Explicit Consent is required in order to communicate with a patient or customer.

I, [Patient Name], hereby consent and state my preference to have my physician, [Physician Name], and other staff at [Practice Name] communicate with me by email or standard SMS messaging regarding various aspects of my medical care, which may include, but shall not be limited to, test results, prescriptions, appointments, and billing. I understand that email and standard SMS messaging are not confidential methods of communication and may be insecure. I further understand that, because of this, there is a risk that email and standard SMS messaging regarding my medical care might be intercepted and read by a third party. As in the previous scenario, providers should always implement reasonable safeguards before using any communication method. Furthermore, this type of consent only applies to communication between a provider and the patient.

Terms and Conditions

The use of unencrypted email in such a case was clarified by HHS in published commentary to the 2013 HIPAA Omnibus Rule. A provider can send a patient unencrypted email (and presumably texts) when the provider has done the following:

  • Provided warning that unencrypted emails and texts may be insecure;
  • Advised the patient of the risks of unencrypted emails and texts (the provider doesn’t need to get into the details of encryption technology; he or she merely needs to explain that there is some risk of the messages being read by a third party);
  • Received confirmation from the patient that he or she “still prefers” to receive communication via text or email, notwithstanding the risks.

In this scenario, explicit patient consent should be documented to manage the provider’s liability—it is not enough to notify the patient and then assume that their silence is equivalent to consent.