
Communication of protected health information (PHI) with others, both internal and external to UNC Health, and with our patients is a critical function necessary to the ongoing operations of our health care enterprise. When PHI is shared in a communication between individuals/entities, the communication must be secure regardless of the medium in which the communication occurs. The following are summaries of UNC Health HIPAA policies governing the requirements for sending PHI via text message and via email.

Texting PHI is Permitted as Follows:

Each entry below gives the purpose of the text message, who it is sent by and sent to, whether it is permitted, the requirements, and more information.
Purpose: Appointment Reminder via system-wide automated patient appointment reminder
Sent by: Participating UNC Health areas only
Sent to: patients
Permitted? Yes
Requirements: Must participate via the official UNC Health text appointment reminder application.

Appointment Reminders MAY NOT be sent via any other application or by clinics/employees independently.

Purpose: Texting PHI
Sent by: nurses, physicians or other clinical care staff (internal)
Sent to: nurses, physicians or other clinical care staff (internal or external)
Permitted? Yes – for limited situations for treatment purposes only
Requirements: Texting PHI for treatment purposes among providers and staff is permitted by UNC Health policy through:

  • The Vocera application and Vocera device (for approved users of Vocera and among internal staff/providers only)

Purpose: Texting Pictures of Patients or Patient Care Activities, such as pictures of wounds with identifying information (such as patient’s MRN)
Sent by: nurses, physicians or other clinical care staff (internal)
Sent to: nurses, physicians or other clinical care staff (internal or external)
Permitted? Yes – for limited situations
Requirements: Texting pictures of patient information such as wounds for treatment purposes among treating providers is permitted by UNC Health policy when:

  • Using the Epic Haiku application (picture is taken with a cell phone and uploaded to Epic through the approved Haiku application)

Pictures of patient treatment areas may be taken using a cellphone and uploaded via the Haiku application – only available for institutions that are on Epic. For more information contact your information security helpdesk.

Purpose: Texting De-identified Pictures of Patients or Patient Care Activities, such as pictures of wounds
Sent by: nurses, physicians or other clinical care staff
Sent to: nurses, physicians or other clinical care staff
Permitted? Yes – but preference is to send these photos through Epic Haiku application
Requirements: All patient identifiers must be removed (i.e., no name, MRN, demographic data, dates of services, DOB, SSN, etc.).

Texting a de-identified picture is not a privacy violation. However, taking a picture of a wound with a personal cell phone and sending it to another UNC Health provider (such as a resident sending a picture to an attending) may raise questions from a patient about whether their data is properly protected. Additional professional issues may be raised. Therefore, the Privacy Office does not recommend that de-identified pictures of patients or patient body parts be sent outside of the Epic Haiku application.

Purpose: Texting Patients for any reason associated with their care – messages sent unencrypted
Sent by: nurses, physicians or other clinical care staff
Sent to: patients or their family/friends/or caregivers
Permitted? Yes – for limited purposes
Requirements:
  1. Must have the patient sign the UNC Health Authorization for Electronic Communication
  2. Must not text any sensitive PHI (SS#s, DL#, financial info or sensitive medical information)
  3. Text messages may only be sent to patients for permitted purposes set forth in this policy.
  4. Patients may not respond with text messages using free text; patients may only respond with preprogrammed replies (i.e., text #1 for yes, #2 for no, etc.).

Purpose: Texting Patients for any reason associated with their care – messages sent encrypted
Sent by: nurses, physicians or other clinical care staff
Sent to: patients or their family/friends/or caregivers
Permitted? Yes
Requirements:
  1. Must have the patient sign the UNC Health Authorization for Electronic Communication
  2. Must not text any sensitive PHI (SS#s, DL#, financial info, or sensitive medical information)
  3. Text messages may only be sent to patients for permitted purposes set forth in policy.

Must use a third-party vendor approved application to send encrypted communications to the patient. Must have Privacy Office approval for vendor application. Vendor must be vetted through UNC Health ISD Architecture Review Board.

Emailing PHI is Permitted as Follows:

Each safeguard below is listed with its requirement for three types of message:

  • Internal: UNC Health Internal Message (between UNC Health email accounts @unchealth.unc.edu)
  • SOM: Messages between UNC Health email accounts and SOM email accounts (@med.unc.edu)
  • External: Messages between UNC Health email account and external accounts (i.e., gmail.com, gov.com)

Safeguard: Inspect address of intended recipients before sending; avoid sending to distribution lists unless recipient addresses can be inspected.
  • Internal: Required
  • SOM: Required
  • External: Required

Safeguard: ALWAYS ensure that recipients are authorized to obtain the PHI
  • Internal: Required
  • SOM: Required
  • External: Required

Safeguard: Encrypt the email during transmission
  • Internal: System Provided
  • SOM: System Provided
  • External: Required

Safeguard: Encrypt the PHI content in the message body
  • Internal: Not Required
  • SOM: Required
  • External: Required

Safeguard: Encrypt the PHI content in a file attachment
  • Internal: Required if there are more than 499 unique identities in the file
  • SOM: Required
  • External: Required

Safeguard: Label the message “Confidential” on the first line within the body of the message
  • Internal: Recommended
  • SOM: Required
  • External: Required

Safeguard: Type (secure) in the subject line to encrypt the message. Be sure to include the parentheses and add a space after the last parenthesis.
  • Internal: Not Required
  • SOM: Not Required
  • External: Required