Contents
Is texting HIPAA compliant? Consideration 1: be careful of PHI
Is texting HIPAA compliant? Consideration 2: combine SMS with your patient portal
Best practices for texting patients to avoid a HIPAA violation
How can you best take advantage of texting patients in light of HIPAA?
Summary FAQ on HIPAA Compliance for Texting
How do I set up texting for healthcare?

HIPAA.
(Also known as the Health Insurance Portability and Accountability Act of 1996. But you don’t need me to tell you that.)
HIPAA’s regulations are always on healthcare providers’ minds. With its strict (and sometimes complicated) rules, you want to make sure you’re in full compliance.
One area in which HIPAA compliance can be tricky is texting.
Let’s say you want to text patients at your healthcare-related facility—whether that’s a doctor’s office, a clinic, a hospital, or anything in between.
You recognize that texting is one of the best ways to really reach people (with a 98% read rate). But you’re just not sure how to go about texting while still maintaining compliance.
You wonder… is texting a patient a HIPAA violation?
Never fear! There are ways to get the best of both worlds—to take advantage of texting while also staying in line with HIPAA’s privacy regulations.
Let’s walk through it.
The short answer to the question of “is texting a patient a HIPAA violation” is no. It is not inherently a violation of HIPAA to text patients.
That being said…
If you haven’t received consent to send unencrypted messages, you just need to make sure that you’re not including PHI (protected health information) in your texts.
Why? Because SMS by nature is not encrypted.
Texting services that claim to be encrypted are typically using workarounds, such as a secure messaging app, rather than directly using SMS.
So you can text a patient and take advantage of that powerful medium to get whatever message you need to get in front of them. But you can’t include PHI specifically within that message.
The question then may be asked, “So is texting even worth it if I can’t include any PHI?”
The answer is that you can send messages that are still beneficial, as long as they’re carefully worded without reference to any identifiable information.
And there are also a few other ways texting can be beneficial even in light of PHI regulations (see below)...
You can ask patients for consent to receive unencrypted messages; you’ll just have to go through a 3-step process to officially obtain that consent.
Once you’ve received their consent, you can send them unencrypted SMS without an issue.
Although not all patients will be comfortable providing consent, many patients will prefer the convenience of SMS so they won’t mind waiving some of their HIPAA rights.
What if you want to use texts to communicate information that contains PHI, and you don’t have prior consent? Is there still an option for you?
The answer is yes!
Many healthcare services have a secure patient portal that they use to communicate important messages with patients.
The problem is, how do you get patients to actually check the portal?
This is where texting can help, even if you need to communicate to a patient regarding PHI. You can simply send them a text letting them know they have a new message in their portal, with a link for them to log in.
Going about texting your patients in this way gives you the best of both worlds—you can send them secure information while also taking advantage of that 98% read rate provided by texting.
Here are a few tips to help make sure you’re texting patients compliantly.
As mentioned previously, patients can give you consent to receive unencrypted messages, in which case you don’t have to worry about not including PHI in your texts.
TheHIPAATool.com describes the 3-step process that you must follow in order to properly receive consent.
You’ll need to make sure your employees have enough training so that they know what kinds of texts they can send and what information is appropriate to provide in appropriate circumstances.
They’ll need to know not to send PHI to patients who haven’t provided consent, and they’ll need to know your process for keeping track of who has or hasn’t provided consent.
As with anything else in the medical field, you’ll want to keep careful records of who has provided consent for unencrypted messages so that you can keep better track of things.
You’ll want to be very careful about all of this, so it’s best to have a limited number of employees in charge of sending these texts.
Even if you're personally following all the HIPAA regulations, you need to make sure that the texting software you use abides by HIPAA standards as well.
Specifically, make sure they store the data securely and that they're willing to sign a BAA ("Business Associate Agreement").
In light of all the details mentioned above regarding HIPAA, as long as you’re careful to follow the rules, you can still make good use of texting to engage your patients.
If you have consent to send unencrypted messages, you can send texts like the following:
“Reminder: You have an appointment today at 11:10am. Reply to this message or call 402-718-8843 if you have any questions.”
“Just a reminder that your appointment is tomorrow at 2:20pm. Please click here if you need to reschedule or cancel: http://mbltxt.com/zFf”
“Hello! This is a friendly notice that you have a past due invoice for services provided by Nebraska Pediatrics. View your invoice here: http://mbltxt.com/zFc”
“3rd notice: Your invoice for services at Lincoln Medical Center is 90 days past due. Please call 800-545-8768 to pay.”
“Don’t forget to take your prescribed medications this week! Let us know if you have any questions or concerns by replying to this text or by calling 888-429-2200.”
“Have you taken your meds today? :)”
“Hello, this is Lancaster Regional Hospital, following up on your recent stay. Please click this link to take a quick survey on your experience, and we’ll enter you into our monthly drawing for a $100 Amazon gift card: http://mbltxt.com/zFa”
“Hello! This is Dr. Allison’s office. We just wanted to check up on you. Any questions or concerns? Let us know by replying to this text!”
“Extra nurses needed for night shift tonight! Please reply YES if available.”
“Team meeting today at 2:00pm.”
Those are just a few examples of the types of texts you can send.
If you don’t have consent to send unencrypted messages, you can submit messages like that into your patient’s secure portal and you can send a notice to “click here to view your secure message.”
Here are some brief summaries to answer some of the questions addressed above.
Yes, there is a HIPAA-compliant way to go about texting. Specifically, you must make sure not to include PHI and make sure your texting provider stores patient information securely and signs a BAA.
Alternatively, you can get permission from your patients to send PHI over unencrypted text message.
As mentioned above, HIPAA compliant text messaging would not include PHI and would be sent via a provider that signs a BAA.
For example, you could send a notice that a patient has an update in their patient portal, including a link to log in. Or you could send a reminder of an upcoming appointment.
If you get permission from your patients to send PHI via text message, you have more freedom in the kinds of messages you can send.
One example of a HIPAA compliant texting app is our service Mobile Text Alerts.
With Mobile Text Alerts, data is stored securely and we can sign a BAA.
You’ll first want to try out an SMS platform to get a feel for how it works.
(Try the Mobile Text Alerts platform for free for 14 days.)
You can get a free walkthrough and consultation with an SMS expert who can help answer any other questions you may have as well.
Work with your team to have a plan in place for your SMS communication.
Make sure people know who’s in charge of what, and that you have safeguards in place to make sure no one accidentally shares PHI.
The more planning you do ahead of time, the more prepared your team will be to implement your texting efforts.
Set up segmented lists within your texting platform of people that you’ll be texting, so that you can organize your texting efforts.
For example, you could put people who have given permission to receive unencrypted messages in one group and those who haven’t given permission in another. Or you could have groups for “patient follow-ups,” “appointment reminders,” or other similar categories. You could also have a group for internal team notices.
Having these groups will help you organize your list so that you send the right messages to the right people.
(You can import your lists directly into your SMS platform via spreadsheets. You can also use Zapier.com or an API to set up integrations that will help you automatically put contacts into your text list.)
Once you have a contact list ready to go, you can start sending or scheduling messages.
You can do this within your SMS platform by simply selecting your recipients, typing out your message content, and selecting the time you’d like the message to go out.
If you want messages to correspond with certain events, such as appointments, you may be able to connect your current services to the texting service via the integration site Zapier.com, or you can use an API to program your own integrations.
After messages are sent, you can view reporting for those messages within your online dashboard.
You can also view any responses patients send in to your texts from an online inbox. The inbox also allows you to respond back to messages.
Get your own text alert system to text your patients—try it for free now (no credit card required).
--
Disclaimer: The information provided in this article is for educational purposes only and should not be considered legal advice. It is recommended to consult with legal professionals or HIPAA experts to ensure compliance with current regulations and guidelines.