HIPAA requires you to make patients aware of the risk of communicating their PHI via an unsecured channel and to obtain their consent prior to doing so. If the patient is not comfortable discussing their PHI over text or email, you should move the conversation to a secure method such as a phone call, secure patient portal, or in-office visit..