HIPAA Guidelines for Patient Communication: Text, Email & Security

Imagine sending a patient a text about their upcoming eye exam, but they’re at work and haven’t had a chance to read it. Later, they open their messages, but someone else has already seen the reminder—a well-meaning family member who glanced at the phone.
A message intended only for the patient has been inadvertently shared, sparking concerns over patient privacy—and a possible costly HIPAA violation for you.
Technology makes it easy and convenient to get in touch with your optometry patients, and good communication supports better patient engagement. However, you must be mindful of the safeguards and regulations that protect patient privacy.

HIPAA Overview
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects patient health information and regulates all forms of patient communications. This includes texts, emails and emerging technologies such as patient portals, secure messaging apps, and telehealth platforms.
As in most industries, healthcare communication is increasingly digital. Simply put, texting and emailing are convenient for both optometrists and their patients. They are less time-consuming than phone calls and the telephone tag that often follows.
However, as the use of texts and emails increases, so does the risk of exposing protected health information (PHI) to breaches. Because of this heightened risk, optometry practices are obligated to follow HIPAA guidelines for patient communication via text and email as well as patient portals that allow patients to access medical information at will.
Security Requirements and Implementation
Let's examine the fundamental security standards that form the basis of all HIPAA-compliant communication.
Core Security Standards
Healthcare providers must implement comprehensive security measures to protect patient information across all communication channels. These fundamental requirements form the foundation of HIPAA compliance:
- All PHI must be encrypted during transmission.
- Patient consent is required before sending any PHI electronically.
- Documentation of consent and communications must be maintained.
- Risk assessments must be conducted regularly to identify vulnerabilities.
- All staff must be trained on security policies and compliance requirements.
When implementing these requirements, providers must adapt them to different communication channels, each with its own unique challenges and considerations.
HIPAA Guidelines for Text Messaging
Americans send and receive over 2 trillion texts every year, and 97 percent own a cell phone. Having this kind of access to your patients means you can get in touch with almost anyone in an instant—for better or for worse.
You can’t control who unlocks a phone and reads a private text message, so HIPAA requires that you take extra steps to maintain patient data security.
According to The HIPAA Journal, texting can be compliant, provided you encrypt the data and use a secure network to prevent data breaches.
Other HIPAA safeguards for texting PHI include:
- Patients must have provided consent to be contacted by SMS text.
- Practices must implement policies surrounding texting and accessing sensitive health information.
- Messages must comply with the minimum necessary standard.
- Only authorized users may handle PHI.
- Practices must conduct frequent risk assessments to verify HIPAA text messaging remains compliant.
- All authorized users must understand these policies and know that noncompliance has consequences.
HIPAA Guidelines for Email
92 percent of Americans communicate via email, and it’s a great way to share key information that patients can access over and over again. As with texting, HIPAA-compliant email guidelines are strict, and you must follow certain safeguards:
- Staff must verify the recipient's email address twice before sending any PHI.
- Healthcare providers must encrypt all electronic protected health information before transmission.
- Providers must obtain and maintain documented consent from patients before initiating email communication.
- The practice's email system must operate behind a secure firewall.
- Any communications that leave the practice's secure network require additional security measures to maintain HIPAA compliance.
HIPAA Guidelines for Patient Portals
Modern healthcare practices increasingly rely on patient portals as secure gateways for health information exchange. These web-based platforms serve as digital hubs where patients can safely access their medical records, view test results, schedule appointments, and communicate with their healthcare providers.
To maintain HIPAA compliance, patient portals must incorporate multiple layers of security safeguards. These technical and administrative controls protect sensitive patient information while ensuring authorized access.
Key security requirements include:
- All patient data must be encrypted during transmission to prevent unauthorized interception.
- The portal must implement secure authentication methods to verify the identity of users accessing the system.
- The system must maintain detailed audit trails that record all access to patient information.
- Healthcare organizations must implement role-based access controls that limit staff access based on job functions.
- The portal must include automatic timeout features that log users out after periods of inactivity.
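As an added illustration (not RevolutionEHR code and not from the original page), this Python sketch enforces three of the portal controls listed above: role-based access limited by job function, an audit-trail entry for every access attempt whether granted or denied, and an automatic inactivity timeout. The 15-minute limit, the roles and record types, and the scenario data in run_demo are all assumed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(minutes=15)  # assumed policy value, not from the page
ROLE_PERMISSIONS = {  # role -> record types it may read (limited by job function)
    "patient": {"results", "appointments"},   # own records only, enforced below
    "front_desk": {"appointments"},
    "optometrist": {"results", "appointments", "clinical_notes"},
}

@dataclass
class Session:
    user_id: str
    role: str
    last_activity: datetime
    patient_id: str = ""   # set for patient logins only
    active: bool = True

@dataclass
class Portal:
    audit_log: list = field(default_factory=list)

    def access(self, session, record_type, patient_id, now):
        """Decide one access request and write it to the audit trail either way."""
        decision = self._decide(session, record_type, patient_id, now)
        self.audit_log.append({"time": now.isoformat(), "user": session.user_id, "role": session.role,
                               "record": record_type, "patient": patient_id, "decision": decision})
        if decision == "granted":
            session.last_activity = now   # activity resets the inactivity clock
        return decision

    def _decide(self, session, record_type, patient_id, now):
        if not session.active:
            return "denied:logged_out"
        if now - session.last_activity > INACTIVITY_LIMIT:
            session.active = False        # automatic logout after inactivity
            return "denied:timeout"
        if record_type not in ROLE_PERMISSIONS.get(session.role, set()):
            return "denied:role"
        if session.role == "patient" and patient_id != session.patient_id:
            return "denied:not_own_record"  # patients may read only their own PHI
        return "granted"

def run_demo():
    """Constructed scenario; returns (decisions, audit_log) so results can be checked."""
    portal, t0 = Portal(), datetime(2024, 1, 1, 9, 0)
    pat = Session("pat-1", "patient", t0, patient_id="P1")
    desk = Session("desk-1", "front_desk", t0)
    m = lambda k: t0 + timedelta(minutes=k)
    decisions = [portal.access(pat, "results", "P1", m(1)),         # granted
                 portal.access(pat, "results", "P2", m(2)),         # another patient's PHI
                 portal.access(desk, "clinical_notes", "P1", m(1)), # outside front-desk role
                 portal.access(desk, "appointments", "P1", m(20)),  # idle > 15 min
                 portal.access(desk, "appointments", "P1", m(21))]  # session already ended
    return decisions, portal.audit_log
```

Every attempt, including the denied ones, lands in the audit trail, which is what an OCR investigator looks for when asking whether the practice monitored system activity.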
When properly implemented, secure patient portals become a powerful tool for both practices and patients—boosting trust, streamlining care delivery, and maintaining HIPAA compliance while meeting patients' growing expectations for digital access to their healthcare information.
HIPAA Risk Assessment & Management
As convenient as it may be, sending your patient a text or email is not without risks. Sending healthcare communications without following medical records security standards is dangerous.
HIPAA mandates that healthcare providers—including optometrists—conduct regular risk assessments to identify vulnerabilities in their communication channels to lower the odds of a data breach or non-compliance.
With these fundamental security requirements in mind, let's examine how HIPAA compliance applies to specific communication channels used in optometry practices.

HIPAA Violations
While these communication tools offer valuable ways to connect with patients, understanding common HIPAA violations is crucial for avoiding costly mistakes and protecting patient privacy.
HIPAA is constantly changing, and there have been significant updates in 2024. Major proposed changes include greater freedom for patients to inspect and access their own PHI, so optometrists must keep security a priority to avoid violations and penalties.
The penalties for HIPAA violations are high and depend on the extent of the negligence. The minimum penalty for HIPAA noncompliance is $50,000 per violation, with a maximum fine of $1.5 million annually for violations of an identical provision.

Fines increase with severity—from reasonable cause to willful neglect—and the number of patients involved. It’s important to note that some violations carry criminal charges and can lead to jail time.
Common HIPAA Violations
There are many ways HIPAA provisions can be breached. Here are the most common.
Unencrypted Patient Records
Per HIPAA, you must store patient information and records securely, ensure they’re properly encrypted, and password protect them.
Improper Destruction of PHI
Obsolete medical records should be permanently destroyed so that they don’t fall into unauthorized hands.
Not Properly Training Employees
All practices are required to train employees on HIPAA compliance, including regarding texting and emailing PHI.
Unencrypted Data Transmission
Sending patient information via unencrypted email, messages, or storage devices poses a high risk for data breaches.
Lost or Stolen Devices
Mobile devices or laptops containing patient information that are lost or stolen present a high risk of a HIPAA violation.
Lack of HIPAA-Compliant Text Messaging Solutions
When healthcare providers communicate with patients with standard SMS or third-party messaging apps that are not HIPAA-compliant, they risk interception and unauthorized dissemination of patient data. Non-compliant methods lack essential encryption and access control features.
Avoiding HIPAA Violations in Patient Emails
One common mistake is including too much personal health information in the subject line or in the body of an email without proper encryption. Failing to confirm the recipient’s identity or sending it to the wrong recipient can also result in a violation.
Failure to Obtain Patient Consent
Sometimes, healthcare providers may share patient information for reasons like referrals without obtaining patient consent.
Inadequate Incident Response
Failing to report a data breach within 60 days can lead to penalties under HIPAA’s Breach Notification Rule.
HIPAA Violation Penalties
Without the proper safeguards in place, you put your practice at risk of serious HIPAA violations. These infractions can be costly—both in fines and in damage to your reputation.

Recent HIPAA Violation Examples
These potential violations aren't just theoretical concerns. Data breaches are on the rise, and millions of Americans have had their PHI exposed due to HIPAA data violations.
Recent cases demonstrate the real-world consequences of HIPAA non-compliance. Here are some major violations that occurred in 2024.
Case Study 1: Lafourche Medical Group ($480,000 Fine)
A phishing attack on Lafourche Medical Group exposed the PHI of 34,862 patients. The Office for Civil Rights (OCR) investigation revealed inadequate risk assessments and lack of policies to monitor system activity.
Resolution: Lafourche settled the case with a $480,000 fine and entered into a corrective action plan that included a thorough risk assessment, ongoing training and system monitoring enhancements.
Case Study 2: Green Ridge Behavioral Health ($40,000 Fine)
Following a ransomware attack that exposed the PHI of 14,000 patients, Green Ridge Behavioral Health faced a $40,000 fine. The OCR investigation revealed several compliance failures, including the failure to conduct a proper risk analysis, not reducing risks to ePHI and a lack of policies for monitoring system activity.
This organization had no security risk analysis prior to the attack and inadequate procedures for reviewing system activity logs.
Resolution: Green Ridge Behavioral Health paid a $40,000 penalty and committed to a corrective action plan that included security risk analysis, implementation of policies to reduce risks to ePHI and improved system activity monitoring procedures to prevent future violations.
Major Unresolved HIPAA Breaches
- Change Healthcare breach. This breach is considered the largest healthcare data breach in history. A cyberattack compromised PHI of about 100 million individuals, exposing a massive amount of sensitive patient data.
- Kaiser Foundation Health Plan breach. Website trackers leaked PHI and internet traffic for around 13.4 million individuals. This data was disclosed to third parties and even social media.
Hundreds more cases are currently under investigation by the Department of Health and Human Services Office for Civil Rights. These cases underscore the critical need for robust risk management, access controls, and consistent staff training to avoid costly penalties and safeguard patient trust.
Despite these cautionary tales, maintaining HIPAA compliance while communicating effectively with patients is achievable with the right tools and practices.
See the FAQ below for answers to your frequently asked questions about HIPAA patient communication guidelines.
Solutions and Best Practices
Patients love communicating via text and email; in one survey, 80% of respondents said they prefer digital communication like texts and emails, meaning they’re more likely to engage with your services and have a positive experience.
However, the penalties can be great for getting it wrong. One solution is to use EHR and practice management software, like RevolutionEHR, that includes the HIPAA security features you need to protect your practice.
RevolutionEHR: Secure Healthcare Communication Solutions
Two communication tools work from within RevolutionEHR to make it easier to give your patients what they want, while saving time and ensuring that your practice remains HIPAA compliant.
RevDirect
RevDirect is a messaging service that allows users to exchange PHI with other healthcare professionals from within RevolutionEHR. RevDirect is HIPAA-compliant, so your practice providers and staff will be assured that PHI in external messaging meets HIPAA security guidelines.
With RevDirect, your practice can:
- Exchange protected health information securely and seamlessly from within RevolutionEHR
- Save time by streamlining external communications
- Never need to search for misfiled records sent by fax or email
- Eliminate the expenses of printing, faxing and mailing
RevConnect
RevConnect is a set of patient communication tools that simplifies the sharing and tracking of messages to patients using powerful email and text features.
With RevConnect, you can:
- Automate appointment and recall reminders to dramatically reduce no-shows.
- Send recall notices to increase patient retention.
- Create email campaigns and track performance.
- Create and send optical order status updates.
- Send automated birthday messages.
Through RevDirect and RevConnect, RevolutionEHR provides the comprehensive, secure communication tools your practice needs to maintain HIPAA compliance while delivering the convenient digital experience your patients expect.
Take control of your PHI with RevolutionEHR—to protect your patients and your practice. To learn more, request a demo today.
Frequently Asked Questions About HIPAA Communication
How do HIPAA violations impact optometry practices and patients?
HIPAA violations in optometry practices can result in severe legal and financial penalties that lead to lasting reputation damage. For patients, breaches and violations can expose their sensitive health information, erode trust, and even lead to identity theft.
Can optometrists use text and email for patient communication?
Yes, optometrists can use text and email to contact patients, provided they adhere to secure email practices for patient communication and follow HIPAA guidelines. This can include end-to-end encryption, two-factor authentication (2FA) and a secure messaging system integrated into your practice management software.
What safeguards are required when texting PHI?
HIPAA-compliant messaging platforms must include strong access controls and audit trails. Additionally, verifying the recipient’s identity and adhering to the minimum necessary rule are essential measures for protecting PHI.
The minimum necessary rule stipulates that healthcare providers and organizations must only access, use, or disclose the minimum amount of PHI necessary to accomplish the intended purpose.
Are there specific rules for emailing patient information?
While HIPAA doesn’t explicitly prohibit email communication for PHI, it mandates implementing access controls, audit trails, integrity controls, ID authentication, and transmission security mechanisms. Encryption is highly recommended, especially for emails sent outside a protected internal network.
How can practices ensure HIPAA compliance with email?
To ensure HIPAA compliance with email, optometry practices should use HIPAA-compliant email providers that offer end-to-end encryption and strong access controls.
Adhering to guidelines for protecting patient data in optometry communications is crucial. These guidelines include audit trails, patient identity authentication, and ongoing monitoring to protect against unauthorized access to PHI.
What penalties are associated with HIPAA violations?
Penalties for HIPAA violations are multi-tiered and can be severe. Civil penalties, overseen by HHS' Office for Civil Rights, start at $137 per violation as of November 2024, and can escalate to $2,067,813 for willful neglect. State Attorneys General and the Federal Trade Commission can also impose fines.
Criminal penalties can result in fines ranging from $50,000 to $250,000 and up to 10 years in jail, depending on the severity and intent of the violation. Restitution to victims and additional penalties for identity theft may also apply.
What are some common HIPAA breaches in optometry?
Common HIPAA breaches in optometry include unauthorized access to patient records by staff or external hackers. Accidental sharing of PHI through unsecured emails or messaging apps is another issue.
Failure to properly dispose of paper records or outdated prescription data can also lead to breaches. Theft or loss of devices containing PHI, like laptops or smartphones, can compromise patient confidentiality.