By Vanessa Higgins

Is Your Patient Communication HIPAA Compliant?


I participated in a webinar hosted by Trizetto, "How to Keep Your Patient Communication Secure and Compliant in 2018," which was presented by Jim Johnson, President and Founder at Live Compliance.

The webinar was superbly done. Jim Johnson was knowledgeable, and presented the information in a way that made it clear and very understandable.

It is a complicated topic, and it is not always easy to understand how to communicate securely and compliantly with patients and Business Associates.

How Do You Keep Your Communications Secure?

Keeping your communications with your patients secure and compliant involves two major components. The first is that the data must be secure, meaning it must be encrypted in transit and at rest.

The second piece is data retention. For example, most of the time, texting with patients is not considered compliant, because you cannot retain text messages in the patient's chart.

Jim Johnson made several fairly basic suggestions we should all be using.

  • When using subscription services (such as G Suite or Office 365), be sure to use the correct subscription tier for HIPAA compliance. These are always paid subscriptions and most often require a plan above the basic level.

  • BYOD - do not allow employees to Bring Their Own Devices. You cannot control how or where these devices are used. If employees do bring their own devices, make sure to create a policy around the use of these personal devices.

  • Create “actionable policies and procedures.”

  • Know what steps need to be taken in the case of a breach or improper disclosure:

    • Know who to report the breach to

    • Know the time frame in which the breach needs to be reported

    • Know the Federal and State breach notification reporting requirements

    • The Office for Civil Rights (OCR) oversees HIPAA compliance within the Department of Health and Human Services (HHS)

    • The Business Associate reports to the Covered Entity

    • The Covered Entity reports to the Office for Civil Rights

  • Have Business Associate Agreements in place with all of your vendors and subcontractors (including cloud vendors such as G Suite and Office 365)

  • Do a Security Risk Assessment


A few other items Jim Johnson discussed were in relation to patients emailing providers, submitting electronic versions of their intake forms and insurance cards, and online reviews.

Patients Emailing Providers

If a patient emails a healthcare provider, since they are initiating the email, they are giving approval for communicating in this way. Given that, it is ideal to be able to respond through encrypted email.

Electronic Intake Forms and Receiving Insurance Cards

Again, this is not ideal. Although the patient is initiating the communication, respond securely. If you are unable to email securely, do not respond by email; call the patient instead. Do not ask your patients for information containing PHI through email.

Online Reviews

Patients are able to write reviews online, and sometimes they may leave reviews that aren’t so flattering. It is understandable that the provider wants to defend their reputation and respond to the patient's complaints. Jim Johnson was definitive in stating that it is never a good idea to engage the patient in this way. He suggests simply responding to the review by thanking the patient for their comment and asking them to please call the office to discuss their issues.

If you are confused about HIPAA Compliant communication with your patients, or have questions, or would just like to leave a comment, head over to our Forums, where the conversations can begin!
