HIPAA Guidelines for Communicating with Patients


  • HIPAA guidelines apply when texting and emailing patients.
  • HIPAA violations lead to severe legal repercussions, including costly financial penalties.
  • Compliance safeguards your practice as well as your patients’ protected health information, building trust and loyalty while protecting practice revenue.
RevolutionEHR

The HIPAA guidelines that regulate use of patients’ protected health information (PHI) also govern text and email communications. As these methods of communication are convenient and popular with patients, optometrists need to be up to date on HIPAA regulations regarding text and email of PHI.

The Benefits of Communicating with Patients by Text and Email

Simply put, texting and emailing are convenient for both optometrists and their patients. They are less time-consuming than phone calls and the telephone tag that often follows.

What’s more, increasing numbers of patients say they prefer digital communication. Respecting their preferences increases engagement and creates a positive patient experience.

However, as the use of texts and emails increases, so does the risk of exposing PHI to breaches. Because of this heightened risk, optometry practices are obligated to follow HIPAA guidelines for text and email communications.

Let’s take a look at HIPAA guidelines for patient communication and the implications of non-compliance.

HIPAA Guidelines for Texting Patients


HIPAA allows you to text patients, as long as you follow its security requirements. HIPAA demands that when you use a system that transfers protected data, you must control who accesses that data. But with ordinary text messages, you can’t prevent unauthorized persons from seeing your messages.

All a person needs to do is unlock the phone to read a private text. Because you can’t manage who can access the information you send, you must encrypt the data and use a secure network to stop attackers from accessing PHI.

Other HIPAA safeguards for texting PHI are:

  • Practices have to implement policies so that texting and accessing sensitive health information is done while complying with HIPAA.
  • All authorized users must understand these policies and know that noncompliance has stiff consequences.
  • PHI access must be limited to authorized users who need the data to fulfill their duties.
  • Authorized users must verify their identities using a centrally issued, unique PIN and username.
  • Frequent risk assessments must be conducted to verify that those with authorization implement all practice policies and are HIPAA-compliant when text messaging PHI.
  • Systems used for texting must maintain audit logs so that administrators can monitor usage.

Fortunately, your practice can send text messages and avoid HIPAA violations by taking advantage of secure text messaging solutions from trusted providers. These solutions contain all vital controls, like end-to-end encryption to prevent unauthorized individuals from intercepting and viewing information.

Additionally, users have to log in to the system to use it and are automatically logged off after a period of inactivity. And in case a mobile device is stolen or lost, the platform can automatically erase all the messages.

HIPAA Guidelines for Emailing Patients

You can’t go wrong with email; most, if not all, of your patients are already using it. However, there are a number of strict HIPAA conditions you must meet before emailing protected medical information.

According to the HIPAA Privacy Rule, you can use email to communicate with patients and coworkers after implementing these safeguards:

  • Double-checking addresses for accuracy before sending
  • Requesting recipients to confirm email addresses prior to sending electronic protected health information (ePHI)
  • Restricting the information being disclosed
  • Encrypting ePHI before sending to ensure that PHI will be safe while in transit and while at rest

Under HIPAA, you can still send unencrypted PHI. But first, you must inform patients of the risks of unencrypted email, like possible interception by a third party. Once a patient gives you explicit consent, you can go ahead and communicate by email.

To be on the safe side, keep evidence of the patient’s approval of this form of PHI sharing.

Internal vs. External Email Messages

If your email system is behind a secure firewall and uses a server on your own network, messages that stay inside that network are automatically compliant. However, once messages are sent outside of your practice and leave the firewall, they need to be protected.

The Cost of Noncompliance

The penalties for HIPAA violations are high and depend on the extent of the negligence. The minimum penalty for HIPAA noncompliance is $50,000 per violation, with a maximum fine of $1.5 million annually for violations of an identical provision.

Fines increase with severity from reasonable cause to willful neglect and the number of patients involved. It’s important to note that some violations carry criminal charges and can lead to jail time.

There are many ways HIPAA provisions can be breached. The most common include:

Unencrypted Patient Records

Per HIPAA, patient information and records must be stored securely, away from family members, unapproved employees, and other third parties. It’s essential to train your staff to ensure all digital records are properly encrypted as well as password protected.

Improper Destruction of PHI

Obsolete medical records should be permanently destroyed so that they don’t fall into unauthorized hands.

Not Properly Training Employees

Discussing or disclosing any kind of PHI on social media or in public can result in HIPAA violations. For this reason, all staff with access to PHI must be trained and receive “periodic” updates to make sure they are up to date and compliant with HIPAA regulations.

According to the HIPAA Journal, “periodic” is widely interpreted to mean annually.

RevolutionEHR Simplifies HIPAA Compliance


Patients love communicating via text and email. Talking to them using the channels they prefer delivers enhanced patient experiences, which leads to greater patient satisfaction and retention rates.

To make it easier to give your patients what they want, RevolutionEHR includes two communication tools that work seamlessly from within the system, letting you reach patients on their preferred channels while saving time and keeping your practice HIPAA compliant.


RevDirect is a messaging service that allows users to exchange PHI with other healthcare professionals from within RevolutionEHR. RevDirect is HIPAA compliant, so your practice providers and staff will be assured that PHI in external messaging meets HIPAA security guidelines.

With RevDirect, your practice can:

  • Exchange protected health information securely and seamlessly from within RevolutionEHR
  • Save time by streamlining external communications
  • Never need to search for misfiled records sent by fax or email
  • Eliminate the expenses of printing, faxing, and mailing


RevConnect is a set of patient communication tools that simplifies the sharing and tracking of messages to patients using powerful email and text features.

With RevConnect, you can:

  • Automate appointment and recall reminders to dramatically reduce no-shows
  • Send recare notices to increase patient retention
  • Create email campaigns and track performance
  • Create and send optical order status updates
  • Send automated birthday messages

Stay HIPAA Compliant with RevolutionEHR

RevolutionEHR is a comprehensive EHR-centered practice management solution with HIPAA-compliant external communication software and powerful patient communication tools. And they work seamlessly from within RevolutionEHR.

Take control of your PHI with RevolutionEHR — to protect your patients and your practice. To learn more, request a demo today.

