Got questions about SMS, HIPAA compliance and medical texting to patients?

I’m not surprised. I probably don’t need to tell you that a growing number of your patients and clients don’t have landlines, use cell phones extensively, and communicate largely by text message.

After all, texting is fast, efficient, non-intrusive, and as far as communication technologies go, completely unintimidating (an 85-year-old grandmother and 6-year-old are equally at ease using the technology).

For patients who are financially challenged and struggling, texting may be their only communication option. That’s because it’s also cheap.

Sure, you can still call folks (the ones who still have landlines or have voice minutes on their phones). But good luck with that. Chances are your message will go straight to voicemail (which may or may not be checked).

Why are so many voice calls to cell phones ignored?

Maybe your client has limited voice minutes and doesn’t want to use them up. Or maybe it’s because your call identifies you as being someone outside of the client’s social circle. What’s that mean? Well, as an example, if someone calls my cell and I don’t recognize the number, I don’t answer it. Why? Because anyone who knows me sends me a text message. Ergo, this call comes from someone outside of my social circle, and is probably not important.

You can send your patients/clients emails, but more often than not these are missed or ignored.

Bottom line?

To reach people where they’re engaged, and to ensure your messages aren’t missed, you need to send a text message.

Disclaimer: I’m not an attorney, and I don’t play one on T.V. Please consider this article as one part of your due diligence and consult with your own attorney before implementing any text messaging solution for your medical clinic or health-related practice.

Text Messaging and HIPAA Compliance

Unfortunately, texting healthcare clients and patients isn’t as simple as picking up your phone, tapping in a few words and hitting “send”.

That’s because you have to concern yourself with client privacy. If you operate in the U.S., that means the Health Insurance Portability and Accountability Act (also known as HIPAA), which addresses the transfer of Protected Health Information (PHI).

“Protected health information (PHI) under the US law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), and can be linked to a specific individual.” Source: Wikipedia.org

You may have even heard that text messages, which are sent over public (not encrypted) networks, are not HIPAA-compliant.

That’s because for most people, “HIPAA-compliant” means “secure and encrypted.” And certainly, text messages are not secure—they’re sent over publicly-accessible networks.

But that doesn’t mean you can’t use text messaging and be HIPAA-compliant.

That makes pretty good sense when you think about it! After all, you are probably already using non-secure channels to reach your patients (like email, most apps, and unsecured phone lines)…

You just have policies in place for their use.

“To say that texting is in violation of HIPAA is not strictly true. Depending on the content of the text message, who the text message is being sent to, or mechanisms put in place to ensure the integrity of Protected Health Information (PHI), texting can be in compliance with HIPAA in certain circumstances.” HipaaJournal.com

In fact, texting patients can be perfectly acceptable in certain circumstances…

  1. Your message doesn’t fully identify the recipient or contain any Protected Health Information (for example, texting can be used for appointment reminders, health tips, surveys, etc.—since all can be implemented without either of these being present).
  2. The patient provides you with consent to send Protected Health Information via text message, and you have documented this for your records.
  3. The patient initiates the conversation (current HIPAA guidance notes that this may provide consent to communicate in this manner).

According to EmrAndHipaa.com, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights, put it this way…

“Health care providers may share Protected Health Information (PHI) with patients through standard text messages. Providers must first warn their patients that texting is not secure, gain the patients’ authorization, and document the patients’ consent.”

Obtain Your Patient’s Consent to Send Medical Texts

Before you bang out your first text message, have a conversation with your clients, acknowledge the security risks associated with text messaging, and obtain their written consent to send them.

This is a smart idea, regardless of what sort of messaging you intend to send (HIPAA considers appointment reminders part of care, and they can be sent without authorization).


  • It ensures you’re fully covered in case Protected Health Information is shared over the course of a discussion, or included in a message.
  • It gives the patient the option to choose an alternative means to communicate if texting is not preferred (email, phone, etc).
  • It prevents messages from showing up unannounced, which may anger or surprise some patients.
  • It maintains your credibility; in cases where patients are unaware that text message reminders can be used in compliance with HIPAA, it prevents them from becoming angry and worried that other messages may contain more sensitive information.
  • It gives you an opportunity to inform them that they should not include any sensitive data in their responses.

They will appreciate the courtesy, and you will build goodwill with your audience.

Doctors Texting Patients

Under HIPAA, doctors may text patients, provided they have had a discussion about the security risks and obtained written permission from their client.

The AMA has a comprehensive article on how to work with patients who want to text you. Read it here.

Note: For doctors interested in texting their patients while keeping access to their personal mobile devices private, our CONNECTsms service is the perfect solution. See more details further down this page.

HIPAA and Texting Patients Appointment Reminders

Sending your appointment reminders via text is perfectly legal. According to HIPAA, appointment reminders are considered part of care and can be sent without authorization.

Despite this, we highly recommend you get permission from all your patients, even if all you intend to do is send appointment reminders and messages that do not contain Protected Health Information (PHI).

And care should be taken to make the reminders as general as possible, especially when it relates to sensitive health information.

General guidelines for texting appointment reminders…
  • Do not use the patient’s name. “Reminder: You have an appointment at the Green Hills Medical Clinic at 10 am on 28/10/2018. If you cannot attend please call us”, will work for most people.
  • If you have to use a name, just use the first name. This won’t seem odd to your patient or client—texting is a personal, informal medium.
  • Do not include any sensitive health information in the message.
  • Do not include information about diagnoses or treatment plans.
  • Do not include information that may reveal the nature of the appointment (e.g., if you work at an AIDS & HIV Clinic or Planned Parenthood, don’t use the clinic’s name in the reminder. Use the appropriate doctor’s or professional’s name instead).

Bottom line?

The more general the message the better. 99.9% of the time this will not affect the effectiveness of the reminder since the recipient understands the context of the message.

Give the patient whatever information is necessary to “jog” her memory, but no more.

HIPAA-Compliant Texting to Patients (Examples)

If you have obtained your clients’ permission to send messages that may contain Protected Health Information via text and explained the security implications of doing so, then technically, you can share any information in a text message.

However, if you have not done so, or want to be super cautious with any messages you send, the general guidelines for compliant texting are the same as those I listed above for appointment reminders. To reiterate…

  • Avoid sending any sensitive client information in the message.
  • Do not discuss treatment protocols or diagnoses.
  • If unlikely to cause confusion, do not identify the client in the message, or if you must, use the first name only (you can use a full name if you must).
  • If the clinic name “telegraphs” the nature of the appointment (AIDS clinic, Family Planning Clinic, etc.) do not use it in the reminder message. Use the attending doctor’s name instead.

The following are examples of compliant messages you can send to your client…

  • Reminder: You have an appointment at the Green Hills Medical Centre on 10-10-2022 at 10:30 am.
  • Reminder: Mike has an appointment at the Green Hills Medical Centre on 10-10-2022 at 10:30 am.
  • Reminder: Sheena has an appointment with Dr Brian Green on 10-10-2022 at 10:30 am.
  • It’s Tammy from the Green Hills Medical Clinic. You visited our clinic recently. How’d we do? This short survey will help us improve our service.
  • Mike, it’s Tammy from the Green Hills Medical Clinic. Just a reminder you have an appointment with Dr. Sandra Sanderhurst at 3 pm, October 12.
  • The Green Hills Medical Clinic website has helpful articles on blood sugar control, smoking cessation, weight loss, and much more. Click here to visit!

The Problem with HIPAA-Compliant Text Messaging Products

Because of the confusion that exists with regard to HIPAA compliance and SMS/text messaging, it is often thought that a HIPAA-compliant text message product is the solution to effective communication.

And in some cases, it is. For example, in a closed environment like a hospital, a specialized service can be set up so doctors and other medical professionals can share PHI over a secure, encrypted network.

This makes good sense. However, in the real world, HIPAA-compliant text messaging services—which are usually secure apps—aren’t practical.


In order to communicate, both you and your clients need to have the app installed. As a result, using an app…

  • Offsets a portion of the cost of your communications onto your patient (who has to surrender some privacy, use up some of her mobile data as well as diminish her battery life and phone performance).
  • Requires you to educate your clients: that they need an app, where to find it, and how to install and use it. Then you have to hope that they do so.
  • Makes it impossible for you to reach those who are struggling financially and do not own smartphones or do not maintain voice minutes or Internet data on their phones.
  • Creates a barrier between you, your patients, and efficient, seamless communication.

Text Messaging’s Biggest Assets

Texting is so popular because it is…

  1. Easy to use.
  2. Completely unintimidating.
  3. Used by virtually everyone.

The third asset—used by virtually everyone—is a direct result of the first two.

You know this. It’s why you are considering using SMS to reach your clients after all.

Contrary to what the geeks in the IT department think, more technology is not the answer. You can use a HIPAA-compliant text messaging product, but you’ll only solve a percentage of your communication problems with it.

If you want to reach everyone, you’ll need to use text. The good news is that you can… you just have to do so properly.

HIPAA SMS Best Practices & Bottom Line

At this point, I hope it’s pretty clear what the HIPAA SMS best practices are…

  1. Always, always, always obtain your patient/client’s permission before you send a single text/SMS.
  2. Discuss the security issues associated with transmitting sensitive data via text. Essentially, the messages are sent unencrypted over publicly accessible networks, and if they were to be intercepted, any information contained therein could be used for nefarious purposes. Even if you only wish to send appointment reminders, it is important to have this discussion, so that your patient understands not to include any sensitive information in any responses s/he may send (or understands the implications of doing so, if s/he does).
  3. Document the permission for your records (i.e., have your attorney draft a document that eliminates your liability for any potential security breaches that could occur as a result of communicating over text, and have your client sign it).
  4. Unless it’s absolutely necessary, do not include any sensitive patient data in an SMS/text message, even if the client has provided you with permission to do so.
  5. Don’t use your client’s name—or at least her full name—if it’s at all possible, or it works for your demographic.
  6. Use as little information as is necessary to make your point and jog your client’s memory.

If you err on the side of caution, there’s no reason why you can’t capitalize on the popularity of text messaging and be fully HIPAA compliant while doing so.

Note: In my opinion, your best use of text is for appointment reminders and to make initial contact with those people you can’t reach any other way. Only ever share PHI face to face.

Need the Perfect Tool for Texting Patients?

CONNECTsms is Local Text Marketers’ powerful two-way SMS communication and appointment reminder service.

If you’re interested in texting patients appointment reminders, communicating with your patients via text, or if you’re a doctor who’s interested in texting patients but wants to keep your personal cell phone number private, you may be interested in what it can offer you.


  • Protects the personal privacy of doctors, staff and employees (since a personal device is never used for messaging).
  • Sends text messages, so no “app” needs to be downloaded by your patients.
  • Delivers an instant “out of office” message to contacts who text after hours so they know they haven’t been forgotten.
  • Allows administrators to review all the conversations that occur on the platform for compliance.
  • Offers the ability to archive all conversations on the platform for your records.
  • Sends email and text notifications of new messages in your and your staff’s accounts.
  • Allows for easy transfer of clients and their conversations from one staff member to another.
  • Sends automated text message appointment reminders.
  • Provides a delivery status report for every text message you send.
  • Is super easy to use, and requires just 11 minutes of instruction to use efficiently.
  • Displays and archives incoming “picture” (MMS) messages, should they be sent.
  • Is constantly being upgraded to include new time-saving features and functionality.
  • Is affordable; subscriptions start at just US$39.99/month.
  • Is mobile-responsive; access CONNECTsms on your tablet or phone.

If you’re interested in texting patients and sending appointment reminders, we welcome you to give CONNECTsms a try. We offer a non-restricted 30-day free trial so you can confirm the value for your practice or clinic before committing to a monthly subscription.
