Why text and email use face a host of regulatory constraints
Communication by text or email is a part of daily life. Such forms of communication occur non-stop and through a variety of means, whether it be Gmail, WhatsApp, iMessage or any other number of services.
However, the question that arises just as frequently is whether texting or email are appropriate in healthcare. The simple answer is yes—texting and email fit very well into healthcare and are very much permissible.
However, staying at the level of the simple answer is not sufficient. It is necessary to dive deeper and determine just how text and email communication can be done. Answering the more nuanced question largely depends upon the purpose of the communication. The purpose can be broken into two primary categories—marketing or provision of information. As would be expected, marketing communications create more concern and require attention to a wider array of regulatory requirements.
Regardless of the purpose of the communication, HIPAA is a driving force behind what a healthcare provider or entity can do when it comes to texting and emailing. Hopefully it is well known, but the HIPAA Privacy and Security Rules influence what communication tools can be used. If the healthcare entity is initiating the communication, then any such communication must carefully adhere to privacy and security requirements.
Because any communication tool will most likely not just transmit but store the data sent, the communication tool will be considered a business associate and all attendant requirements (implementing a business associate agreement) apply. However, if a patient requests that a provider send a record or other communication by email, then some of those concerns may be reduced. No matter who starts the communication though, HIPAA must be considered.
The other side to HIPAA is whether marketing communications are allowed. As a general matter, pretty much all marketing requires patient authorization under HIPAA. There are some forms of communication that do not require authorization, but those exceptions are not very broad.
The discussion in the preceding paragraphs is only a taste of how HIPAA impacts the use of texting and email. That being said, the key takeaway is that texting and emailing can occur. It may not be a publicly available tool like Gmail that can be used, but there are options. Such an approach helps to dispel the common misconception that HIPAA prohibits or otherwise prevents the use of texting or email.
While HIPAA is clearly a healthcare-specific law, any entity or organization seeking to text or email an individual must consider other laws as well. Foremost among those laws are the Telephone Consumer Protection ACT (TCPA) for texting and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) for email. These laws may not be readily known to healthcare entities, but lack of awareness is no defense to a violation.
TCPA is designed to protect privacy interests when it comes to phone-based communications, whether texting or phone calls. TCPA sets parameters as to how individuals can be contacted by companies. Obtaining consent to communicate by phone or text will generally solve potential issues under TCPA, but it is not always clear whether such consent has been provided. Many entities will also collect phone numbers without including consent to communication and then want to implement outreach by phone or text afterwards.
When seeking to use already collected information, going back to get consent is not high on the list of priorities. Healthcare benefits from some relief in that regard. Communications for treatment purposes are exempted from the consent requirement. Before celebrating and thinking that all healthcare communications are treatment related, guidance around the exemption spells out what constitutes treatment.
Further, there appears to be a requirement that any communication cannot result in a charge to the individual. Before sending a text, it is necessary to consider whether that will charge the individual or not. That question could be hard to answer. Again, like HIPAA, TCPA does not prohibit texting, it forces an organization to slow down and plan.
CAN-SPAM, as indicated, focuses upon email advertising. Generally, CAN-SPAM covers all commercial messages where the primary purpose is advertisement or promotion. As the acronym of the act implies, it is meant to help reduce the number of emails that we all receive. To avoid issues, seven principles have been laid out to flag an email as an advertisement or promotion:
- Make the header accurate and not false or misleading.
- Do not use deceptive subject lines.
- Identify the email as an advertisement.
- Tell recipients where the sender is located.
- Tell recipients how to opt out of future emails.
- Promptly honor all opt out requests.
- Monitor activities of vendors that may act on your behalf.
Additionally, question what the primary purpose of the email is. CAN-SPAM only applies if it is advertisement or promotion. If a transaction or relationship is the primary purpose, then CAN-SPAM does not apply. Unlike TCPA, there are no exceptions or carve outs for healthcare. Instead, healthcare must comply like all other industries.