Question
Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
"Hey Todd, I have a quick question regarding HIPAA. We send two-sided postcards through the mail as reminders for all our hygiene appointments. The information on both sides of the card is visible. Does this violate HIPAA’s privacy standards since it contains our practice information, the patient’s name, address, as well as the appointment time?"
Is It PHI?
Thank you for your question! If you have been watching my videos for a while, I am sure you have heard me say that just the fact that an individual is a patient of your practice is protected health information. So, if that is the case, it seems like sending out a postcard in the mail with your practice name and the patient name would be a violation. Let’s see what the HIPAA law has to say about sending out appointment reminder postcards.
Our first step is always to ask whether the information transmitted is considered protected health information. Here, the answer is clearly yes. As I said earlier, the patient’s name, along with any details regarding an appointment or treatment, are indeed considered PHI, so HIPAA is applicable.
Three Exceptions
Next, we need to figure out when HIPAA allows the disclosure. Remember our basic rule is that you cannot disclose PHI without patient authorization, unless there is a specific permitted disclosure rule that applies. The permitted disclosure rule that applies to this question is the rule for disclosures for treatment purposes. Any communication about an appointment, either a reminder or a follow-up, is part of the patient’s treatment, so you can make the disclosure without a patient authorization. But the meat of this question is really about whether the form of communication is allowed. Let’s look a little deeper at the law to see what it has to say about this.
The HIPAA Law
HIPAA does not explicitly prohibit using postcards for communicating PHI, but section 164.306 does require providers to implement reasonable safeguards to protect PHI from unauthorized access, and 164.502(b) requires providers to only disclose the minimum necessary amount of PHI to accomplish the intended use. Additionally, 164.522(b)(1) gives patients the right to request communication by alternative means to preserve confidentiality. To reasonably safeguard the individual’s privacy and comply with minimum necessary requirements, you should take care to limit the amount of information disclosed on the postcard.
For example, consider including only the patient’s name, the provider’s name (such as Dr. Smith), the date and time of the appointment, and a phone number to confirm. Certainly do not include any information about the type of treatment. If a patient requests that you communicate with them in a confidential manner, you must accommodate that request, if reasonable. For example, HHS considers a request to receive mailings from the covered entity in a closed envelope, rather than by postcard, to be a reasonable request that should be accommodated.
Summary
To summarize: HIPAA allows providers to communicate with patients via postcards, but you must limit the information disclosed to the minimum necessary amount and accommodate any reasonable request to communicate more securely.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted – but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.