Are Zanda SMS and Emails HIPAA Compliant?

Learn How to Send HIPAA Compliant SMS or Emails.

HIPAA Final Rule about Unencrypted email, therefore SMS*.

  • Covered Entities (practitioners) are allowed to provide electronically protected health information via unencrypted email or SMS if they have advised the individual (patients) of the risk, and the individual (patients) still prefers the unencrypted email or SMS.
  • Authorities do not expect covered entities to educate individuals about encryption technology and information security. Rather, they merely expect the covered entity to notify the individual that there may be some level of risk that a third party could read the information in the email or SMS.
  • Suppose individuals are notified of the risks and still prefer unencrypted email or SMS. In that case, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access (data breach) of protected health information while in transmission to the individual based on the individual’s request (consent).

* The HIPAA Final Rule regarding unencrypted email appears to have established a de facto standard within the industry for the handling of SMS messages that are unencrypted, despite the absence of formal endorsement.

How to Send Compliant HIPAA SMS or Emails:

  • Notify the individual that there may be some level of risk that a third party could read the information in the email or SMS.
  • Request authorization (consent) that the client is willing to accept the risk.
  • Document the client’s consent (record of consent).

 

Hint 💡

Use the Zanda Online Forms for collecting client information securely. The online forms can be embedded in SMS or emails. You can utilise the available user permissions and the online forms authentication feature for extra protection against unauthorised access to the client's online forms.