As winter fades and spring arrives, many practices take time to reset routines—organizing schedules, refreshing workflows, and clearing out what no longer serves them. Spring is also a good moment to take a fresh look at how we communicate. Email, texting, and messaging tools make healthcare faster and more connected than ever, but they also introduce some of the most common HIPAA risks.
HIPAA doesn’t prohibit electronic communication. In fact, it recognizes that modern care depends on it. What HIPAA does require is that communication involving Protected Health Information (PHI) is handled thoughtfully, securely, and with intention. This session focuses on when PHI can be emailed or texted, which tools are appropriate, and how small mistakes can quickly become big problems.
Email and texting feel informal. They’re quick, convenient, and deeply ingrained in daily work. That informality is exactly what makes them risky. When people feel rushed or comfortable, they’re more likely to:
Skip double-checking recipients
Include more information than necessary
Use personal devices or accounts
Assume security where there isn’t any
Most HIPAA incidents involving communication are not caused by malicious intent. They’re caused by speed, habit, and assumptions.
Spring cleaning isn’t just about physical spaces—it’s about clearing out risky communication habits that have quietly built up over time.
Email can be used to communicate PHI if it is done securely and appropriately. What “secure” means depends on the systems your practice has approved.
In general:
Work email systems with proper safeguards may be acceptable
Personal email accounts are usually not
Sending PHI to the wrong recipient is still a violation—even if the system is secure
Email should be used purposefully, not casually. Including PHI “just in case” or because it’s easier can increase risk without adding value.
Before sending an email with PHI, pause and ask:
Is email the right tool for this message?
Does the recipient need all of this information?
Am I sending this to the correct person?
That pause is often enough to prevent an incident.
Texting is one of the most misunderstood areas of HIPAA. Many people assume that texting PHI is always forbidden. Others assume it’s fine because “everyone does it.” The truth lies in the middle.
Texting PHI may be allowed only if:
The platform is approved by the practice
Appropriate safeguards are in place
The information shared is limited to what’s necessary
Standard SMS texting and personal messaging apps are typically not secure enough for PHI. Even if a message feels harmless, phones can be lost, shared, or accessed by others.
A common risk in spring and summer months is staff working remotely, covering shifts, or using personal devices more frequently. These situations increase the temptation to text quickly instead of using approved systems.
Convenience should never outweigh security.
Internal messaging platforms can be useful—but they can also create a false sense of safety. Just because a message stays “inside the system” doesn’t mean it’s risk-free.
Common messaging mistakes include:
Including full patient identifiers when not needed
Sending PHI to group chats
Answering “quick questions” with more detail than required
Forgetting that messages may be retained or audited
A good rule of thumb is to treat every message as discoverable. If you wouldn’t be comfortable seeing it reviewed later, it’s worth revising before sending.
Most messaging-related HIPAA issues follow predictable patterns:
Auto-fill errors: Selecting the wrong contact from a list
Reply-all accidents: Including unintended recipients
Forwarding without review: Passing along PHI without checking content
Tone drift: Treating work messages like casual personal texts
Spring is a good time to reset these habits. Slowing down by a few seconds can prevent weeks—or months—of remediation work.
Consider these situations:
You receive an email with PHI that wasn’t meant for you. Do you reply, forward it, or report it?
A coworker texts you asking for patient information because they “can’t get into the system.”
You’re covering for someone who’s out and need to communicate quickly—what tool do you use?
These moments happen every day. The goal isn’t perfection—it’s choosing the safest option available.
HIPAA-compliant communication doesn’t require complex steps. It requires intentional habits:
Verify recipients before sending
Use approved systems consistently
Share the minimum necessary information
Avoid personal accounts and devices unless explicitly approved
Report mistakes immediately—early reporting limits impact
Just like spring cleaning creates clearer, more functional spaces, these habits create cleaner, safer communication workflows.
Spring represents renewal. It’s a chance to refresh how we work and recommit to practices that protect both patients and staff. Secure communication is part of quality care, not an obstacle to it.
Every email, text, or message is an opportunity to build trust—or to risk it. By being thoughtful about how we communicate, we protect patient privacy, support our coworkers, and strengthen the practice as a whole.
As the days get longer and workflows get busier, let this season be a reminder to slow down just enough to communicate safely.
Clear messages. Secure tools. Better habits.