At a Glance
- Patients generally prefer texts over calls, but HIPAA compliance requires secure, encrypted messaging and written patient consent, especially for texts containing personal health information (PHI).
- Text messaging in healthcare can be HIPAA-compliant with careful implementation, including obtaining patient consent, using secure platforms, and avoiding PHI in messages.
- Texting is an efficient way to engage patients through appointment reminders, aftercare instructions, and satisfaction surveys, enhancing patient experience while respecting privacy and confidentiality.
Staying Health Insurance Portability and Accountability Act (HIPAA)-compliant is becoming ever more challenging, including when it comes to HIPAA-compliant text messaging. Statistics indicate:
- 98% of all American adults own a mobile phone
- 98% of all text messages are opened
- 20% of all sent emails are never opened
- On average, 1-5% of text messages sent are never received by the intended recipient, resulting in a 95%-99% successful delivery rate
- 93% of survey participants trust the information in text messages more than emails
The potential for breaches, gaps, or misdirected deliveries in these communication methods likely keeps some staff members at the U.S. Department of Health and Human Services (HHS) up at night, proverbially speaking.
Interestingly, HIPAA doesn’t spell out guidance about texting with patients. Instead, the act's electronic communication security standards refer to all electronic communications.
Therefore, while this piece will focus on text messaging, these rules and suggestions apply to all electronic communications with patients and colleagues.
Patient-centered communication through secure texting
Most adults prefer to receive texts over phone calls, so the challenge is determining if that is allowable. And if texting patients is HIPAA-compliant, how can practices implement it?
Is texting a patient HIPAA compliant?
Unfortunately, there isn't a straightforward answer to whether texting patients complies with HIPAA. However, the right path involves:
- The patient's written consent on file stating that they prefer to receive text messages that don't contain any personal health information (PHI)
- The means to send secure (ideally encrypted) messages
- A notification included with the message about the risk of an unauthorized party accessing the patient's PHI
Follow the Department of Health and Human Services' (HHS) guidelines for HIPAA-compliant texting. When obtaining a patient's written consent, it's imperative to include the option for the provider to confer with colleagues regarding the patient's case via text message.
The role of texting in patient satisfaction
Nobody wants to feel like they're just a number on a chart or a dollar sign filling an appointment slot. While somewhat generic, text messages give patients the feeling of personal attention because texting is perceived as a one-on-one endeavor.
Patients also appreciate receiving appointment reminders via text because they have an easy-to-retrieve message they can readily add to their electronic calendar.
Successful patient engagement strategies via texting
Appointment reminders aren't the only use for text messaging. Other processes that include text messaging can create multiple efficiencies. Examples include:
- Aftercare compliance reminders to patients and their approved caregivers
- Reminders to schedule routine procedures, such as vaccine updates
- Recall reminders that annual or follow-up visit appointments need to be scheduled
- Reminders of scheduled appointments
- Brief patient satisfaction surveys
Effective communication is a 2-way dialogue. In fact, practices can set up 2-way texting with the right tools (more on this later). This will allow providers to have a brief dialogue with patients. However, providers still need to be wary of disclosing PHI.
Tip: If 2-way texting feels like a bad fit for a given practice, engage patients with patient portal messaging instead.
Feedback loops: Incorporate patient input to improve texting
Patient satisfaction surveys are not limited to covering the care patients received during an appointment. Surveys are also a way to collect feedback about practice communication methods, including text messaging.
This feedback is just as valuable as information about staff interactions or the patient experience. Asking brief questions about how patients experience the texting process will indicate the method's effectiveness.
The pillars of HIPAA-compliant texting in healthcare
It’s important to keep patients' personal information confidential and maintain their trust. In that vein, HIPAA-compliant texting is possible, but some safeguards are necessary.
HIPAA basics for compliant text communications
Things to consider when implementing a HIPAA-compliant texting process for a medical practice include determining if the practice will use only outbound or 2-way text messaging and implementing:
- Secure communication protocols
- Risk assessment and review processes and schedules
- Policies and procedures to guide staff members about what is and isn't allowed
Ultimately, ensure that any texting or messaging between provider, practice, colleagues, and patients is secure and not stored on a platform accessible by others. For example, cell phone carriers store data sent to and from a phone, tablet, or any other device attached to a given plan. Therefore, it is imperative to encrypt communications.
Additionally, if a patient connects to a public WiFi network (like those available to patients in many waiting rooms or coffee shops), their connection is insecure and vulnerable to attack. Therefore, it's critical to choose a platform that uses HIPAA-compliant short message service (SMS) texting processes.
The fines for non-compliance can be significant and are detailed below.
Select the right HIPAA-compliant messaging platform
HIPAA's communication standards apply to all electronic patient communications, including:
- Text messaging
- Patient portal processes
- Telehealth visits
- Email messages
This means practices must invest in a sound electronic firewall for their data servers to provide adequate security and privacy of patient data stored on their platforms.
Conduct thorough due diligence for any platform. It is the practice, not the platform, that will bear final responsibility for data security.
A HIPAA-compliant platform will:
- Ensure data security via encryption so that messages are unreadable if unauthorized parties intercept them
- Consistently and routinely monitor and stress test its security measures, immediately address breaches, and communicate them to all impacted parties
- Offer varying levels of platform access
- Authenticate all users who request platform access
- Track use to provide audit histories
- Offer access on multiple devices
Seek a user-friendly system with proven technical support that works on mobile devices and computers, such as Tebra.
Critical considerations of text messaging for healthcare practices
Healthcare is a heavily regulated industry, so it shouldn't be surprising that HIPAA compliance as part of practice electronic communications is serious business. It is vital that independent practices develop policies and procedures around text messaging, as well as around staying up-to-date and in compliance. It is also vital to develop risk management practices and associated audit processes.
Essential policies to implement to ensure compliant text messaging
As a medical practice prepares to implement a secure platform for HIPAA-compliant text messaging, the practice must execute associated internal policies and procedures on how and when texting can be used. These policies also need to outline the foundation of the practice's risk management process surrounding HIPAA-compliant electronic patient communications.
Policies and procedures should be explicit about the requirement that text messages only include non-PHI content.
Examples of PHI include:
- Name
- Address
- Other personal contact information, including phone and fax numbers and email address
- Social security number
- Insurance information
- Medical record numbers
- Payment information or links to payment mechanisms
- IP addresses
- Biometric identifiers
Practice policy should also discuss how to correctly dispose of electronic equipment used for patient information or communication. Wipe all information from any device before exchanging it for new equipment.
Part of staff training on sending text messages should specify what devices and platforms can be used to send text messages and who is authorized to send them. For HIPAA compliance purposes, have employees sign paperwork stating they have read and understand the policy and how to use the system.
As part of the practice’s annual internal risk management process, test and audit this process to confirm the practice is in compliance. No practice wants to be found lacking if HHS's Office for Civil Rights drops in to perform a surprise audit.
What happens if a practice doesn’t meet HIPAA compliance?
There are fines for HIPAA non-compliance. And those fines can be steep and include the potential for legal ramifications.
The AMA provides the following information regarding the level of culpability, minimum and maximum fines for each violation, and the maximum annual penalty limit.
| Penalty tier | Level of culpability | Minimum penalty (per violation) | Maximum penalty (per violation) | Maximum annual penalty for repeat violations |
| --- | --- | --- | --- | --- |
| 1 | Lack of knowledge | $100 | $50,000 | $25,000 |
| 2 | Reasonable cause | $1,000 | $50,000 | $100,000 |
| 3 | Willful neglect | $10,000 | $50,000 | $250,000 |
| 4 | Willful neglect not corrected within 30 days | $50,000 | $50,000 | $1,500,000 |
Fines are not where the danger ends, though. On behalf of impacted patients, individual states' attorneys general can also file civil charges against violators. If the offense is egregious, violators may face criminal charges.
Ethical texting practices that respect patient privacy
Licensed physicians are no strangers to maintaining exemplary ethics, including patient confidentiality.
It is important not only to keep patients’ information secure to ensure their privacy, but also to treat all patients equitably.
While texting is a potential communication method, remember that not all patients have access to or are comfortable with this technology. Therefore, it’s critical to have multiple communication options and to tailor to each patient’s comfort and access.
Examples of HIPAA-compliant vs. noncompliant text messages
It may seem that there are too many stringent parameters around texting. With that in mind, here are some examples of text messages that fit HIPAA’s standards.
| HIPAA-compliant text | Noncompliant text |
| --- | --- |
| “Hi, you have an appointment today at 4 pm with Dr. K. Reply Y to confirm.” | “Hi James, you have an appointment scheduled with Dr. Kensington at 4 pm today. Reply Y to confirm.” |
| “Hi, we are trying to get in touch with you. We have called the contact number we have on file, but can’t reach you. Please call the clinic at your earliest convenience.” | “Hi Kristen, this call is about your glucose test results. We have called (012) 345-6789, the contact number we have on file, but can’t reach you. Please call the clinic at your earliest convenience.” |
| “Hi, this is a reminder that your prescription starting with LA is due for a refill. Please get in touch with the office or your pharmacy to get it filled.” | “Hey Charmaine, this is a reminder that your Insulin prescription is due for a refill. Please get in touch with the office or your pharmacy to get it filled.” |
These examples demonstrate how to use text messages to communicate essential information to patients without disclosing PHI.
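The difference between the two columns above comes down to a handful of identifiers: a patient's first name in the greeting, a provider's full name, a phone number, and a specific test or medication. A practice that sends texts from a platform can enforce that rule before a message leaves the building. The following pre-send screen is an added example written for this article; it is not Tebra's code or any platform's API. It checks an outbound message for the direct identifiers on the PHI list above (phone, SSN, email, IP address) plus the patterns from the table, and it assumes the practice maintains two small lists of its own: its published office numbers (so the recall template's "(123) 456-7890" is allowed through) and clinical terms it never wants in a text (the sample list here is constructed from the table).

```python
import re

# Direct identifiers from the page's PHI list.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Patterns taken from the compliant/noncompliant table: "Hi James," versus "Hi,"
# and "Dr. Kensington" versus "Dr. K".
NAMED_GREETING_RE = re.compile(r"^\s*(?:Hi|Hello|Hey)\s+[A-Z][a-z]+\b")
PROVIDER_FULL_NAME_RE = re.compile(r"\bDr\.?\s+[A-Z][a-z]{2,}")

# Constructed sample list; a real practice maintains its own (assumption).
SAMPLE_CLINICAL_TERMS = ("glucose", "insulin")


def _digits(text: str) -> str:
    """Keep only digits so '(123) 456-7890' and '123.456.7890' compare equal."""
    return re.sub(r"\D", "", text)


def screen_message(message: str, practice_numbers=(), sensitive_terms=()):
    """Return a list of findings for an outbound text; an empty list means
    none of the PHI indicators checked here were found.

    practice_numbers: the practice's own published phone numbers, which are
    not patient PHI and are allowed to appear in a message.
    sensitive_terms: clinical words (tests, medications) the practice never
    wants to send over SMS.
    """
    findings = []

    allowed = {_digits(n) for n in practice_numbers}
    for m in PHONE_RE.finditer(message):
        if _digits(m.group()) not in allowed:
            findings.append(f"phone number: {m.group()}")

    for label, pattern in (("SSN", SSN_RE), ("email address", EMAIL_RE),
                           ("IP address", IPV4_RE)):
        for m in pattern.finditer(message):
            findings.append(f"{label}: {m.group()}")

    if NAMED_GREETING_RE.search(message):
        findings.append("greeting addresses the patient by name")

    provider = PROVIDER_FULL_NAME_RE.search(message)
    if provider:
        findings.append(f"provider full name: {provider.group()}")

    lowered = message.lower()
    for term in sensitive_terms:
        if re.search(rf"\b{re.escape(term.lower())}\b", lowered):
            findings.append(f"clinical term: {term}")

    return findings


def is_sendable(message: str, practice_numbers=(), sensitive_terms=()) -> bool:
    """True only when the screen produced no findings."""
    return not screen_message(message, practice_numbers, sensitive_terms)


if __name__ == "__main__":
    # Messages copied from the table above; the office number is a constructed sample.
    office = ("(123) 456-7890",)
    samples = [
        "Hi, you have an appointment today at 4 pm with Dr. K. Reply Y to confirm.",
        "Hi James, you have an appointment scheduled with Dr. Kensington at 4 pm today. Reply Y to confirm.",
        "Hi Kristen, this call is about your glucose test results. We have called (012) 345-6789, "
        "the contact number we have on file, but can't reach you.",
        "Hi. According to our records, it is time to schedule your annual wellness visit. "
        "Please get in touch with the office at (123) 456-7890 to schedule.",
    ]
    for text in samples:
        result = screen_message(text, office, SAMPLE_CLINICAL_TERMS)
        print("OK  " if not result else "HOLD", text[:60], result)
```

The screen is deliberately conservative: it holds a message rather than rewriting it, because the fix for a flagged text is to fall back to a generic template or the patient portal, not to trim words automatically. It also only covers the identifiers the page lists; it does not replace encryption, consent, or the platform due diligence described earlier.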
Templates for HIPAA-compliant texting
Below are a few example templates to use while implementing text messaging into a practice’s patient communications.
- Announcement: “Hi. Due to the significantly increased numbers of COVID-19 cases, we must require all office visitors to wear protective face masks.”
- Appointment: “Hi. Our records show you have an appointment with Dr. K tomorrow at 4 pm. Please check in 15 minutes before your scheduled appointment time. Reply Y to confirm or N to cancel.”
- Follow-up: “Hi. We wanted to check in with you. Are you experiencing any ill effects or need to be seen after your recent visit? If not, we wish you continued health. If so, please reply Y.”
- Insurance information request: “Hi. We are missing some of your insurance details. Please sign into your patient portal to update your information.”
- Patient recall: “Hi. According to our records, it is time to schedule your annual wellness visit. Please get in touch with the office at (123) 456-7890 to schedule.”
- Patient satisfaction survey participation request: “Hi. We hope your recent visit went well. We’d appreciate it if you would take 2 minutes to complete this survey to provide feedback. Thank you. <link>”
- Test results: “Hi. Your test results are ready in your patient portal. Please log in to review them.”
Apply these templates to nearly any patient text communication scenario with minor revisions that keep the wording generic.
Text messaging can be HIPAA compliant
Although there are some privacy parameters to consider when implementing text messaging as part of a medical practice’s patient communication strategy, providers can still use this preferred medium.
Obtain the patient’s permission and explain the risks of data breaches or lost devices. Keep patients’ personal identifying and private health data out of the text message. Learn more about our texting platform for healthcare professionals and take the next step toward implementing this state-of-the-art solution.