Let’s face it: text messages have become the preferred communication method for many. So it’s not surprising that an increasing number of clinics are texting patients. But healthcare providers must follow HIPAA rules when transmitting protected health information (PHI). They can text patients, as long as they follow the HIPAA Security and Privacy Rules. Here’s how to send HIPAA-compliant text messages in three steps.
1. Use A HIPAA-Compliant Text Message Solution
The HIPAA Security Rule governs the methods used to send text messages. It dictates the level of security required for HIPAA-compliant texting technology. The rules demand safeguards such as encryption, access control, authentication, and transmission security. Thus, providers who text their patients need a HIPAA-compliant solution such as ReminderCall.
ReminderCall includes the technical safeguards put forth by the HIPAA Security Rule. HIPAA-One Certified, ReminderCall uses SSL encryption (like banks do) to send information. This eliminates the possibility of a HIPAA breach of data in transit. ReminderCall data resides in high-level security server facilities on U.S. soil. It uses the smallest amount of data needed to do the job and then deidentifies it. And, as a software solution, it reduces the possibility of stolen PHI due to a lost or stolen mobile device.
2. Get HIPAA Consent
The HIPAA Privacy Rule concerns the text message content. It limits what healthcare providers can disclose without patient authorization. For example, appointment reminders can go out to patients without prior permission. Yet, texts about PHI (diagnosis, treatment, test results, etc.) can violate privacy.*
So what happens when an appointment reminder text message starts a medical conversation? Can the physician respond? The answer is yes. HIPAAJournal.com explains it well:
“Texting patient information to patients is allowed by HIPAA provided the Covered Entity has warned the patient that the risk of unauthorized disclosure exists and has obtained the patient’s consent to communicate by text.”
In other words, the physician needs to inform the patient that text messages are not always secure. Then, get permission to continue the conversation. And the good news is that this can be a text message exchange.
To automate this task, ReminderCall has created a HIPAA consent autoresponder. The response replies to inbound patient text messages. It states that text messaging is not secure and requests their consent to continue the conversation.
So, if you’re worried about HIPAA when you are text messaging your patients, worry no more! Now you can get permission to communicate about PHI via text message in a few easy steps:
- Log in to your ReminderCall account
- Click the COG symbol in the header menu
- Select GLOBAL SETTINGS
- Select the TEXTS tab
- Activate the HIPAA Consent Autoresponder toggle
That’s it! Now, patients engaging in a 2-way conversation will get the following text message:
“Text messaging is not always secure. Reply CONSENT to permit us to text with you about your health or call our office at [phone number] to speak to us.”
3. Don’t Forget the Business Associate Agreement
It’s easy to forget that HIPAA requires healthcare providers to have a Business Associate Agreement (BAA) in place with every software company they interact with. In other words, without a BAA, healthcare providers cannot enter any PHI into any software. Doing so puts them at risk of HIPAA audit fines. Luckily, creating a BAA with ReminderCall is an automatic part of the signup process.
Speaking of audits… beware of offshore software providers! Providing top security is an expensive process, so most offshore entities can’t provide it. Their BAA is not binding, which puts all legal responsibilities on the physician. And, in almost all cases, they do not carry cyber insurance to protect PHI from cyber-attacks (in fact, many domestic software-as-a-service providers skip this important step too!).
In contrast, ReminderCall uses high-security (SOC-2, SSAE-18 certified) U.S. facilities. Plus, it maintains a hefty cyber insurance policy. It was created for physicians with all aspects of HIPAA in mind.
We hope this post helped you understand how to send HIPAA-compliant text messages! If you need a ReminderCall expert to help you go further with text messaging, do not hesitate to contact us.
*Exception: In 2020, the HHS announced that covered entities would not be penalized for violating HIPAA Rules when delivering telehealth during the COVID-19 nationwide public health emergency. The HHS defined text messaging as one way to offer telehealth to patients.