When the General Data Protection Regulation (GDPR) came into being in Europe on May 25, 2018, Europeans were suddenly covered by some of the world’s strictest data protection rules.
Since then, other consumer privacy laws have come into effect. For example, the California Consumer Privacy Act (CCPA) is similar in spirit to the sweeping EU law.
Healthcare organizations in the US are ahead of the curve. They’ve been subject to high standards for managing and protecting sensitive patient data and communications since 1996.
These standards apply because of the Health Insurance Portability and Accountability Act (HIPAA).
The stakes are high here. Penalties for violating HIPAA can run as high as $50,000 per day. It’s no wonder we get a lot of questions about whether texting is HIPAA compliant.
Given that carriers can review text messages and phones can be lost, you can’t send text messages that include any patient identifiers.
Thankfully, there are a lot of compliant ways that healthcare organizations can use SMS.
To understand when SMS text messaging is HIPAA compliant, and when it is not, we put together this article with HIPAA guidelines for texting.
- What Is HIPAA?
- What Are the HIPAA Guidelines for Texting Patients?
- Examples of HIPAA Compliant Texting
- Understand If Texting Is the Right Communication Method for You
Please note that this advice is for informational purposes only and is neither intended as nor should be substituted for consultation with appropriate legal counsel and/or your organization’s regulatory compliance team.
What Is HIPAA?
HIPAA was signed into law nearly 25 years ago. The legislation provides security provisions and data privacy, with the ultimate aim of ensuring that patients’ medical information is safe.
The act contains five sections, or titles. Title II, the Administrative Simplification (AS) Act, explicitly covers how organizations manage and protect patients’ health information.
The ultimate goal is to ensure that the information is protected and stored securely, even when in transit. (An example of data or information in transit includes sending a text message to another user, or web browsing over a wireless connection.)
The AS Act also determines what HIPAA compliant text messages are. While there’s quite a bit to this title, the main thing to know is that it highlights protected health information (PHI).
PHI refers to all individually identifiable health information. That can be biometric identifiers such as fingerprints, or even your birthday. If you want more information on PHI and healthcare communications, this article from the US Department of Health and Human Services is a reliable resource.
Are There HIPAA Guidelines for Texting?
Most misunderstandings surrounding HIPAA compliant texting come from the complicated legalese in the Privacy and Security rules.
There is no explicit mention of texting, but those rules do set out specific conditions that apply to electronic communications in the healthcare industry.
This is where information that contains personal identifiers (PHI) comes into play.
HIPAA does not forbid sending PHI by text outright, but for such messages to be compliant, safeguards must protect the data both in transit and at rest. Encrypted messaging is necessary for HIPAA compliant messages.
In transit, text messages pass through the various carriers and gateway providers. At rest, the data is stored on each handset that received the message, not just on our servers.
This is problematic because mobile devices can be lost or stolen, exposing PHI to unauthorized access and individuals to identity theft. Therefore, plain SMS is not strictly HIPAA compliant.
But, and this is a big but, there are certain kinds of texts that you can send that are HIPAA compliant.
What Is HIPAA Compliant Texting?
The best way to ensure that your text messages are HIPAA compliant is to not include any personal identifiers in your texts. Here are a couple of examples where texting is HIPAA compliant:
1. Appointment Reminders
By asking patients to confirm appointments via text, you can cut back on the large percentage of people who forget to cancel or reschedule. No-shows are a big headache for medical professionals.
As you can see in the example above, the reminder does not mention the provider’s specialty or the patient’s name. Nor does it mention the reason for the appointment, the treatment the patient is coming in for, or the medication they are taking.
2. Interoffice Communications
Communication in healthcare organizations is not just between healthcare professionals and patients.
You can save administrative time by using text messages to notify your staff of schedule changes or other organizational updates.
3. Send Prescription Reminders
According to the Food and Drug Administration, 50% of prescribed medication isn’t taken as directed by doctors and pharmacists. Care teams can improve patient care by reminding patients when it’s time to take their prescriptions, in a way that doesn’t include any PHI. You can also see SMS delivery reports, the closest thing to read receipts.
These are only a handful of examples of transactional messages where no personal identifiers are mentioned.
You can also alert patients to new test results (but keep those results in a secure portal protected by a password), gather feedback from patients, and get shifts covered.
Other Instances Where Text Messaging Is HIPAA Compliant
None of the HIPAA compliant text messages above include PHI. There are, however, certain instances where texting PHI is allowed:
1. Texting patient information to patients is allowed by HIPAA, provided the organization has warned the patient that the risk of unauthorized disclosure exists and has obtained the patient’s consent to communicate via text. This communication must be clearly documented.
2. The US Department of Health and Human Services (HHS) announced on March 17, 2020, that it would waive potential HIPAA penalties for healthcare providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency.
This exception is not unprecedented. The HHS has waived the HIPAA rules for text messaging after natural disasters such as earthquakes or hurricanes.
HIPAA Compliant Texting FAQs
We’ve laid out the framework for HIPAA-safe text messages here, but you may still have some questions. Here are the FAQs we hear most often.
Is it against HIPAA to text patients?
Not if you follow the guidelines in this article. As long as you include the right information about unauthorized disclosure risks and encrypt your messages, you’ll be all set.
If you want to be double-sure your messages are compliant, keep identifiable, personal patient information out of your texts.
What is HIPAA compliant messaging?
HIPAA compliant messaging is any message sent to your patients that:
- You send with the patient’s consent
- Includes a notice about the risk that information might be disclosed without their authorization
- Is encrypted
How do I send a HIPAA compliant text message?
Easy! Set up a standard format for your messages within your texting platform that includes all the components we’ve mentioned here.
You can easily set up a series of texts, triggered by a Keyword or by autoresponders, that sends out your notice of the risk of unauthorized disclosure and your compliance message before you send texts with (or without) actual patient information in them.
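The rule spelled out in this FAQ and under “Other Instances Where Text Messaging Is HIPAA Compliant” (PHI-free transactional texts may always go out; texts carrying PHI need a documented risk notice and consent on file) can be enforced before a message leaves the platform. The following outbound gate is an added example written for this article, not TextP2P’s code; the field allowlists, the ConsentRecord and OutboundGate names, and the print stand-in for the carrier API are assumptions.

```python
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed allowlists (assumptions, not a HIPAA identifier catalogue): fields a
# reminder may carry without naming the patient, specialty, visit reason or
# medication, and fields that do identify the patient or their care.
SAFE_FIELDS = {"appt_date", "appt_time", "clinic_phone"}
PHI_FIELDS = {"patient_name", "provider_specialty", "visit_reason", "medication"}


def classify(template: str) -> str:
    """'safe' if the template uses only SAFE_FIELDS, 'phi' if it uses any PHI
    field; unknown fields are refused so nothing unreviewed slips out."""
    used = {name for _, name, _, _ in string.Formatter().parse(template) if name}
    unknown = used - SAFE_FIELDS - PHI_FIELDS
    if unknown:
        raise ValueError(f"unreviewed fields: {sorted(unknown)}")
    return "phi" if used & PHI_FIELDS else "safe"


@dataclass
class ConsentRecord:
    risk_notice_sent: datetime            # disclosure-risk notice went to the patient
    consent_received: Optional[datetime]  # patient agreed to receive PHI by text


@dataclass
class OutboundGate:
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def may_send_phi(self, phone: str) -> bool:
        """Consent counts only if it was given after the risk notice."""
        rec = self.consents.get(phone)
        return bool(rec and rec.consent_received
                    and rec.consent_received >= rec.risk_notice_sent)

    def send(self, phone: str, template: str, values: dict) -> bool:
        """Decide and document whether a text goes out; True if it was sent."""
        kind = classify(template)
        allowed = kind == "safe" or self.may_send_phi(phone)
        # The audit entry documents the decision without storing the PHI itself.
        self.audit_log.append({"to": phone, "kind": kind, "sent": allowed,
                               "at": datetime.now(timezone.utc).isoformat()})
        if allowed:
            print(f"-> {phone}: {template.format(**values)}")  # stand-in for the carrier API
        return allowed
```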
Is Medical Texting Right for You?
Texting is a quick, practical way to get in touch with patients or staff when you need to send a doctor appointment reminder, a general alert, or any important message.
It’s less involved than phone calls and more formal than the likes of Facebook Messenger. The catch is that you need to be careful about sending texts that include PHI.
We understand that this might still all seem a bit overwhelming. Even the most experienced healthcare practices can get tripped up by the complexities of HIPAA requirements and secure text messaging. That’s why it’s essential to partner with an experienced text messaging platform or HIPAA compliant texting app.
Helpful Features for HIPAA Compliant SMS
Using a texting platform to send HIPAA compliant messages comes with a lot of benefits, including specialized tools you can use to make texting patients the easiest part of your day.
These are our top three tools for healthcare providers.
Autoresponders
Autoresponders are messages that you set to send at a specific time after new contacts sign up to receive your texts.
That means you can set up messages that contain all the necessary details for HIPAA compliance immediately after new contacts join your texting lists.
Using autoresponders will help you reduce the risk of forgetting to send out those details, and it’ll also lighten your workload.
Scheduled Messages
These are perfect for sending out appointment reminders and prescription notification texts to your patients.
Just schedule each patient’s reminders using the clock icon within your TextP2P Inbox and move on to the next task. Your patients will get their text when it’s time to get ready for their appointment or take their medication.
Lists
For less privileged communications, like communicating sudden office closures or letting patients know that a different doctor will be replacing their usual provider that day, lists can come in handy.
Lists are just groups of contacts that have something in common. You could have a group of contacts that go to the same practice location or who receive the same type of care.
Using segments helps you get messages to contacts who will want to see them, and avoid sending out overly generalized texts.
The Final Word on HIPAA Texting
We have years of experience helping healthcare organizations send text messages and are happy to answer any further questions you may have.