What makes a digital message “contain PHI” in practice
For digital communication, think of PHI as health-related information that can be tied to a specific person through the message itself or through context. A message can contain PHI even if it does not include a full name.
Common ways a message becomes PHI
- Direct identifiers: patient name, date of birth, medical record number, phone number, email address, home address.
- Indirect identifiers: room/bed number, unique diagnosis (“the only liver transplant patient”), a distinctive photo, or a combination like “Mrs. J in 4B with the new ostomy.”
- Attachments and images: PDFs, screenshots, lab results, discharge instructions, wound photos, radiology images, or a photo of a whiteboard with patient details.
- Metadata and context: a photo that shows a face, wristband, chart label, monitor screen, or even a timestamp and location that can connect the image to a patient encounter.
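The "metadata and context" point above has a technical side worth seeing in bytes: a phone photo whose frame shows only a wound still carries an Exif block with GPS coordinates, capture time and device make, which is enough to tie the image to an encounter. The following is an added example, not part of the original page and not an approved clinical tool. Using only the Python standard library, it builds a small constructed JPEG with made-up Exif values, lists the identifying tags it finds, and strips the APP1 (Exif/XMP) and APP13 (IPTC) segments while keeping the JFIF header and the APP2 ICC profile so colour rendering of the clinical image is untouched. Marker numbers and tag IDs follow the JPEG and Exif specifications; the coordinates, date and maker string are constructed.

```python
"""Inspect and strip identifying metadata (Exif/IPTC) from a JPEG before sharing.

Added example, not from the original page. Uses only the standard library and a
hand-built JPEG so it runs offline. The sample Exif values are constructed.
"""
import struct

SOS, EOI = 0xDA, 0xD9
APP0, APP1, APP2, APP13 = 0xE0, 0xE1, 0xE2, 0xED  # JFIF, Exif/XMP, ICC, IPTC
STANDALONE = {0x01, 0xD8, 0xD9, *range(0xD0, 0xD8)}  # markers with no length field

# Exif tags (IFD0 and Exif IFD share one tag space) that help identify who/when/which device.
EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x9003: "DateTimeOriginal", 0x9004: "DateTimeDigitized",
             0x927C: "MakerNote", 0xA420: "ImageUniqueID"}
# The GPS IFD has its own tag space.
GPS_TAGS = {0x0002: "GPSLatitude", 0x0004: "GPSLongitude", 0x001D: "GPSDateStamp"}
EXIF_IFD_POINTER, GPS_IFD_POINTER = 0x8769, 0x8825


def iter_segments(data):
    """Yield (marker, payload) up to and including SOS, then (None, rest) for the
    entropy-coded scan data and EOI, which are copied through untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, b""
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes the 2 length bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:
            yield None, data[pos:]
            return


def exif_findings(payload):
    """Return names of identifying tags in an APP1 Exif payload (IFD0, Exif IFD, GPS IFD)."""
    if not payload.startswith(b"Exif\x00\x00"):
        return []  # XMP also lives in APP1; strip_metadata drops it regardless
    tiff = payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        return ["(malformed TIFF header)"]
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    found, seen = [], set()

    def read_ifd(offset, table, prefix):
        if offset in seen or offset + 2 > len(tiff):
            return  # guard against loops and truncated/malicious offsets
        seen.add(offset)
        (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
        if offset + 2 + 12 * count > len(tiff):
            return
        for i in range(count):
            entry = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
            tag, _type, _count, value = struct.unpack(endian + "HHII", entry)
            if tag == EXIF_IFD_POINTER:
                read_ifd(value, EXIF_TAGS, "")
            elif tag == GPS_IFD_POINTER:
                read_ifd(value, GPS_TAGS, "GPS:")
            elif tag in table:
                found.append(prefix + table[tag])

    read_ifd(ifd0, EXIF_TAGS, "")
    return found


def strip_metadata(data, remove=(APP1, APP13)):
    """Rebuild the JPEG without the metadata segments; APP0 and the APP2 ICC profile stay."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(data):
        if marker is None:
            out += payload
            break
        if marker in remove:
            continue
        out += bytes([0xFF, marker])
        if marker not in STANDALONE:
            out += struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)


def inspect_and_strip(data):
    """Return (identifying tags found, cleaned JPEG bytes)."""
    findings = [f for m, p in iter_segments(data) if m == APP1 for f in exif_findings(p)]
    return findings, strip_metadata(data)


def build_sample_jpeg():
    """Constructed test image: SOI, APP0 JFIF, APP1 Exif (with GPS), SOS, scan data, EOI."""
    t = bytearray(b"MM" + struct.pack(">HI", 42, 8))          # big-endian TIFF, IFD0 at 8
    t += struct.pack(">H", 4)                                  # IFD0: 4 entries
    t += struct.pack(">HHI", 0x010F, 2, 4) + b"ACME"           # Make (inline, constructed)
    t += struct.pack(">HHII", 0x0132, 2, 20, 110)              # DateTime -> offset 110
    t += struct.pack(">HHII", 0x8769, 4, 1, 62)                # Exif IFD -> 62
    t += struct.pack(">HHII", 0x8825, 4, 1, 80)                # GPS IFD -> 80
    t += struct.pack(">I", 0)
    t += struct.pack(">H", 1) + struct.pack(">HHII", 0x9003, 2, 20, 110) + struct.pack(">I", 0)
    t += struct.pack(">H", 2)                                  # GPS IFD at 80
    t += struct.pack(">HHII", 0x0002, 5, 3, 130) + struct.pack(">HHII", 0x0004, 5, 3, 154)
    t += struct.pack(">I", 0)
    t += b"2024:01:01 00:00:00\x00"                            # constructed timestamp
    t += struct.pack(">6I", 42, 1, 21, 1, 0, 1)                # constructed latitude d/m/s
    t += struct.pack(">6I", 71, 1, 3, 1, 0, 1)                 # constructed longitude d/m/s

    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + seg(APP0, jfif) + seg(APP1, b"Exif\x00\x00" + bytes(t))
            + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\x11\x22" + b"\xff\xd9")


if __name__ == "__main__":
    found, cleaned = inspect_and_strip(build_sample_jpeg())
    print("identifying Exif tags:", found)
    print("tags after strip:", inspect_and_strip(cleaned)[0])
```

Two caveats for practitioners. First, metadata stripping removes the invisible identifiers only; a face, wristband, chart label or monitor screen in the frame is still PHI and is why the page insists on tight framing and an approved capture workflow rather than a personal camera. Second, an approved clinical photography app should do this kind of sanitisation (and enforce upload to the chart) on the organisation's side; a script run by hand on a personal phone is not a compliant substitute for that workflow.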
Quick self-check before you hit send
- Does this message mention a patient’s care, condition, appointment, medication, test, or billing?
- Could someone identify the patient from what I wrote, attached, or photographed?
- Could the recipient identify the patient because they already know the context (unit, schedule, referral list)?
If any answer is “yes,” treat it as PHI and use only approved methods.
Approved vs. unapproved channels (plain-language rules)
Approved channels (typical examples)
- Organization-approved secure messaging inside the EHR or a sanctioned clinical chat app.
- Organization email when configured for secure transmission and used according to policy (often including encryption or a secure portal).
- Secure file sharing approved by your organization (not consumer cloud links).
Unapproved channels (common pitfalls)
- Personal email accounts (Gmail, Yahoo, etc.) for any PHI.
- Standard SMS texting from a personal phone number or default texting app for any PHI.
- Social media DMs or messaging apps not approved by the organization.
- Personal cloud storage (personal iCloud/Google Drive/Dropbox) for photos, documents, or screenshots containing PHI.
When in doubt, assume a channel is unapproved until your organization confirms it is approved for PHI.
Using secure messaging tools appropriately (EHR chat and secure clinical chat)
Secure messaging tools help protect information, but they do not replace good habits. You still need to send only what is needed, to the right person, for the right purpose.
Step-by-step: sending a compliant secure message
- Confirm you are in the approved tool (EHR chat or sanctioned clinical messaging app), not a look-alike consumer app.
- Select the correct recipient from the directory (avoid typing free-form numbers or names when possible).
- Use limited identifiers to reduce risk if the message is misrouted. Example: use MRN or initials + location per policy, rather than full demographics.
- State the clinical need clearly and keep it focused (avoid extra background that isn’t needed for the task).
- Avoid screenshots when the tool can link to the chart or reference an order/result directly.
- Check for attachments and confirm they are necessary and appropriate.
- Send, then document appropriately if your workflow requires it (some chats are not part of the legal medical record unless copied into the chart per policy).
Compliant vs. non-compliant examples (secure chat)
| Scenario | Compliant | Non-compliant |
|---|---|---|
| Clarifying a medication order | Using EHR chat: Room 412B, MRN 123456: Please confirm dose for heparin drip; current order shows 12 units/kg/hr. | Texting a coworker’s personal phone: Hey, for John Smith in 412B, should I run heparin at 12? |
| Sharing a lab result | Secure message referencing the result in the chart: MRN 123456: K+ is 2.9; replacement protocol started. | Sending a screenshot of the lab screen that includes name/DOB and other results not needed. |
Emailing PHI: how to do it safely
Email can be appropriate when your organization allows it and the message is protected according to policy. The biggest email risks are wrong recipients, unsecured forwarding, and attachments that spread PHI.
Step-by-step: sending PHI by email (when permitted)
- Use only your organization email account and only within approved systems.
- Verify the recipient address carefully: click the address to confirm it is the correct person (autocomplete can select the wrong “Dr. Lee”).
- Use the approved secure method (e.g., encryption button, secure portal, or required subject line tag) exactly as policy states.
- Write a minimal subject line that does not reveal health details. Prefer “Patient care question” rather than “HIV results”.
- Limit the body content to what the recipient needs to act.
- Handle attachments carefully: attach only what is needed; confirm the file is correct; remove extra pages; consider password-protected documents only if policy allows and the password is shared through an approved separate method.
- Re-check recipients right before sending, especially if you added anyone in CC/BCC.
- Do not forward PHI to personal email to “work on it later.” Use approved remote access or secure systems instead.
Compliant vs. non-compliant examples (email)
| Scenario | Compliant | Non-compliant |
|---|---|---|
| Sending discharge instructions to another facility contact | Email through approved secure method to verified facility address; attach only the needed pages; confirm recipient identity. | Forwarding discharge instructions to a personal email account to print later. |
| Scheduling follow-up | Subject: Follow-up scheduling; body includes only scheduling details needed; no diagnosis in subject. | Subject: Post-op wound infection follow-up for Maria G. |
Recipient safety checklist (use before every send)
- Did I pick the correct person from the directory (not a similar name)?
- Am I sending to a group list that includes people who don’t need this?
- Did I accidentally reply-all to a thread that includes external addresses?
- Is the email going outside the organization, and if so, am I using the required secure method?
Texting: why it’s risky and when it is prohibited
Standard texting (SMS) is risky because it can be stored on devices, backed up to personal cloud accounts, previewed on lock screens, forwarded easily, and sent to the wrong number. Many organizations prohibit SMS for any PHI and require a secure messaging app instead.
When texting is typically prohibited
- Any patient-specific clinical details (symptoms, diagnosis, meds, results, treatment plans).
- Photos or videos of patients or body parts.
- Discharge instructions or documents containing identifiers.
- Messages to personal numbers when an approved secure tool exists.
What may be allowed (depending on policy)
- Non-PHI logistics such as “Call me when you’re free” or “I’m in the supply room,” as long as it contains no patient identifiers or care details.
Compliant vs. non-compliant examples (texting)
| Scenario | Compliant | Non-compliant |
|---|---|---|
| Need a quick callback | SMS: Can you call me when available? | SMS: Call me about Mr. Jones in 3A—his CT shows a bleed. |
| Sharing a wound update | Use approved secure clinical chat with limited identifiers and no photo unless allowed and necessary. | Texting a wound photo from a personal phone to a coworker. |
Photos and videos: taking, storing, and sharing safely
Photos and videos are high risk because they often capture more than intended (faces, wristbands, charts, room numbers, monitor screens) and because personal devices may automatically back up images to cloud services.
Rules of thumb
- Do not use a personal phone/camera for patient photos or videos unless your organization explicitly permits it and provides a compliant method (many do not).
- Use only approved clinical photography workflows (e.g., an EHR-integrated camera feature or organization-managed device/app).
- Capture only what is needed: frame tightly; avoid faces and identifying features when not necessary.
- Never store patient images in personal photo galleries or personal cloud backups.
- Do not share images through email, texting, or messaging apps unless the method is approved and required for care.
Step-by-step: photographing a wound (compliant workflow)
- Confirm there is a care-related reason and that your role allows you to take the photo.
- Use the approved device/app (organization-managed phone/tablet or EHR photo capture).
- Prepare the scene: remove/cover wristbands, name cards, charts, and anything with identifiers; ensure no other patients are visible.
- Frame tightly to the clinical area; avoid the patient’s face unless clinically required.
- Upload directly to the approved system (EHR/media tab) and confirm it saved to the correct chart.
- Do not keep a copy on the device; follow the app/device process that prevents local storage.
- Document per policy (e.g., location of wound, date/time, measurement) rather than relying on the image alone.
Compliant vs. non-compliant examples (photos/videos)
| Scenario | Compliant | Non-compliant |
|---|---|---|
| Wound photo for care team review | Using an EHR-integrated camera on a managed device; image goes directly into the patient chart; no identifiers in frame. | Photographing the wound on a personal phone “just to show the provider,” then sending it via standard text. |
| Educational sharing | Only through approved de-identification and authorization processes as required by policy; shared through approved channels. | Keeping an “interesting case” video on a personal device or showing it to friends/coworkers outside the care team. |
Device hygiene: simple habits that prevent digital leaks
Many HIPAA problems come from everyday device habits: unlocked screens, shared logins, and notifications that reveal patient details.
Screen locks and auto-lock
- Enable a strong screen lock (PIN/password/biometric as allowed).
- Set auto-lock to a short time (per policy) so devices don’t stay open at nurses’ stations or in hallways.
- Hide message previews on lock screens so PHI doesn’t appear in notifications.
No shared logins
- Never share usernames or passwords, even with coworkers “just for a minute.”
- Log out of EHR and messaging tools when stepping away, even briefly.
- Use badge tap/fast user switching if your organization provides it, but still confirm you are in your own session.
Be careful with copy/paste and screenshots
- Avoid copying PHI into notes apps, personal reminders, or unapproved task tools.
- Do not take screenshots of charts or results unless policy explicitly allows it for a defined workflow.
Physical and environmental safety
- Keep devices with you or secured; do not leave phones/tablets unattended in public areas.
- Watch your surroundings: screens can be viewed over your shoulder in elevators, cafeterias, and waiting rooms.
Quick “before you message” checklist
- Am I using an approved channel for PHI?
- Did I choose the correct recipient?
- Did I include only what the recipient needs to do their job?
- Am I about to attach or paste something that contains extra identifiers?
- Is my device locked down (screen lock, no previews, no shared login)?