HIPAA Guidelines for Communicating with Patients


  • HIPAA guidelines for patient communication apply when texting and emailing patients.
  • HIPAA violations lead to severe legal repercussions, including costly financial penalties.
  • Compliance safeguards your practice as well as your patients’ protected health information, building trust and loyalty while protecting practice revenue.
  • Be sure your practice management software features secure integrated patient messaging functions to ensure HIPAA compliance.

The HIPAA guidelines that regulate use of patients’ protected health information (PHI) also govern text and email communications. As these methods of communication are convenient and popular with patients, optometrists need to be up to date on HIPAA guidelines for patient communication regarding text and email of PHI.

The Benefits of Communicating with Patients by Text and Email

Simply put, texting and emailing are convenient for both optometrists and their patients. They are less time-consuming than phone calls and the telephone tag that often follows.

What’s more, 80% of patients say they prefer digital communication to communicate with their healthcare providers. Respecting their preferences increases engagement and creates a positive patient experience.

However, as the use of texts and emails increases, so does the risk of exposing PHI to breaches. Because of this heightened risk, optometry practices are obligated to follow HIPAA guidelines for patient communication via text and email.

Let’s take a look at HIPAA guidelines for patient communication and the implications of non-compliance.


HIPAA Guidelines for Texting Patients

HIPAA allows you to text patients, as long as you follow its security requirements. HIPAA demands that when you use a system that transfers protected data, you must control who accesses that data. But when it comes to ordinary texts, you can’t prevent unauthorized persons from seeing your messages.

All a person needs to do is unlock the phone to read a private text. Because you can’t manage who can access the information you send, you must encrypt data and use a secure network to stop hackers from accessing PHI.

Other HIPAA safeguards for texting PHI are:

  • Practices have to implement policies so that texting and accessing sensitive health information is done while complying with HIPAA.
  • All authorized users must understand these policies and know that noncompliance has stiff consequences.
  • PHI access must be limited to authorized users who need the data to fulfill their duties.
  • Authorized users must verify their identities using a centrally issued, unique PIN and username.
  • Frequent risk assessments must be conducted to verify that those with authorization implement all practice policies and are HIPAA-compliant when text messaging PHI.
  • Systems used for texting must maintain audit logs to enable administrators to monitor usage.

Fortunately, your practice can send text messages and avoid HIPAA violations by taking advantage of secure text messaging solutions from trusted providers. These solutions contain all vital controls, like end-to-end encryption to prevent unauthorized individuals from intercepting and viewing information.

Additionally, users have to log in to the system to use it and are automatically logged off after a period of inactivity. And in case a mobile device is stolen or lost, the platform can automatically erase all the messages.

HIPAA Guidelines for Emailing Patients

You can’t go wrong with email; most, if not all, of your patients are already using it. However, there are a number of strict HIPAA conditions you must meet before emailing protected medical information.

According to the HIPAA Privacy Rule, you can use email to communicate with patients and coworkers after implementing these safeguards:

  • Double-checking addresses for accuracy before sending
  • Requesting recipients to confirm email addresses prior to sending electronic protected health information (ePHI)
  • Restricting the information being disclosed
  • Encrypting ePHI before sending to ensure that PHI will be safe while in transit and while at rest

Under HIPAA, you can still send unencrypted PHI. But first, you must inform patients of the risks of unencrypted mail, like possible interception by a third party. Once a patient gives you explicit consent, you can go ahead and communicate by email.

To be on the safe side, keep evidence of the patient’s approval of this form of PHI sharing.

Internal vs. External Email Messages

If your email system sits behind a secure firewall and uses a server on your own network, internal messages are automatically compliant. However, once messages are sent outside of your practice and leave the firewall, they need to be protected.

The Cost of Noncompliance

The penalties for HIPAA violations are high and depend on the extent of the negligence. The minimum penalty for HIPAA noncompliance is $50,000 per violation, with a maximum fine of $1.5 million annually for violations of an identical provision.

[Table: cost of noncompliance by tier]

*Table last updated in March 2022. The cost-of-living adjustment multiplier for 2023 is 1.07745, but this has not officially been applied by the HHS. The table above will be updated when the new penalty amounts for 2023 are finalized by the HHS.


Fines increase with severity from reasonable cause to willful neglect and the number of patients involved. It’s important to note that some violations carry criminal charges and can lead to jail time.

There are many ways HIPAA provisions can be breached. Here are the most common.

Unencrypted Patient Records

Per HIPAA, patient information and records must be stored securely, away from family members, unapproved employees, and other third parties. It’s essential to train your staff to ensure all digital records are properly encrypted as well as password protected.

Improper Destruction of PHI

Obsolete medical records should be permanently destroyed so that they don’t fall into unauthorized hands.

Not Properly Training Employees

Discussing or disclosing any kind of PHI on social media or in public can result in HIPAA violations. For this reason, all staff with access to PHI must be trained and receive “periodic” updates to make sure they are up to date and compliant with HIPAA regulations. According to the HIPAA Journal, “periodic” is widely interpreted to mean annually.

Unencrypted Data Transmission

Sending patient information via unencrypted email, messages, or storage devices poses a high risk for data breaches. HIPAA requires that all electronic protected health information (ePHI) be encrypted during transmission.

Lost or Stolen Devices

Mobile devices or laptops containing patient information that are lost or stolen present a high risk of a HIPAA violation. Proper security measures, including encryption and remote wiping capabilities, must be in place to protect this data.


Lack of HIPAA-Compliant Text Messaging Solutions

When healthcare providers use standard SMS or third-party messaging apps that are not HIPAA compliant to communicate patient information, they risk interception and unauthorized dissemination of patient data. These non-compliant methods lack essential encryption and access control features.

Avoiding HIPAA Violations in Patient Emails

One common mistake is including too much personal health information in the subject line or in the body of an email without proper encryption. Failing to confirm the recipient’s identity or sending it to the wrong recipient can also result in a HIPAA violation.
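The email safeguards listed earlier (confirming the recipient’s address, restricting what is disclosed, encrypting or obtaining documented consent) and the subject-line mistake described here can be enforced as a pre-send gate rather than left to memory. The following is an added example, not code from the article or from RevolutionEHR; the `PatientContact` and `OutboundEmail` types, the `check_outbound` function, the subject-line patterns and the sample addresses are all constructed for illustration.

```python
# Added example (not from the article): a pre-send policy gate for patient email.
# Types, pattern list and sample data are constructed for illustration.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed heuristics for PHI that should never appear in a subject line.
# Subject lines show up in inbox previews and notification banners, so even an
# encrypted body does not protect them.
SUBJECT_PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_birth": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "clinical_term": re.compile(
        r"\b(diagnosis|glaucoma|cataract|prescription|lab results?)\b", re.I
    ),
}


@dataclass
class PatientContact:
    """What the practice has on file for the patient (constructed sample)."""
    confirmed_email: Optional[str]  # address the patient confirmed, or None
    unencrypted_consent: bool       # documented consent to unencrypted email


@dataclass
class OutboundEmail:
    """The message a staff member is about to send (constructed sample)."""
    recipient: str
    subject: str
    encrypted: bool                 # True if sent via an encrypting channel


def subject_phi_hits(subject: str) -> List[str]:
    """Return the names of subject-line patterns that match."""
    return [name for name, pat in SUBJECT_PHI_PATTERNS.items() if pat.search(subject)]


def check_outbound(msg: OutboundEmail, patient: PatientContact) -> List[str]:
    """Return a list of policy findings; an empty list means the message may go."""
    findings: List[str] = []

    # 1. Recipient must be the address the patient confirmed (catches typos
    #    such as a misspelled domain, which send PHI to a stranger).
    if patient.confirmed_email is None:
        findings.append("recipient_unconfirmed")
    elif msg.recipient.strip().lower() != patient.confirmed_email.strip().lower():
        findings.append("recipient_mismatch")

    # 2. Subject line must not carry PHI (minimum necessary).
    for hit in subject_phi_hits(msg.subject):
        findings.append(f"phi_in_subject:{hit}")

    # 3. Unencrypted sending is allowed only with documented patient consent.
    if not msg.encrypted and not patient.unencrypted_consent:
        findings.append("unencrypted_without_consent")

    return findings


def may_send(msg: OutboundEmail, patient: PatientContact) -> bool:
    return not check_outbound(msg, patient)


if __name__ == "__main__":
    on_file = PatientContact(confirmed_email="jane.doe@example.com",
                             unencrypted_consent=False)
    good = OutboundEmail("Jane.Doe@example.com", "Your appointment reminder", True)
    bad = OutboundEmail("jane.doe@gmai.com", "Glaucoma results, DOB 01/02/1980", False)
    print("good:", check_outbound(good, on_file))
    print("bad: ", check_outbound(bad, on_file))
```

The gate is deliberately a list of findings rather than a single boolean so that each blocked send can be written to the practice’s audit log with the reason, which is the evidence a risk assessment later asks for.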

Failure to Obtain Patient Consent

Sometimes, healthcare providers may share patient information for reasons like referrals without obtaining patient consent.

Inadequate Incident Response

Failing to report a data breach within 60 days can lead to penalties under HIPAA’s Breach Notification Rule.

Over the last 15 years, between 2008 and 2023, the number of HIPAA violations has steadily increased, with some of the biggest breaches costing companies millions of dollars in penalties.

[Chart: OCR penalties for HIPAA violations, 2008 to July 2023]


The following case studies highlight some major violations that occurred in 2023:

Case Study 1: L.A. Care Health Plan

L.A. Care Health Plan, the largest publicly operated health plan in the U.S., settled multiple HIPAA violations for $1.3 million. The settlement followed two investigations by the HHS’ Office for Civil Rights (OCR), one from a media report about unauthorized disclosures via its member portal and another related to a mailing error affecting 1,498 members.

OCR found six types of HIPAA violations, including insufficient security measures and failure to conduct risk analysis. L.A. Care agreed to adopt a corrective action plan to address these issues without admitting liability.

Case Study 2: MedEvolve, Inc.

The HHS’ OCR settled with Arkansas-based MedEvolve, Inc. for $350,000 after the company exposed the electronic protected health information (ePHI) of over 230,000 individuals due to an unsecured FTP server. The breach affected two entities and disclosed names, addresses, and Social Security numbers.

OCR identified three HIPAA violations, including improper ePHI disclosure and insufficient risk assessment. MedEvolve agreed to the penalty and a corrective action plan without admitting liability, emphasizing risk assessments and improved training.

RevolutionEHR Simplifies HIPAA Compliance

Patients love communicating via text and email. Talking to them using the channels they prefer delivers enhanced patient experiences, which leads to greater patient satisfaction and retention rates.

To make it easier to give your patients what they want, two communication tools that work seamlessly from within RevolutionEHR allow you to do just that while saving time and ensuring that your practice remains HIPAA compliant.


RevDirect is a messaging service that allows users to exchange PHI with other healthcare professionals from within RevolutionEHR. RevDirect is HIPAA compliant, so your practice providers and staff will be assured that PHI in external messaging meets HIPAA security guidelines.

With RevDirect, your practice can:

  • Exchange protected health information securely and seamlessly from within RevolutionEHR
  • Save time by streamlining external communications
  • Never need to search for misfiled records sent by fax or email
  • Eliminate the expenses of printing, faxing, and mailing


RevConnect is a set of patient communication tools that simplifies the sharing and tracking of messages to patients using powerful email and text features.

With RevConnect, you can:

  • Automate appointment and recall reminders to dramatically reduce no-shows
  • Send recare notices to increase patient retention
  • Create email campaigns and track performance
  • Create and send optical order status updates
  • Send automated birthday messages

Stay HIPAA Compliant with RevolutionEHR

RevolutionEHR is a comprehensive EHR-centered practice management solution with HIPAA-compliant external communication software and powerful patient communication tools. And they work seamlessly from within RevolutionEHR.

Take control of your PHI with RevolutionEHR — to protect your patients and your practice. To learn more, request a demo today.

Frequently Asked Questions

How do HIPAA violations impact optometry practices and patients?

HIPAA violations in optometry practices can result in severe financial penalties and potential legal ramifications for the practice. For patients, breaches compromise the confidentiality of their visual health data, which can lead to identity theft or unauthorized disclosure of sensitive information. The trust between patient and provider may also be irreparably damaged.

Can optometrists use text and email for patient communication?

Yes, optometrists can use text and email to contact patients, provided they adhere to secure email practices for patient communication and follow HIPAA guidelines. This can include end-to-end encryption, two-factor authentication (2FA), and a secure messaging system integrated into your practice management software.

What safeguards are required when texting PHI?

When sending PHI via text, following best practices for HIPAA compliance in texting is crucial. These safeguards include HIPAA-compliant messaging platforms offering strong access controls and audit trails. Additionally, verifying the recipient’s identity and adhering to the minimum necessary rule are essential measures for protecting PHI.

The minimum necessary rule stipulates that healthcare providers and organizations must only access, use, or disclose the minimum amount of PHI necessary to accomplish the intended purpose.

What are the implications of non-compliance with HIPAA?

Non-compliance with HIPAA can result in severe consequences, including hefty financial penalties, legal action, and reputational damage for healthcare providers. Patients may also suffer from unauthorized access to or disclosure of their sensitive health information, potentially leading to identity theft or other forms of harm.

Are there specific rules for emailing patient information?

While HIPAA doesn’t explicitly prohibit email communication for PHI, it mandates several safeguards. These include implementing access controls, audit trails, integrity controls, ID authentication, and transmission security mechanisms.

Encryption is highly recommended, especially for emails sent outside a protected internal network. The aim is to restrict unauthorized access to PHI, monitor how it’s communicated, and maintain its integrity.

How can practices ensure HIPAA compliance with email?

To ensure HIPAA compliance with email, optometry practices should use HIPAA-compliant email providers that offer end-to-end encryption and strong access controls.

Adhering to guidelines for protecting patient data in optometry communications is crucial. These guidelines include audit trails, patient identity authentication, and ongoing monitoring to protect against unauthorized access to PHI.

What penalties are associated with HIPAA violations?

Penalties for HIPAA violations are multi-tiered and can be severe. Civil penalties, overseen by HHS’ Office for Civil Rights, start at $127 per violation as of January 2023 and can escalate to $1,919,173 for willful neglect. State Attorneys General and the Federal Trade Commission can also impose fines.

Criminal penalties can result in fines ranging from $50,000 to $250,000 and may include jail terms from 1 to 10 years, depending on the severity and intent of the violation. Restitution to victims and additional penalties for identity theft may also apply.

What are some common HIPAA breaches in optometry?

Common HIPAA breaches in optometry include unauthorized access to patient records by staff or external hackers. Accidental sharing of PHI through unsecured emails or messaging apps is another issue.

Failure to properly dispose of paper records or outdated prescription data can also lead to breaches. Theft or loss of devices containing PHI, like laptops or smartphones, can compromise patient confidentiality.

Protect Your Patients’ Privacy With RevolutionEHR

Protecting your patients’ privacy is a legal obligation and crucial for maintaining trust. Implementing a powerful practice management system like RevolutionEHR can simplify HIPAA compliance for your optometry practice.

With secure data storage, encrypted communications, and streamlined audit controls, RevolutionEHR mitigates risks and ensures the integrity of patient data.

See why RevolutionEHR gives you the freedom to focus on providing exceptional eye care. Make the switch today and prioritize your patients’ privacy.
