Healthcare providers rely on communication for everything from scheduling appointments and delivering test results to managing chronic conditions and sharing vital health updates. This communication takes place through secure, HIPAA compliant channels like encrypted email and secure messaging systems. These tools are designed to protect sensitive health information while making communication faster and more efficient.
But what happens when a patient doesn’t want to use these platforms? Can they say no to receiving information through HIPAA compliant email? The answer is yes, patients can opt out. However, this seemingly simple choice involves a range of legal, operational, and ethical considerations for healthcare organizations.
Understanding HIPAA compliant communication
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to protect the privacy and security of individuals’ health information. HIPAA compliant communication refers to any form of communication that meets the standards set by the HIPAA Privacy Rule and Security Rule. These communications are designed to safeguard protected health information (PHI) and include:
- Encrypted email systems
- Secure messaging apps and platforms
- Secure voice or video calls
- HIPAA compliant text messaging systems
The goal of these technologies is to ensure that PHI is not improperly accessed, altered, or disclosed during transmission. However, HIPAA compliance isn't just about technology; it’s also about respecting patient autonomy and preferences.
Patient rights under HIPAA
HIPAA not only protects health information, it also empowers patients. Two provisions in particular are relevant here:
Right to request alternative communication methods
The HIPAA Privacy Rule (§164.522(b)) states that “a covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.” This means patients have the right to request that providers communicate with them in a specific manner or at a certain location. For example, a patient might ask that all communications be sent to a P.O. Box instead of their home address, or they may request that phone calls only occur after 5 p.m.
Furthermore, this means that if a patient requests to opt out of email or text, even if those methods are HIPAA compliant, the provider must generally honor that request unless it presents an unreasonable burden.
Right to revoke consent
The US Department of Health and Human Services (HHS) states that “The Privacy Rule gives individuals the right to revoke, at any time, an Authorization they have given.” Thus, even if a patient initially agrees to receive electronic communication, they can revoke that consent at any time. Once revoked, providers must stop sending communications through that channel. However, “The revocation must be in writing, and is not effective until the covered entity receives it. In addition, a written revocation is not effective with respect to actions a covered entity took in reliance on a valid Authorization, or where the Authorization was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy or the policy itself.”
Reasons why patients may opt out
Although HIPAA compliant communication is designed to be secure, some patients may still have valid concerns or preferences that prompt them to opt out. These include:
- Distrust of digital platforms: Despite assurances of encryption and compliance, some patients may remain wary of data breaches or unauthorized access. Their hesitation may be shaped by real-world events. For example, according to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), in the first half of 2025, U.S. healthcare organizations reported 311 data breaches that involved 500 or more individuals. These incidents affected over 23 million individuals. Most of these breaches were caused by hacking and IT incidents.
- Privacy at home or work: Patients may worry that family members, coworkers, or others could gain access to electronic communications, especially if shared devices or email accounts are used. They may prefer paper mail or phone calls as more private alternatives.
- Technological barriers: As of April 2025, 94% of the American population has access to the internet. Although this accounts for a large portion of the population, it still means that not all patients have access to smartphones, computers, or reliable internet. Others may lack the digital literacy needed to use portals and secure messaging tools effectively.
- Cultural or personal preferences: Some individuals may simply feel more comfortable with traditional methods of communication. They may find digital communications impersonal or difficult to navigate.
Can providers deny communication alternatives?
While HIPAA requires providers to accommodate reasonable requests, they are not obligated to honor every request if it creates undue hardship.
What counts as “reasonable”?
The term “reasonable” is not strictly defined by HIPAA and often depends on context. For example:
- If a patient asks to receive test results only via postal mail, and the provider is equipped to do so, that request should be granted.
- If a patient insists that all communication happen via handwritten letters delivered by courier, the provider may reject the request as unreasonable.
Providers may need to demonstrate that alternative methods do not compromise the security of PHI and are feasible within their operations.
Responsibilities of covered entities
When a patient opts out of HIPAA compliant communication, covered entities must update internal systems to reflect the patient’s preferences and ensure staff compliance.
Steps to take
- Document the request: The patient’s communication preferences should be clearly documented in their medical record.
- Train staff: All staff members who interact with the patient should be informed of the opt-out and trained on the alternative communication method.
- Verify alternative contact methods: Ensure that the patient’s alternative contact method (e.g., a different phone number or address) is valid and secure.
- Review and update policies: Providers should periodically review their HIPAA policies to ensure they remain compliant while also respecting patient autonomy.
Consequences of ignoring patient preferences
Failing to honor a patient’s opt-out request can have serious consequences:
- HIPAA violations and penalties: If a provider continues to send communications through a channel the patient has explicitly rejected, it could be considered an unauthorized disclosure under HIPAA. This opens the door to:
- Loss of trust: Experts at Wolters Kluwer analysed a survey on trust in the U.S. health care system among the public and physicians, for which the American Board of Internal Medicine Foundation (ABIM) commissioned NORC at the University of Chicago. This survey revealed that “64% completely/somewhat trust” their physicians. Of those who didn’t trust their physicians, 14% didn’t trust them because they were not heard. Ignoring a patient's stated preference can result in dissatisfaction, missed appointments, or even the patient leaving the practice.
What happens after an opt-out?
When a patient opts out of HIPAA compliant digital communication:
- Alternative methods must be used: Phone calls, postal mail, or in-person discussions.
- Communication may be slower: Traditional methods may introduce delays in delivering test results or appointment reminders.
- Providers must balance compliance and practicality: They must ensure PHI remains protected, even if communicated through less advanced methods.
FAQs
Does opting out mean no communication at all?
No. It simply means communication must occur through alternative, agreed-upon methods.
Can a patient change their mind and opt back into digital communication?
Yes. Patients can revoke their opt-out at any time by informing their healthcare provider.
Are providers required to offer alternative communication methods?
Providers must accommodate reasonable requests but are not obligated to support methods that cause undue burden.
