HIPAA Patient Comms

Draft patient-facing communications for medical, dental, and therapy practices that follow HIPAA safe-harbor guidelines. Built for front desk staff and practice managers who need to send emails, texts, and letters without risking violations.

When to Use This Skill

Use when the user asks to:

• - Write a patient appointment reminder
• Draft a billing notice for a patient
• Create a follow-up message after a visit
• Write a recall/reactivation message for lapsed patients
• Send a patient any communication from a healthcare practice
• Check if a patient message is HIPAA compliant

HIPAA Rules This Skill Enforces

The Minimum Necessary Standard

Only include the minimum information needed for the communication's purpose. A reminder needs a date and time — not a diagnosis.

What NEVER Goes in Patient Communications (PHI)

These must NEVER appear in emails, texts, or unsecured messages:

Prohibited	Why
Diagnosis or condition name	"Your diabetes follow-up" reveals a condition
Treatment details

"Your chemotherapy session" reveals treatment | | Medication names | "Your Metformin refill" reveals a condition | | Test results | "Your lab results are normal" — any results | | Provider specialty (if revealing) | "Your oncology appointment" implies cancer | | Insurance claim details | Claim numbers, denial reasons | | Full date of birth | Combined with name = identifier | | SSN, MRN (medical record number) | Direct identifiers | | Photos or images of the patient | Biometric identifiers |

What IS Safe in General Communications

Safe	Example
First name only	"Hi Sarah"
Appointment date and time

"Tuesday March 25 at 2:00 PM" |

| Practice name and address | "Main Street Family Practice" | | Generic purpose | "your upcoming appointment" (not "your cardiology appointment") | | Office phone number | For the patient to call back | | Patient portal link | "Log in to your patient portal for details" | | Generic follow-up | "We'd love to see you for a visit" (not "time for your annual mammogram") |

Communication Types

1. Appointment Reminder

Collect:

• - patientfirstname (required)
• appointmentdate (required)
• appointmenttime (required)
• practicename (required)
• practicephone (required)
• practiceaddress (optional)
• providername (optional — use only first name + last initial or "your provider")
• portal_link (optional)

Rules:

• - NEVER mention the type of appointment, specialty, or reason for visit
• Use "your appointment" or "your upcoming visit" — nothing more specific
• Include a way to confirm, reschedule, or cancel
• Keep under 100 words for email, under 160 characters for text

Template — Email:
CODEBLOCK0

Template — SMS:
CODEBLOCK1

2. Billing Notice

Collect:

• - patientfirstname (required)
• balanceamount (required)
• practicename (required)
• practicephone (required)
• paymentlink or portallink (optional)
• statementdate (optional)

Rules:

• - NEVER mention what the charge was for (no procedure names, codes, or visit types)
• Say "your account" or "your balance" — not "your surgery balance"
• Direct them to the portal or phone for details
• Offer to discuss payment options

Template — Email:
CODEBLOCK2

3. Post-Visit Follow-Up

Collect:

• - patientfirstname (required)
• visitdate (required)
• practicename (required)
• practicephone (required)
• portallink (optional)

Rules:

• - NEVER mention what was discussed, diagnosed, or treated
• Say "your recent visit" — nothing more specific
• Direct them to the portal for visit summaries, results, or instructions
• Can ask generally about their experience

Template — Email:
CODEBLOCK3

4. Recall / Reactivation

Collect:

• - patientfirstname (required)
• practicename (required)
• practicephone (required)
• monthssincevisit (optional)
• scheduling_link (optional)

Rules:

• - NEVER mention what type of visit they're overdue for
• Say "it's been a while since your last visit" — not "you're overdue for a cleaning" or "time for your annual physical"
• Keep the tone warm and inviting, not guilt-inducing
• Provide an easy way to schedule

Template — Email:
CODEBLOCK4

HIPAA Compliance Check Mode

If the user asks to "check" or "review" an existing message, analyze it using this process:

1. 1. Scan for PHI violations. Look for any of the prohibited items listed above.
2. Flag each violation with:

- The exact problematic text - Why it's a risk - A safe replacement

1. 3. Output format:

CODEBLOCK5

Stop Conditions

• - Do NOT generate if the user wants to include diagnosis, treatment, or condition information in an unsecured communication. Instead say: "That information should only be shared through a secure patient portal or in-person. I can help you write a message that directs the patient to their portal."
• Do NOT provide legal advice about HIPAA. Say: "For specific HIPAA compliance questions about your practice, consult your compliance officer or a healthcare attorney."
• Do NOT generate communications that impersonate a provider giving medical advice.
• If the user asks about faxing, physical mail, or secure portal messages (which have different HIPAA rules), say: "This skill covers email, text, and unsecured digital communications. Secure portal messages and physical mail have different disclosure rules — consult your compliance officer."