Patient-Provider Communication in the Era of Texting, Email, and The Health Insurance Portability and Accountability Act (HIPAA) by Maya Ressler

Jim Sheldon-Dean has worked in HIPAA, health information privacy, and security regulatory compliance for 23 years. He speaks about HIPAA at conferences, conventions, and private educational sessions. I attended his webinar, which discussed HIPAA, texting, and email.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal statute that prohibits the disclosure of patient health information (PHI) without the patient’s consent or knowledge. HIPAA seeks to prevent healthcare fraud by securing PHI and restricting access to health data. It mandates that all HIPAA-covered entities implement safeguards to secure sensitive personal and health information (Why is HIPAA Important, The HIPAA Journal). HIPAA contains three rules: the privacy rule, the security rule, and the breach notification rule. The privacy rule governs uses and disclosures. The security rule applies to electronic PHI and employs a risk analysis to identify and plan the mitigation of security risks. The breach notification rule mandates that violations of PHI be reported to Health and Human Services (HHS) and the affected individuals.

The HIPAA Breach Notification Rule defines a breach as “an impermissible use or disclosure . . . that compromises the security or privacy of the protected health information.” In the event of a breach, entities must notify the affected individuals and HHS. Privacy breaches have detrimental effects on individuals and organizations. Noncompliant organizations incur penalties and fees, suffer reputational harm, and are subject to potential lawsuits. The exposure of an affected individual’s name, address, credit card information, social security number, and medical conditions results in a loss of privacy and the potential for identity theft.

Patients and providers in healthcare are increasingly communicating through email and text messaging. Many patients prefer email or text messaging because it is a quick and convenient way to manage appointments, receive test results, and ask healthcare-related questions. Providers also prefer email and text messaging to access patient information, communicate with hospital staff, and maintain an appointment calendar.

While texting may be convenient in healthcare, it also has many shortcomings. Most importantly, there is an increased risk of violating HIPAA. Email and text messaging are insecure forms of communication that may be accessed or exposed by unknown third parties. Furthermore, there is no straightforward method for physicians to document the email or texting encounter. Finally, the inability to prioritize incoming text messages may result in a crucial test result sitting in the patient’s inbox for more than 24 hours.

To reduce the risk of breach, organizations and providers must remain flexible. Organizations should provide and promote the use of secure communication solutions. Hospitals should educate staff on the dangers associated with plain email and explain what should not be sent through email or text message. There are also secure private email services and secure text messaging applications that can be used to safeguard communications of PHI. Cortext by Imprivata, TigerText, and DocHalo are some secure text messaging and email options physicians can use. Lastly, it is essential for organizations to implement policies and procedures governing the use of email and text messaging. These policies should include a risk analysis, a process for approving and monitoring uses, guidelines for acceptable email and text messaging interactions, and the identification of secure services.

Overall, organizations should facilitate and try to comply with patient requests as much as possible. Patients have the right to choose their preferred mode of communication, even if it is an insecure method. However, providers should explain the risks associated with insecure communication methods, obtain the patient’s consent, and notify those with whom the patient communicates of their preference. Having policies in place will enable physicians to document and manage these requests appropriately.

In conclusion, email and text messaging are inherently insecure forms of communication. Even if individuals have a right to use insecure means of communication, they must be informed of the potential for security breaches. Recognizing the inevitability of these communications, healthcare organizations should implement policies addressing email and texting, and ensure these modes of communication are HIPAA compliant.

Giving Pharmacists Prescribing Power – A Solution to Increased Contraceptive Access by Maura McGinnity

In the months since Dobbs v. Jackson Women’s Health, access to birth control has become a contentious topic. Losing access to hormonal birth control is becoming a fear for people who rely on it for health reasons, including regulating hormones and improving acne. Allowing pharmacists to prescribe and dispense hormonal birth control would help mitigate barriers and expand access to contraception.

Since 2020, more than ten states have expanded or strengthened pharmacists’ prescriptive power to include contraceptives. That means there are now twenty-four states and Washington DC that permit pharmacists to prescribe this important medication. There are many benefits to allowing pharmacists to prescribe and dispense hormonal birth control. Pharmacies are more accessible than clinics or hospitals in many communities, generally have more accessible hours, and do not always require appointments. These benefits allow more people to have convenient access to hormonal birth control.

Additionally, research has demonstrated that patients are in favor of increasing prescription power because of convenience and accessibility. A study in California found that seventy-four percent of survey respondents chose to visit a pharmacist for contraception because it would be quicker than getting a doctor’s appointment. Real-world applications of this have already taken place in states like Oregon. Two years after Oregon implemented its pharmacist-prescribed contraception protocol, it prevented an estimated 51 unintended pregnancies and saved the state $1.6 million.

Even with all the benefits, expanding pharmacists’ roles creates some challenges. To begin these programs, states must implement sufficient billing infrastructure, find ways to pay pharmacists for their extra services, comply with privacy and confidentiality standards, and make sure pharmacists are adequately trained in prescribing hormonal birth control to ensure patient safety.

There are multiple legal and regulatory processes that must be put into place to allow pharmacists to expand prescribing power. One potential process is giving pharmacists outright prescriptive authority, which allows pharmacists independent power to prescribe hormonal birth control. This framework specifies certain conditions where pharmacists are authorized to prescribe certain medications. Pharmacists are given specific procedures from a state board of pharmacy, and they are required to follow the instructions given when prescribing birth control to patients. Another option is implementing a collaborative practice agreement. In this framework, pharmacists and pharmacies are in partnership with other healthcare providers, and the pharmacists are authorized by physicians to select, initiate, monitor, continue, and adjust medication regimens for patients.

By implementing these programs, individuals will be able to get birth control in a more convenient way. This is especially important for women and individuals needing birth control in a post-Dobbs world where access to contraceptives is being challenged throughout the courts.