Is Your Patient Communication HIPAA Compliant?


I participated in a webinar hosted by Trizetto, "How to Keep Your Patient Communication Secure and Compliant in 2018," which was presented by Jim Johnson, President and Founder at Live Compliance.

The webinar was superbly done. Jim Johnson was knowledgeable, while presenting the information in a way that made it clear and very understandable.

It is a complicated topic, and it is not always easy to understand how to communicate securely and compliantly with patients and Business Associates.

How Do You Keep Your Communications Secure?

Keeping your communications with your patients secure and compliant involves two major components. The first is that the data must be secure, meaning it must be encrypted, both when it is stored and when it is sent.

The second piece is data retention: communications containing patient information must be retained as part of the record. For example, most of the time, texting with patients is not considered compliant, because you cannot retain text messages in the patient's chart.

Jim Johnson made several fairly basic suggestions we should all be using.

  • When using subscription services (such as GSuite or Office 365), be sure to use the correct subscription for HIPAA compliance. They are always paid subscriptions and most often must be paid for above the basic level.

  • BYOD - do not allow employees to Bring Their Own Devices. You cannot control how these are used, or where they are used. If employees do bring their own devices, make sure to create a policy governing the use of these personal devices.

  • Create “actionable policies and procedures.”

  • Know what steps need to be taken in the case of a breach or improper disclosure

  • Know who to report the breach to

  • Know the time frame the breach needs to be reported in

  • Know the Federal and State breach notification reporting requirements

  • The Office for Civil Rights (OCR) oversees HIPAA compliance within the Department of Health and Human Services (HHS)

  • A Business Associate reports a breach to the Covered Entity

  • The Covered Entity reports the breach to the Office for Civil Rights

  • Have Business Associate Agreements in place with all of your vendors and subcontractors (including cloud vendors such as GSuite and Office 365)

  • Do a Security Risk Assessment

A few other items Jim Johnson discussed were in relation to patients emailing providers, patients submitting electronic versions of their intake forms and insurance cards, and online reviews.

Patients Emailing Providers

If a patient emails a healthcare provider, since they are