Navigating HIPAA-compliant text messaging for better patient communication

Staying Health Insurance Portability and Accountability Act (HIPAA)-compliant is becoming ever more challenging, including when it comes to HIPAA-compliant text messaging. Statistics indicate:

The potential for breaches, gaps, or incorrect deliveries in these technological communication methods likely proverbially keeps some staff members at the U.S. Department of Health and Human Services (HHS) up at night.

Interestingly, HIPAA doesn’t spell out guidance about texting with patients. Instead, the act's electronic communication security standards refer to all electronic communications.

Therefore, while this piece will focus on text messaging, these rules and suggestions apply to all electronic communications with patients and colleagues.

Most adults prefer to receive texts over phone calls, so the challenge is determining if that is allowable. And if texting patients is HIPAA-compliant, how can practices implement it?

Unfortunately, there isn't a straightforward answer to whether texting patients complies with HIPAA. However, the right path involves:

Follow the Department of Health and Human Service's (HHS) guidelines for HIPAA-compliant texting. When obtaining a patient's written consent, it's imperative to incorporate the option to confer with colleagues regarding the patient's case via text message.

Nobody wants to feel like they're just a number on a chart or a dollar sign filling an appointment slot. While somewhat generic, text messages give patients the feeling of personal attention because texting is perceived as a one-on-one endeavor.

Patients also appreciate receiving appointment reminders via text because they have an easy-to-retrieve message they can readily add to their electronic calendar.

Appointment reminders aren't the only use for text messaging. Other processes that include text messaging can create multiple efficiencies. Examples include:

Effective communication is a 2-way dialogue. In fact, practices can set up 2-way texting with the right tools (more on this later). This will allow providers to have a brief dialogue with patients. However, providers still need to be wary of disclosing PHI.

Tip: If 2-way texting feels like a bad fit for a given practice, engage patients with patient portal messaging instead.

Patient satisfaction surveys are not limited to covering the care patients received during an appointment. Surveys are also a way to collect feedback about practice communication methods, including text messaging.

This feedback is just as valuable as information about staff interactions or the patient experience. Asking brief questions about how patients experience the texting process will indicate the method's effectiveness.

It’s important to keep patients' personal information confidential and maintain their trust. In that vein, HIPAA-compliant texting is possible, but some safeguards are necessary.

Things to consider when implementing a HIPAA-compliant texting process for a medical practice include determining if the practice will use only outbound or 2-way text messaging and implementing:

Ultimately, ensure that any texting or messaging between provider, practice, colleagues, and patients is secure and not stored on a platform accessible by others. For example, cell phone carriers store data sent to and from a phone, tablet, or any other device attached to a given plan. Therefore, it is imperative to encrypt communications.

Additionally, if a patient connects to a public WiFi network (like those available to patients in many waiting rooms or coffee shops), their connection is insecure and vulnerable to attack. Therefore, it's critical to choose a platform that uses HIPAA-compliant short message service (SMS) texting processes.

The fines for non-compliance can be significant and are detailed below.

HIPAA's communication standards apply to all electronic patient communications, including:

This means practices must invest in a sound electronic firewall for their data servers to provide adequate security and privacy of patient data stored on their platforms.

Conduct thorough due diligence for any platform. It is the practice, not the platform, that will bear final responsibility for data security.

A HIPAA-compliant platform will:

Seek a user-friendly system with proven technical support that works on mobile devices and computers, such as Tebra. 

As a heavily regulated industry, it shouldn't be surprising that HIPAA compliance as part of practice electronic communications is serious business. It is vital that independent practices develop policies and procedures around text messaging, as well as around staying up-to-date and in compliance. It is also vital to develop risk management practices and associated audit processes.

As a medical practice prepares to implement a secure platform for HIPAA-compliant text messaging, the practice must execute associated internal policies and procedures on how and when texting can be used. These policies also need to outline the foundation of the practice's risk management process surrounding HIPAA-compliant electronic patient communications.

Policies and procedures should be explicit about the requirement that those messages should only include non-PHI content.

Practice policy should also discuss how to correctly dispose of electronic equipment used for patient information or communication. Wipe all information from any device before exchanging it for new equipment.

Part of staff training on sending text messages should specify what devices and platforms can be used to send text messages and who is authorized to send them. For HIPAA compliance purposes, have employees sign paperwork stating they have read and understand the policy and how to use the system.

As part of the practice’s annual internal risk management process, test and audit this process to confirm the practice is in compliance. No practice wants to be found lacking if HHS's Office for Civil Rights drops in to perform a surprise audit.

There are fines for HIPAA non-compliance. And those fines can be steep and include the potential for legal ramifications.

The AMA provides the following information regarding the level of culpability, minimum and maximum fines for each violation, and the maximum annual penalty limit.

Fines are not where the danger ends, though. On behalf of impacted patients, individual states' attorney general can also file civil charges against violators. If the offense is egregious, violators may face criminal charges.

Licensed physicians are no strangers to maintaining exemplary ethics, including patient confidentiality. 

It is important not only to keep patients’ information secure to ensure their privacy, but also to treat all patients equitably.

While texting is a potential communication method, remember that not all patients have access to or are comfortable with this technology. Therefore, it’s critical to have multiple communication options and to tailor to each patient’s comfort and access.

It may seem that there are too many stringent parameters around texting. With that in mind, here are some examples of text messages that fit HIPAA’s standards.

These examples demonstrate how to use text messages to communicate essential information with patients.

Below are a few example templates to use while implementing text messaging into practice’s patient communications.

Apply these templates to nearly any patient text communication scenario with minor generic revisions.

Although there are some privacy parameters to consider when implementing text messaging as part of a medical practice’s patient communication strategy, providers can still use this preferred medium.

Obtain the patient’s permission and explain the risks of data breaches or lost devices. Keep patients’ personal identifying and private health data out of the text message. Learn more about our texting platform for healthcare professionals and take the next step toward implementing this state-of-the-art solution.