Communication of protected health information (PHI) with others both internal and external to UNCHCS and to our patients is a critical function necessary to the ongoing operations of our health care enterprise. When PHI is shared in a communication between individuals/entities, the communication must be secure regardless of the medium in which the communication occurs. The following are summaries of UNCHCS HIPAA policies governing the requirements for sending PHI via text message and via email.

Texting PHI is Permitted as Follows:

Purpose of Text Message | Sent by & Sent to | Permitted? | Requirements | More Information
Appointment Reminder

via system-wide automated patient appointment reminder

Sent by: Participating UNCHCS areas only

Sent to: patients

Permitted: Yes

Must participate via the official UNCHCS text appointment reminder application

Appointment Reminders MAY NOT be sent via any other application or by clinics/employees independently.

Text Pictures of Patients or Patient Care Activities

such as pictures of wounds

Sent by: nurses, physicians or other clinical care staff

Sent to: nurses, physicians or other clinical care staff

Permitted: No

Texting pictures of patient information such as wounds for treatment purposes among treating providers is CURRENTLY not permitted by UNCHCS policy unless the picture is taken with a cell phone and uploaded to Epic through the approved HAIKU application. Pictures of patient treatment areas may be taken using a cell phone and uploaded via the Haiku application – only available for institutions that are on Epic. For more information contact your information security helpdesk.
Texting Patients

for any reason associated with their care – messages sent unencrypted

Sent by: nurses, physicians or other clinical care staff

Sent to: patients or their family/friends/or caregivers

Permitted: Yes – for limited purposes
  1. Must have the patient sign the UNCHCS Authorization for Electronic Communication
  2. Must not text any sensitive PHI (SS#s, DL#, financial info or sensitive medical information)
  3. Text messages may only be sent to patients for permitted purposes set forth in this policy.
  4. Patients may not respond with text messages using free text; patients may only respond with preprogrammed replies (i.e., text #1 for yes, #2 for no, etc.)
(Policy pending)
Texting Patients

for any reason associated with their care – messages sent encrypted

Sent by: nurses, physicians or other clinical care staff

Sent to: patients or their family/friends/or caregivers

Permitted: Yes
  1. Must have the patient sign the UNCHCS Authorization for Electronic Communication
  2. Must not text any sensitive PHI (SS#s, DL#, financial info, or sensitive medical information)
  3. Text messages may only be sent to patients for permitted purposes set forth in policy.
(Policy Pending)

Must use a third-party vendor approved application to send encrypted communications to the patient. Must have Privacy Office approval for vendor application. Vendor must be vetted through UNCHCS ISD Architecture Review Board.

Emailing PHI is Permitted as Follows:

| Safeguards | UNCHCS Internal Message (between UNCHCS email accounts @unchealth.unc.edu) | Messages between UNCHCS email accounts and SOM email accounts (@med.unc.edu) | Messages between UNCHCS email account and external accounts (i.e., gmail.com, gov.com) |
|---|---|---|---|
| Inspect address of intended recipients before sending; avoid sending to distribution lists. | Required | Required | Required |
| ALWAYS ensure that recipients are authorized to obtain the PHI | Required | Required | Required |
| Encrypt the email during transmission | Not Required | Required | Required |
| Encrypt the PHI content: 1. In message body | Not Required | Required | Required |
| Encrypt the PHI content: 2. In file attachment | Required if there are more than 499 unique identities in the file | Required | Required |
| Label the message “Confidential” on the first line within the body of the message | Recommended | Required | Required |
| Type (secure) in the subject line to encrypt the message. Be sure to include the parentheses and add a space after the last parenthesis | Not Required | Required | Required |