Appointment reminder regulation increased under new HIPAA Privacy Rule. Under the HIPAA Privacy Rule, covered entities (CEs) are restricted in how they are permitted to use and disclose protected health information (PHI). However, CEs may disclose PHI without authorization if the disclosure relates to the treatment, payment, or healthcare operations. To conduct business, CEs often provide patients with patient appointment reminders. As appointment reminders are considered part of the treatment of patients, they are permitted without prior authorization from the patient.
What is Permitted to be Disclosed in a Patient Appointment Reminder?
Sending patient appointment reminders via mail, email, or leaving a voicemail reminder, are permitted; however, before sending patients email reminders, covered entities must ensure that they have adequate safeguards in place securing the information.
When issuing patient appointment reminders, covered entities must restrict the information that they disclose in the reminder. The HIPAA Privacy Rule mandates that disclosure of PHI adheres to the minimum necessary standard. As such, when issuing patient appointment reminders, covered entities should only disclose the information needed to confirm the appointment.
The type of information that may be disclosed for appointment reminders are as follows:
- Patient’s name
- Appointment date and time
- Covered entity’s name
- Covered entity’s phone number
Disclosing information such as the nature of the patient’s appointment is considered an unauthorized disclosure of PHI. Covered entities should never disclose information regarding a patient’s treatment, health condition, or test results (via phone, email, or mail) unless patients sign an authorization form permitting their information to be disclosed in this manner. Disclosing health information without prior consent can result in the accidental disclosure of PHI, as a patient’s family member or friend may have access to the patient’s voicemail, email, or mail.
Although disclosing health information to a patient’s family member or friend is not permitted without authorization, covered entities may leave a message with a person other than the patient, provided that no health information is disclosed.