Texting and Emailing PHI
Communication of protected health information (PHI) with others both internal and external to UNC Health and to our patients is a critical function necessary to the ongoing operations of our health care enterprise. When PHI is shared in a communication between individuals/entities, the communication must be secure regardless of the medium in which the communication occurs. The following are summaries of UNC Health HIPAA policies governing the requirements for sending PHI via text message and via email.
Texting PHI is Permitted as Follows:
Purpose of Text Message | Sent by & Sent to | Permitted? | Requirements | More Information |
Appointment Reminder
via system-wide automated patient appointment reminder |
Sent by: Participating UNC Health areas only
Sent to: patients |
Yes | Must participate via the official UNC Health text appointment reminder application
Appointment Reminders MAY NOT be sent via any other application or by clinics/employees independently. |
|
Texting PHI | Sent by: nurses, physicians or other clinical care staff (internal)
Sent to: nurses, physicians or other clinical care staff (internal or external) |
Yes – for limited situations for treatment purposes only | Texting PHI for treatment purposes among providers and staff is permitted by UNC Health policy through:
|
|
Texting Pictures of Patients or Patient Care Activities such as pictures of wounds with identifying information (such as patient’s MRN) |
Sent by: nurses, physicians or other clinical care staff (internal)
Sent to:nurses, physicians or other clinical care staff (internal or external) |
Yes – for limited situations | Texting pictures of patient information such as wounds for treatment purposes among treating providers is permitted by UNC Health policy when
|
Pictures of patient treatment areas may be taken using a cellphone and uploaded via the Haiku application – only available for institutions that are on Epic. For more information contact your information security helpdesk. |
Texting De-identified Pictures of Patients or Patient Care Activities
such as pictures of wounds |
Sent by: nurses, physicians or other clinical care staff
Sent to: nurses, physicians or other clinical care staff |
Yes – but preference is to send these photos through Epic Haiku application | All patient identifiers must be removed (i.e., no name, MRN, demographic data, dates of services, DOB, SSN, etc.). | Texting a de-identified picture is not a privacy violation. However, by taking a picture of a wound with a personal cell phone and sending it to another UNC Health provider (such as a resident sending a picture to an attending) may raise questions by a patient on whether their data is properly protected. Additional professional issues may be raised. Therefore, the Privacy Office does not recommend that de-identified pictures of patients or patient body parts be sent outside of the Epic Haiku application. |
Texting Patients
for any reason associated with their care – messages sent unencrypted |
Sent by: nurses, physicians or other clinical care staff
Sent to: patients or their family/friends/or caregivers |
Yes – for limited purposes |
|
|
Texting Patients
for any reason associated with their care – messages sent encrypted |
Sent by: nurses, physicians or other clinical care staff
Sent to: patients or their family/friends/ or caregivers |
Yes |
|
Must use a third-party vendor approved application to send encrypted communications to the patient. Must have Privacy Office approval for vendor application. Vendor must be vetted through UNC Health ISD Architecture Review Board. |
Emailing PHI is Permitted as Follows:
Safeguards | UNC Health Internal Message (between UNC Health email accounts @unchealth.unc.edu) | Messages between UNC Health email accounts and SOM email accounts (@med.unc.edu) | Messages between UNC Health email account and external accounts (i.e., gmail.com, gov.com) |
Inspect address of intended recipients before sending; avoid sending to distribution lists unless recipient addresses can be inspected. | Required | Required | Required |
ALWAYS ensure that recipients are authorized to obtain the PHI | Required | Required | Required |
Encrypt the email during transmission | System Provided | System Provided | Required |
Encrypt the PHI content:
|
|
|
|
Label the message “Confidential” on the first line within the body of the message | Recommended | Required | Required |
Type (secure) in the subject line to encrypt the message. Be sure an include the parentheses and add a space after the last parentheses | Not Required | Not Required | Required |