Explicit consent is required in order to communicate with a patient or customer.
I, [Patient Name], hereby consent and state my preference to have my physician, [Physician Name], and other staff at [Practice Name] communicate with me by email or standard SMS messaging regarding various aspects of my medical care, which may include, but shall not be limited to, test results, prescriptions, appointments, and billing. I understand that email and standard SMS messaging are not confidential methods of communication and may be insecure. I further understand that, because of this, there is a risk that email and standard SMS messaging regarding my medical care might be intercepted and read by a third party.
As in the previous scenario, providers should always implement reasonable safeguards before using any communication method. Furthermore, this type of consent only applies to communication between a provider and the patient.
The use of unencrypted email in such a case was clarified by HHS in published commentary to the 2013 HIPAA Omnibus Rule. A provider can send a patient unencrypted email (and presumably texts) when the provider has done the following:
In this scenario, explicit patient consent should be documented to manage the provider’s liability—it is not enough to notify the patient and then assume that their silence is equivalent to consent.