- Define acceptable channels, message retention, escalation paths, and sanctions for non-compliance.
- Address bring-your-own-device (BYOD) use with mobile device management, containerization, and remote wipe.
Training, auditing, and improvement
- Deliver role-based onboarding plus ongoing Risk Assessment Training with real-world scenarios.
- Monitor with periodic audits of messages, access logs, and misdirected communications; remediate promptly.
- Track metrics such as training completion, portal adoption, message turnaround, and incident rates.
Incident response
- Standardize steps for containment, forensic review, patient notification, and corrective action.
- Run tabletop exercises so staff can practice decisions under pressure and refine playbooks.
Conclusion
When you align daily workflows to HIPAA Compliance Standards—protecting PHI, verifying identities, using secure channels, and documenting consent—you reduce risk and earn patient trust. Clear policies, practical tools, and continuous training make HIPAA-compliant patient communication both safe and efficient.
FAQs
What constitutes Protected Health Information under HIPAA?
PHI is any health-related information that can identify a person and concerns their health status, the care they receive, or payment for that care. It includes data tied to identifiers such as names, addresses, dates of birth, medical record numbers, contact details, account numbers, device and biometric identifiers, and full-face photos. De-identified data—where specific identifiers are removed or an expert determines re-identification risk is very small—is not PHI.
How can healthcare providers verify patient identity securely?
Use layered checks: photo ID plus a second identifier in person; two or more identifiers and call-backs for phone requests; multifactor authentication and on-camera ID checks for telehealth; and documented authority for proxies. Log each verification step and require stronger proof for sensitive disclosures or unusual requests.
What are the risks of non-secure communication methods?
Plain email or SMS can be intercepted, misdelivered, or accessed on lost or shared devices. Messages may persist on third-party servers without your control, and metadata (subject lines, headers) can reveal more than intended. Using Secure Patient Messaging, encryption, access controls, and identity verification greatly reduces these risks.
How often should HIPAA training be conducted for staff?
Provide role-based training at hire, then refresh at least annually and whenever policies, systems, or job duties change. Add targeted sessions after incidents and include Risk Assessment Training that covers phishing, social engineering, and real communication scenarios.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.