You've probably heard colleagues call it "the HIPAA waiver." It's the document that clients sign when they want to communicate via regular email or text. Most often, this comes up for things like scheduling, billing reminders, or quick logistical questions.
The important truth is this: HIPAA itself cannot be waived.
TL;DR: A HIPAA waiver does not waive HIPAA. When a client requests non-secure communication, they are making a Request for Alternative Communication under the Privacy Rule. This only applies to specific low-risk messages and does not remove your responsibility to safeguard PHI, use services with a BAA, or keep a secure option available.
What clinicians commonly call a "HIPAA waiver" is actually a client's written Request for Alternative Communication, a right granted by the HIPAA Privacy Rule (45 CFR 164.522(b)). It lets the client ask to receive certain low-risk communications, such as scheduling or simple billing questions, through a channel that does not meet the HIPAA Transmission Security Standard, for example unencrypted email.
💡 What is the HIPAA Transmission Security Standard?
The Transmission Security Standard (45 CFR 164.312(e), part of the HIPAA Security Rule) protects electronic protected health information (ePHI) while it is in transit.
It requires practitioners to guard against unauthorized access so ePHI can't be intercepted, altered, or read while it is being sent, for example as an email. Encryption is listed under this standard as an addressable implementation specification, which is why a documented client request can set it aside for a specific message but cannot set aside the standard's underlying goal of protecting ePHI.
But this request does not waive your HIPAA obligations. It simply documents the client's preference for specific types of messages delivered via a less secure channel. All other requirements remain in place: you still must protect PHI, use services with a BAA, and keep a secure option available at all times.
As Liath Dalton, Director of Person Centered Tech, explains:
"When a client requests non-secure communication, they're not waiving HIPAA. They're only waiving the guaranteed encryption required under the Transmission Security Standard for that specific transmission. Everything else — including your responsibility to use systems with a BAA and to safeguard PHI — stays firmly in place."
Liath Dalton, Director, Person Centered Tech
In this guide, we'll clarify what a Request for Alternative Communication (the so-called "HIPAA waiver") actually does, what it doesn't do, and how to set up a simple workflow that keeps you HIPAA compliant.
| What the request does | What the request doesn't do |
|---|---|
| ✅ Sets aside only the Transmission Security Standard's encryption-in-transit safeguard, for the messages it names | ❌ Waive HIPAA as a whole |
| ✅ Documents the client's request to use an unencrypted channel for certain low-risk messages | ❌ Allow clinical details to be sent via non-secure channels |
| ✅ Allows the client to switch back to secure communication at any time | ❌ Lock preferences in permanently |
| ✅ Shows that the request was voluntary and understood | ❌ Replace your documentation duties |
Clients have a right under the Privacy Rule to request alternative communication, but they can't make a meaningful choice if no secure method is available.
As Liath Dalton notes:
"You can't offer a client the option to request alternative communication unless you also have a secure method available. Otherwise, there's no real choice — and the rule is built around client choice."
Liath Dalton, Director, Person Centered Tech
It helps to have one place where secure and non-secure communication work together. This keeps things simple when a client changes their preference, and you don't have to juggle different systems or worry about which option you used last.
You must still use a service that has signed a BAA with you, even when sending unencrypted messages, because the vendor is still transmitting and storing PHI on your behalf. Note what the BAA does and doesn't do: it binds the vendor to protect the PHI it handles; it does not make an unencrypted message secure in transit, which is exactly why the client's request has to be documented.
Hushmail meets this requirement and allows you to toggle encryption based on your clients' requests.
Adding the form to your intake process keeps the workflow clear and predictable for both you and the client.
A well-designed Request for Alternative Communication form should:
Anatomy of a Request for Alternative Communication form:
💡 Need a template?
Person Centered Tech offers a free Request for Non-Secure Communication form you can customize for your practice.
Preference changes must be added to the client's clinical record (typically in your EHR).
When a client wants to return to secure communication, keep it simple. A verbal or written request should be enough to update their preference.
As Dalton emphasizes:
"Even at first contact, if someone reaches out about future healthcare services, that information is PHI — and it must be protected. Secure forms aren't optional; they're essential."
Liath Dalton, Director, Person Centered Tech
Offering both secure and non-secure (client-requested) options isn't just a compliance requirement. It demonstrates your commitment to privacy, respect, and informed client choice.
And with the right tools and process, it doesn't have to be complicated.
What is the so-called "HIPAA Waiver"?
What clinicians commonly call a "HIPAA waiver" is actually a client's written Request for Alternative Communication, permitted under the HIPAA Privacy Rule.
Does the waiver cover all communication with a client?
No. It specifies that certain types of low-risk information, such as scheduling or billing, can be sent over unencrypted channels. Sensitive clinical details shouldn't be sent non-securely, even with a signed request.
What if a client wants to switch back to secure communication?
You should accommodate their preference. A simple request, by email or in conversation and documented, should be enough. Your workflow should make this easy.
How long is the waiver valid?
It depends on what's in the form. You can set a termination date or tie it to an event, such as the end of treatment. Clients can also revoke it at any time.
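The workflow described above (secure by default, unencrypted only for the low-risk categories the client named, easy to switch back, with a termination date or revocation honoured) can be enforced with a small policy check. The following is an added illustration, not code from Hushmail or Person Centered Tech; the data model, the category names and the sample request record are assumptions made for the example.

```python
"""Channel-selection policy for a client's Request for Alternative Communication.

Added example; the record layout, category names and sample data below are
constructed for illustration and are not from any real product or practice.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

# Categories a client may route to an unencrypted channel (assumed names).
# Clinical content is never eligible, whatever the signed request says.
LOW_RISK: FrozenSet[str] = frozenset({"scheduling", "billing", "logistics"})
ALL_CATEGORIES: FrozenSet[str] = LOW_RISK | {"clinical"}


@dataclass
class AltCommRequest:
    """A client's signed Request for Alternative Communication."""
    channel: str                        # requested channel, e.g. "plain_email" or "sms"
    categories: FrozenSet[str]          # categories the client asked to receive unencrypted
    signed_on: date
    expires_on: Optional[date] = None   # termination date from the form, if one was set
    revoked_on: Optional[date] = None   # set when the client asks to switch back

    def active_on(self, day: date) -> bool:
        """True only inside the window the form and any revocation allow."""
        if day < self.signed_on:
            return False
        if self.revoked_on is not None and day >= self.revoked_on:
            return False
        if self.expires_on is not None and day > self.expires_on:
            return False
        return True


@dataclass
class Decision:
    channel: str     # "secure" or the client's requested channel
    encrypted: bool
    reason: str      # short note suitable for the clinical record


def choose_channel(request: Optional[AltCommRequest], category: str, today: date) -> Decision:
    """Decide how one message goes out. Every branch except the last falls back to secure."""
    if category not in ALL_CATEGORIES:
        raise ValueError(f"unknown message category: {category!r}")
    if category not in LOW_RISK:
        return Decision("secure", True, "clinical content is never sent non-securely")
    if request is None:
        return Decision("secure", True, "no alternative-communication request on file")
    if not request.active_on(today):
        return Decision("secure", True, "request expired or revoked; secure default applies")
    if category not in request.categories:
        return Decision("secure", True, f"{category} is not covered by the client's request")
    return Decision(request.channel, False, f"client-requested {request.channel} for {category}")


def demo() -> List[Decision]:
    """Run the policy over a constructed request record and a few sample messages."""
    # Constructed sample: client opted in to unencrypted scheduling email only,
    # the form expires at year end, and the client switched back on 1 July.
    req = AltCommRequest(
        channel="plain_email",
        categories=frozenset({"scheduling"}),
        signed_on=date(2024, 1, 10),
        expires_on=date(2024, 12, 31),
        revoked_on=date(2024, 7, 1),
    )
    samples = [
        ("scheduling", date(2024, 3, 4)),   # covered and active: goes out unencrypted
        ("billing", date(2024, 3, 4)),      # low-risk but not requested: stays secure
        ("clinical", date(2024, 3, 4)),     # never eligible: stays secure
        ("scheduling", date(2024, 7, 15)),  # after revocation: back to secure
    ]
    return [choose_channel(req, category, day) for category, day in samples]


if __name__ == "__main__":
    for decision in demo():
        print(f"{decision.channel:12s} encrypted={decision.encrypted!s:5s} {decision.reason}")
```

The point of the structure is that the unencrypted path is the last branch reached only when every condition holds; an unknown category, a missing form, an expired or revoked request, or a category the client did not name all land on the secure default, and each decision carries the reason you would record in the client's chart.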
Reviewed by: Liath Dalton, Director of Person Centered Tech, and Steven O. Youngman, VP of Legal and Compliance, Hushmail.