Don’t Use Webmail or Text Messages for Patient Info 


Webmail includes the free mail services available on the Internet, like Gmail, Yahoo! Mail, Hotmail, etc., plus the free e-mail accounts you may receive with Internet service from Verizon, Time-Warner, Cox Cable, Comcast, CenturyLink, and others. Text messages include the services from cell carriers like Verizon, AT&T, T-Mobile, Sprint, and others.

These Services Are Free and So Easy. Why Can’t We Use Them?

Free webmail services are not secure methods of communication. While they may be fine for personal messages, they do not include the security required to communicate protected information, including medical records and lab and test results. 

Even e-mail messages you send to someone else in your own office go out to the free webmail service and then back. Text messages are never deleted by the cell phone carriers.

The recent scandals involving the media prove that text messages can be hacked. The companies that offer these services typically will not sign Business Associate Agreements, which are required for any organization that stores patient information, including any messages or attachments containing Protected Health Information (PHI).

What Happens If We Use Webmail or Text Messages to Communicate Patient Information? 

In 2012 a small medical practice was using webmail to communicate patient information. It was also using an online calendar to schedule patient appointments. The practice was fined $100,000 and had to pay the notification costs for the patients whose data was breached. It also had to implement secure communications and undergo a Corrective Action Plan to address its underlying lack of HIPAA compliance.

So What Should We Do? 

You have several choices. First, you should immediately stop sending patient information by webmail or text messages.

  1. You can use faxing or other methods to communicate patient data. You should not use a system that converts faxes to e-mail messages sent through a webmail account.
  2. It is less expensive and easier now than ever to implement a Cloud-based secure e-mail system for communicating within your practice. Communicating patient information to anyone outside of your practice should be done using e-mail encryption. Cloud-based solutions like Microsoft Office 365 provide secure e-mail, including shared contacts and calendars, for a low monthly fee per user. An added benefit is you don’t have to purchase servers or Microsoft Office licenses. Best of all, Microsoft will sign a Business Associate Agreement. 
  3. If you use an Electronic Health Records (EHR) system it probably includes a portal through which you can securely communicate with patients. 
  4. You can subscribe to an e-mail encryption service that secures sensitive data. Instead of receiving an e-mail containing protected information, your recipient receives an e-mail inviting them to log in to a secure site to retrieve the protected information. All they get is a message to log in; no protected information is ever sent.
  5. Text messages should be replaced by voice calls, as long as any voice message you leave is not converted to an e-mail or text message through an insecure service.

Where Can I Get More Information? 


Semel Consulting works with Covered Entities, Business Associates, and Subcontractors to properly manage HIPAA compliance.