Texting and HIPAA: What You Should Know
With Americans’ reliance on smart phones, many patients now find text messaging to be the most convenient form of communication with their healthcare providers, and most providers have adopted at least some amount of text messaging as a part of their practice. If used correctly, text can be a great tool to cut down on missed appointments, increase patient access to information, and improve outcomes of care. But is text messaging HIPAA compliant? In some circumstances, it can be.
Maintaining HIPAA compliance when messaging patients is critical. Here's what you need to know about HIPAA and text messaging.
For appointment reminders:
Automated appointment reminders are probably the most common use of text messaging by medical practices, as they’ve been shown to greatly decrease no-shows. HHS considers appointment reminders as part of an individual’s treatment, which means you don’t need to need to obtain a patient’s authorization to send them. Still, many practices have patients opt-in to their preferred appointment reminder, be that text, email, or phone call. It’s also a good idea to include a way to opt out in the text message itself.
An unencrypted text message is not an appropriate way to communicate PHI, so it’s important to make sure you don’t include any extraneous information in appointment reminders. You should include the time, date, location, and provider name for the appointment, but don’t include other details. This also ensures that you’re complying with the minimum necessary standard.
For other forms of PHI:
There are other times that messaging with patients might be helpful, but under most of those circumstances, SMS texts are not an appropriate channel of communication because they don’t encompass the appropriate technical safeguards required for PHI under the HIPAA Security Rule. Text messages are not secure. They can go to the wrong number, be forwarded from one device to another, or be intercepted. However, there are plenty of HIPAA compliant messaging platforms that provide most of the convenience of a text message while keeping your patient’s data secure. These platforms can only be accessed by authorized users, are password protected, encrypted end-to-end, and don’t allow information to be copy, pasted, and stored onto a hard drive. Many of them also integrate with your EHR, making them a great solution to communicate with patients and share lab results or other important health information.
It is acceptable to send automated SMS text messages to notify patients when they have a new message from their care team or test results available on their patient portal. Sending them a link to access the secure platform can help ensure they access their health information in a timely manner.