HIPAA Compliance: The Good, The Bad, and the Ugly

If your practice is operating remotely, it’s more important than ever to make sure you’re up on HIPAA compliance. In order to do this, you need to familiarize yourself with the good, the bad, and the ugly.

The Good


This is an example of a good email. There’s no protected health information (PHI) in the subject line, which should be treated as publicly viewable. The email is addressed to one person, so that recipient can’t see the email addresses of any other patients; email addresses are themselves considered PHI. The patient is addressed by first name only, and a link takes them to their test results in a separate portal. If you send this through a properly encrypted service, you are taking reasonable precautions and the email is compliant.

The Bad

This email is addressed to one person and doesn’t specify a type of appointment in the subject line. However, the subject line includes the patient’s last name, and last names are PHI. Subject lines should be treated as something anyone can see, so we don’t recommend including last names in them. Instead, you could say, “Hi Kate, it’s time to schedule your next appointment.”

The Ugly

Ugly email

This email gets one thing right: it addresses the patient by first name only in the subject line, which is not considered protected health information. However, the recipients can see each other’s email addresses, as well as the purpose of an intended future visit. Sharing any PHI with an unintended recipient is a HIPAA violation.
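The three rules illustrated above (no PHI in the subject line, no last names in the subject line, one visible recipient per message) can be checked automatically before a message leaves the practice. The following is an added example, not code from the original post or from NexHealth; the patient names, addresses and the list of sensitive subject-line terms are constructed for illustration, and a real practice would maintain its own term list.

```python
# Added example (not from the original post): a pre-send check that applies the
# good/bad/ugly rules above to an outgoing patient email. Patient names,
# addresses and the sensitive-term list below are constructed for illustration.
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed list of subject-line terms that would reveal the purpose of a visit.
# A real practice would maintain its own list for its specialties.
SENSITIVE_SUBJECT_TERMS = ("biopsy", "oncology", "hiv", "psychiatry", "pregnancy")


def visible_recipients(msg):
    """Addresses every recipient can see: everything in To and Cc (not Bcc)."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(headers) if addr]


def check_outgoing(msg, patient_last_name):
    """Return a list of findings for one outgoing message; empty means it passes."""
    findings = []
    subject = msg.get("Subject", "")

    # "Ugly": more than one visible recipient leaks every patient's address
    # (itself PHI) and the subject line to people it was not meant for.
    if len(visible_recipients(msg)) > 1:
        findings.append("multiple visible recipients: send one message per patient")

    # "Bad": the subject line is treated as public, so a last name must not appear.
    if patient_last_name and re.search(
        r"\b" + re.escape(patient_last_name) + r"\b", subject, re.IGNORECASE
    ):
        findings.append("subject line contains the patient's last name")

    # The purpose of a visit is PHI too; flag any sensitive term in the subject.
    lowered = subject.lower()
    for term in SENSITIVE_SUBJECT_TERMS:
        if term in lowered:
            findings.append("subject line reveals purpose of visit: " + term)
    return findings


def build_message(subject, to, cc=()):
    """Helper that constructs the sample messages used below."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg.set_content("Please sign in to the patient portal to view your results.")
    return msg


# Constructed samples mirroring the three emails discussed above.
GOOD = build_message("Hi Kate, you have a new message from our office",
                     ["kate@example.com"])
BAD = build_message("Kate Doe, it's time to schedule your next appointment",
                    ["kate@example.com"])
UGLY = build_message("Hi Kate, reminder about your biopsy consultation",
                     ["kate@example.com", "other.patient@example.com"])

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad", BAD), ("ugly", UGLY)):
        print(label, check_outgoing(msg, "Doe") or "passes")
```

Run as a script, the good sample passes, the bad sample is flagged for the last name, and the ugly sample is flagged twice: once for the second visible recipient and once for the visit purpose in the subject. A check like this belongs in whatever step hands messages to your encrypted mail service, so that a flagged message is held rather than sent.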

Current HIPAA Problems From COVID-19

While it was already on the rise, COVID-19 has resulted in a significant increase in remote care. This includes telehealth, health monitoring, messaging between patients and practitioners, and more. Patients are interested in gaining better access to their health care practitioners from their homes during this time. Despite the pandemic contributing to the increase, remote care popularity isn’t a passing fad – 83% of patients are now saying that they will continue to use it after COVID-19 subsides. 

If you’ve been working on shifting your practice to accommodate remote care, there’s a lot to consider. This includes how you communicate with patients while protecting their information and maintaining privacy.

The Pain of Not Solving the Problem 

If you don’t solve the problem of how to best communicate remotely with your patients, your practice could suffer. For example, if you mishandle medical records, you could lose patients, incur large fines, or even worse, have to close your practice. 

However, choosing proper forms of communication for remote care goes beyond that. You also want to choose a method that is easy to use for patients and makes them feel secure. Failure to communicate could mean a reduction in booked appointments, lost revenue, and possible closure.

What HIPAA Compliance Means in a Digital World 

You should look at HIPAA compliance in a digital setting from two angles: First, what you use for technology, and second, what you do with that technology.

Choosing the right technology

Before you settle on a solution for remote care, like messaging or telehealth, you need to make sure you’re choosing something that is HIPAA-compliant. If the tools in your consideration set are ones you use in your everyday life, there’s a good chance that they aren’t HIPAA-compliant out of the box. HIPAA-compliant technology needs to check quite a few boxes, including, but not limited to, the following:

  • Any Protected Health Information (PHI) you send needs to be encrypted in transit and at rest. 
  • Every medical professional who uses the technology needs a unique user identifier so that their activity involving PHI can be logged and audited.
  • Any technology used needs to have an automatic log-off when not being used to prevent unauthorized access from mobile or desktop devices.

Even if a piece of technology isn’t HIPAA-compliant by default, it doesn’t mean you can’t add layers of security on top of it to make it compliant. Even Gmail can be HIPAA-compliant with the right added measures. When you’re looking to adopt software internally, make sure you understand what encryption and safety measures come with the standard version, and what would need to be done to make the tool HIPAA-compliant before adopting it.

Knowing what to do with the technology you have

Next, compliance comes down to what you do with the technology. We’ll use the examples of texting with patients, responding to online reviews, and conducting marketing campaigns. While there isn’t a rule against sending PHI across text messages if the technology you’re using is HIPAA-compliant, the best way to avoid any trouble is to keep it out of text messaging. You can use texts to send appointment reminders without disclosing any sensitive patient information. 

Before you text a patient with messaging containing PHI, if you choose to do that, it’s a good idea to get consent from them, acknowledging that they understand the possible risk of unauthorized disclosure that goes along with text messaging. 

When you respond to online reviews, you’ll be writing a response that is publicly available. It should not include any PHI whatsoever. Speak in generalities, thank the person for a good review or request a follow-up for a negative review, and leave it at that. 

Here’s an example of a good response to an online review: “Thank you so much for your review and feedback. I am so happy to hear that you had a positive experience with all of us at the office. Should you ever need anything at any time, please don’t hesitate to call or email us!”

Marketing campaigns are likewise public-facing. You don’t want to share anything that discloses any patient information on a marketing campaign without a patient’s consent. You also can’t market to anyone using PHI without direct authorization from the patient, or market to a patient without prior authorization. If this is something you’d like to do with patients to market additional services, make sure you include that in your paperwork.

How to vet a solution that keeps your and your patients’ privacy in mind

When you’re evaluating a solution that will operate in your and your patients’ best interests, ask yourself the following questions:

Can your tool ensure encryption in transit and at rest?

You should find out how your tool encrypts data both when it’s being sent and once it reaches its final destination. This isn’t the easiest question to answer, because “at rest” can mean a lot of things, including in physical storage, backups, virtual machines, and databases. “Transit” can also mean a lot of things, including paths originating everywhere from the database to API servers and ending everywhere from app servers to the end user’s clients, including mobile devices. 

In short, encryption can be a very complex subject, so simply asking about encryption isn’t going to solve your problem. Whatever vendor you go with should be able to explain how their particular tool encrypts data at rest and in transit.

Does the tool offer unique IDs for each medical professional using it? 

If there is a HIPAA violation or a data breach, what you want to be able to do is pinpoint the problem quickly to prevent more mistakes from happening. If you can’t quickly and easily identify the source of the problem because everyone has the same ID or users share IDs, that will slow down your problem-solving. Make sure that each user of your system has a unique ID.

Does the solution have automatic log-off when someone in your practice isn’t using it?

Even if you have unique IDs for everyone at your practice, someone may be forgetful and not log out of their machine. Then the next person may come along, see an open computer, and start working on it without logging out and back in. The best way to prevent this is to have a tool that offers automatic log-off after a certain period of inactivity.
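The two controls just described, a unique ID per user (so an access can be traced to one person) and automatic log-off after inactivity (so an unattended screen cannot be used by the next person to walk up), are straightforward to implement together. The following is an added example, not NexHealth’s code or any specific vendor’s: a small session manager with an injectable clock, an idle timeout and an audit trail. The timeout value, user IDs and chart numbers are constructed for the demonstration.

```python
# Added example (not NexHealth's code): an idle-timeout session manager that
# keys every session to a unique user ID and keeps an audit trail, so a walk-up
# to an unattended screen is cut off and any access can be traced to one user.
# Timeout value, user IDs and chart numbers are constructed for illustration.
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed default; set it per your own risk assessment


@dataclass
class Session:
    user_id: str          # unique per clinician; IDs are never shared
    last_activity: float  # monotonic clock reading of the last action


class SessionManager:
    def __init__(self, timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock          # injectable so the behaviour can be tested
        self.sessions = {}          # session_id -> Session
        self.audit = []             # (time, user_id, event, detail)

    def login(self, session_id, user_id):
        now = self.clock()
        self.sessions[session_id] = Session(user_id, now)
        self.audit.append((now, user_id, "login", session_id))

    def touch(self, session_id, action):
        """Authorise one action. Returns False (and logs the user off) if the
        session does not exist or has been idle longer than the timeout."""
        session = self.sessions.get(session_id)
        if session is None:
            return False
        now = self.clock()
        if now - session.last_activity > self.timeout:
            self._end(session_id, "auto-logoff", now)
            return False
        session.last_activity = now
        self.audit.append((now, session.user_id, "access", action))
        return True

    def logout(self, session_id):
        self._end(session_id, "logout", self.clock())

    def _end(self, session_id, event, now):
        session = self.sessions.pop(session_id, None)
        if session is not None:
            self.audit.append((now, session.user_id, event, session_id))

    def who_accessed(self, detail):
        """Trace an access back to the unique user IDs behind it."""
        return sorted({user for _t, user, event, d in self.audit
                       if event == "access" and d == detail})


class FakeClock:
    """Constructed clock for the demonstration; advance() simulates idle time."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    mgr = SessionManager(timeout=900, clock=clock)
    mgr.login("sess-1", "dr.alice")
    first = mgr.touch("sess-1", "open chart 1001")   # within timeout: allowed
    clock.advance(901)                                # screen left unattended
    second = mgr.touch("sess-1", "open chart 1002")  # idle too long: auto log-off
    events = [(user, event) for _t, user, event, _d in mgr.audit]
    return first, second, events, mgr.who_accessed("open chart 1001")


if __name__ == "__main__":
    print(demo())
```

The second `touch` call fails because the session has been idle longer than the timeout, and the audit trail records the automatic log-off against the specific user ID; `who_accessed` then answers the question from the previous section, namely which user opened a given chart. Because the clock is injected, the timeout behaviour can be exercised in tests without waiting for real time to pass.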

Is the tool easy to use, or does it require additional downloads of software or new logins for your patients?

Beyond security, you want to make sure what you choose is user-friendly. The more you increase the burden on patients to figure out a new tool you’ve brought to your practice, the lower the adoption rate will be. Your best bet is to introduce something that works without logins and takes patients exactly where they need to be for things like bill pay and telemedicine appointments. Lower the barrier to usage wherever possible without sacrificing patient safety.

How NexHealth can help you stay compliant during COVID-19

While you could adapt technology to make it HIPAA-compliant, NexHealth’s tools are compliant from the start. NexHealth also offers a free telehealth platform to get providers through COVID-19. It is safe and secure, and can be easily accessed via a link in patients’ inboxes or phones. There are no extra logins required to start an appointment. You can also create live appointments by integrating the telehealth platform with your already existing practice management software.


You know how important HIPAA-compliant tools are. But what about the second piece of the puzzle: making sure you’re using these tools in a way that’s also fully compliant?

It can be a little tricky to navigate. So if you’re feeling at all iffy, join our free webinar and we’ll clear things up!
