Do you need to obtain the patient's authorization to email reports and surveys?

HIPAA allows health care providers to use e-mail and text message to communicate health issues and treatment with their patients as long as reasonable safeguards are used. The HIPAA Standards:

  • HIPAA Standard 164.312(d) – Adopt procedures to verify that persons or entities seeking access ePHI are who they claim to be.
  • HIPAA Standard 164.306(b) – Implement reasonable and appropriate security measures.

⚠️ HIPAA does not apply outside the United States. Please research your countries laws if you are outside of the United States.

ChiroUp encrypts all outgoing patient communication. ChiroUp also requires each patient to accept the HealthCom.io terms of use (including an authorization to communicate via various channels) before accessing their subsequent condition reports and exercise plans. However, this occurs after you send the initial email.

If required, providers may choose to obtain additional authorization via written consent and/or verbally:

Written authorization to include on intake paperwork:

I authorize the providers, staff, and professional affiliates of this clinic to relay relevant information to me via various channels, including but not limited to mail, phone, fax, text, email, mobile app, secure website portals, and private social media messages. I understand that HIPAA permits the use of unencrypted communication channels as long as reasonable safeguards are applied and HIPAA security rules are followed, and with that understanding, I authorize the above-listed methods. I do not necessarily expect this clinic to reply to my communications via all of these channels and agree to communicate with this clinic via phone or email if a response is not received on another channel in a timely fashion.

Example verbiage to incorporate into SOAP Notes following a verbal discussion:

I discussed potential means of communication with the patient today. We specifically discussed that I will routinely be relaying information about their condition as well as pertinent exercises and advice. The patient agreed to allow the providers, staff, and professional affiliates of our clinic to relay relevant information or surveys to them via various channels, including but not limited to mail, phone, fax, text, email, mobile app, secure website portals, and private social media messages. I explained to the patient that they should not necessarily expect this clinic to reply to their communications via all of these channels, and they agreed to communicate with this clinic via phone or email if a response is not received in a timely fashion on another channel. They understood the need to relay urgent information by phone or email, and to summon emergency medical personnel for any emergent concerns. I also explained secure vs unsecure communication and that HIPAA permits the use of unencrypted communication channels as long as reasonable safeguards are applied and HIPAA security rules are followed. I explained the need for the patient to utilize a HIPAA-compliant means of communication for any communication that they initiate. With that explanation, the patient agreed to and authorized all of the above-listed methods of communication.

Was this article helpful?