Is Text Messaging HIPAA Compliant? – The Ultimate Guide


Some healthcare organizations aren’t adopting text messages because of one worry: data security. With vague or unknown HIPAA regulations about texting Protected Health Information (PHI), many offices choose to remain safe by not texting their patients. However, because texting is so easy and efficient to use, it makes sense for medical providers to use texts as a means of communication.

Texting medical information makes a lot of sense. Just about everyone has their phone with them 24 hours a day, and a quick internet search tells us that Americans, on average, check their phones up to 344 times per day. Phones are our main source of entertainment, news, and social interaction, and the way we communicate with each other. It makes sense for medical providers to connect with patients this way.

We can use texts for more than just notifying patients. With text messaging, we can let coworkers know about scheduling changes or send an alert about a new office policy. Since doctors visit many hospitals throughout the day, an SMS message will reach them wherever they are.

Taking advantage of texting makes sense for improving patient engagement and care, but only if we adhere to the rules and laws of patient privacy.


What Is HIPAA?

HIPAA, known as the Health Insurance Portability and Accountability Act of 1996, is a federal law that says sensitive health information about patients can’t be shared without their permission. The law includes security provisions for communication and data privacy to protect the rights of the patient.

The goal of the law is to make sure private information is secure and protected, even while it is being transported. Sending a text message through a wireless connection is an example of data or information in transit.

Occasionally, the laws will bend to reflect regional, national, or global events. On March 17, 2020, the US Department of Health and Human Services (HHS) said that during the nationwide COVID-19 public health emergency, healthcare professionals who contacted patients using standard communication technologies would not be subject to potential HIPAA fines.

This occurrence is not unusual. Following catastrophic disasters like hurricanes or earthquakes, HHS has waived enforcement of the HIPAA regulations for text messaging.

However, to remain safe, unless you are told otherwise, it’s best to follow the HIPAA rules when texting your patients.


How Important Is HIPAA Compliance?

HIPAA violations can lead to fines of up to $50,000 a day. Keep in mind that using typical text messaging services to transfer patient data is not HIPAA compliant and doing so could lead to legal issues for your office. Not all data, however, is regarded as patient information. You can share some information by text message; you just need to be aware of what is and is not HIPAA-protected.

12 of the most common HIPAA Privacy Rule violations:

  1. Lack of protection for the patient’s private health information.
  2. Patients lacking access to their PHI.
  3. No administrative protection of electronic health information.
  4. Disclosure of more than the bare minimum PHI.
  5. Unprotected patient data.
  6. Data breach or hacking.
  7. Lost or stolen devices.
  8. Lack of training for employees.
  9. Sharing too much PHI.
  10. Staff dishonesty.
  11. Improper record disposal.
  12. Information released without authorization.

Is Texting Health Information a HIPAA violation?

HIPAA permits offices to text health information to patients if they first notify them of the possibility of unauthorized disclosure and have their permission to do so. Text messages containing any patient identifiers are prohibited.

Unfortunately, while you can choose which phone number gets an SMS, you have no control over who reads it. Private messages sent to a patient’s phone can be viewed by anyone who can unlock the phone. Phone companies can also view or store text messages, and phones can be lost or stolen.

HIPAA doesn’t say that you can’t text PHI, but security requirements must be met for your messages to be compliant. For messages to be HIPAA compliant, encryption is usually required, but this seems to be a gray area for many, as mobile phones don’t all come with encryption capabilities. Third-party texting and alerting apps do offer encryption, however.

Even though texting isn’t mentioned in the guidelines, HIPAA lists the rules for electronic communications in the healthcare industry. PHI, or information containing personal identifiers, may be relevant in certain circumstances.

The following Patient Identifiers will subject Text Messages to HIPAA regulations:

• Names

• Addresses

• Social Security numbers

• Phone numbers

• Email addresses

• Dates in medical records

• Beneficiaries of health plans

• Fingerprints

• Driver’s license number

• Vehicle license number

• Photo

• Invoice numbers

• Anything else that can identify a patient

Is Medical Texting Right for You?

Studies show that encrypted text messaging systems used to communicate with multiple patients at once can reduce the cost of administrative work. Because it is so efficient, healthcare organizations encourage communication between staff members and patients as frequently as needed. Texting PHI may still feel a little intimidating, as the complexity of HIPAA regulations and secure text messaging can trip up even the most seasoned healthcare professionals.

New patients must go through your onboarding process before seeing a doctor. Besides gathering data on the patient’s medical history, be sure to get signed consent to receive phone texts as communication from your office while the patient is filling out these forms. You won’t be able to text them without it. 

Here’s why you’ll want to send your patients text messages:

• Most texts are read within less than 5 minutes of being sent.

• Over 90% of all text messages are read. 

• Most people 65 and older have a mobile phone or smartphone.

• Text messages receive twice as many responses as regular phone calls.

The most common texts sent by medical offices are:

• Scheduled appointment reminders

• Office news, hours, or closures

• Reminders for prescription refills

• Patient discharge information

• Visit summaries

• Birthday or other congratulations

• Alerts for upcoming appointments, follow-ups, or missed appointments

FAQs about HIPAA-compliant Texting

Q: Is texting patients a violation of HIPAA?

Not if you adhere to the HIPAA recommendations. Encrypt your messages and include information about the risks of unauthorized disclosure to stay on the safe side.

If you want your texts to be compliant, keep identifiable and sensitive patient information out of them. Here are some fundamental strategies to develop the practice of sending HIPAA-compliant messages:

• Before sending patients’ PHI through SMS, you must get their consent. If a patient has signed a waiver and understands the risks involved, you can send them a text message containing their PHI.

• Don’t text unsecured patient information to anyone, including other medical professionals. 

• Use texting apps that are HIPAA compliant. Although standard text messaging services don’t comply with HIPAA security regulations, there are specific apps that do.

Q: What is HIPAA-compliant messaging?

Typical text communications using a standard service may not be encrypted. HIPAA-compliant messaging must follow these guidelines:

• You have the patient’s permission to send texts.

• The message includes a warning that PHI may be exposed without permission.

• The text and data are encrypted.

Q: Can a hospital enact its own HIPAA Texting Regulations?

Covered Entities must base the policies and procedures they create on their risk analysis. HIPAA telephone regulations may vary from hospital to hospital, as distinct dangers could exist in each. Any such policies must still adhere to the HIPAA Privacy Rule.

Q: Does the Telephone Consumer Protection Act apply to all HIPAA communications?

The Telephone Consumer Protection Act covers only communications between patients and Covered Entities that are not exempt from other laws. The TCPA does not apply to any other HIPAA communications, including those between Covered Entities or between Covered Entities and their Business Associates.

Texting Patients: How to ensure HIPAA Compliance

Fortunately, there are numerous legal ways for healthcare companies to employ SMS. The best way to ensure that your texts comply with HIPAA regulations is to avoid including personal identifiers. Here are a few instances where texting complies with HIPAA regulations:

• Use secure text messaging apps to be sure that your office and the HIPAA-covered entities that receive your messages follow the administrative, physical, and technical guidelines of the HIPAA Security Rule. One of the main goals of the Security Rule is to protect the privacy of health information while letting healthcare providers use technology to improve the effectiveness and quality of patient care.

• The HIPAA Privacy Rule protects information about a person’s health that could reveal who they are. This information is called “protected health information” (PHI). The Security Rule protects all personally identifiable health information that a covered entity creates, gets, keeps, or sends electronically. 

• Secure text messaging apps for healthcare companies work just like other messaging apps on the market and are fast and easy to use. They also have safeguards to protect PHI and prevent unauthorized disclosure. 

What does HIPAA-Compliant Texting entail?

Text messages that are clinically important should be handled and recorded the same way that medical information is given over the phone. It is important to document messages in the medical records of patients.

The Security Rule says that to protect PHI, entities that fall under the rule must set up reasonable and acceptable administrative, technical, and physical risk management procedures. All PHI that your office makes, gets, stores, sends, or receives must be kept private, safe, and easy to access when needed.

You and your staff need to investigate what could go wrong with the information’s security or integrity and take steps to prevent loss or damage. Security against hackers, breaches, physical damage, or loss should be a top priority. Hacking attempts on medical and health records are on the rise, so we can’t be too careful.

Protect your office against reasonably expected unlawful disclosures or uses. Everyone in your office who has access to your patient’s PHI should know how to create, store, safeguard, and properly share medical files. 

Ensure your staff complies with the procedures you have in place. New staff members will have a lot of questions, and you should be clear about your expectations. Evaluate any potential danger to stored PHI for the worst-case scenario. Your staff needs to know what to do in an emergency, such as how to lock down all patient data, who to call for help, and how to restore the data after a power outage. 

Encrypting PHI Text Messages

Thanks to HIPAA-compliant text messaging guidelines, medical practitioners and other members of the healthcare industry can send and receive encrypted texts containing PHI with the same speed and convenience they enjoy today, either in the body of the message or as an attachment.

Utilizing a HIPAA-compliant texting service or software is essential. When used regularly, it helps medical staff be more productive and give better care to patients. Texting takes less time, is secure when encrypted, and allows the staff more time to focus on other tasks.

Administrative controls enable the remote deletion of messages and the PIN-locking of a mobile device in case it is lost or stolen. Security measures should be in place so that PHI can’t be accessed outside of your network or saved to a hard drive.

Is there a Ruling for HIPAA Compliant SMS?

In 2015, the FCC issued a ruling that clarified that healthcare companies could text their patients. The FCC determined that by giving a healthcare practitioner a phone number, the patient had given express consent for the provider to send the patient text messages (subject to certain HIPAA restrictions).

This means patients are not required to complete a separate form indicating their express consent to be texted.

The Ruling Highlights:

SMS text messages sent to patients should be no longer than 160 characters and should include the Covered Entity’s contact information. Patients should never get more than one text message each day.

Regardless of the communication’s nature, HIPAA Privacy Rule compliance is still necessary. The Minimum Necessary Standard still applies to the content of calls and texts, and no telemarketing, advertising, or soliciting is allowed. The following additional TCPA Rules also apply:

• No calls or text messages may be billed to the patient or deducted from plan allotments.

• Patients have the right to opt out of communications or revoke their consent, whether they gave it verbally or in writing.

• You must include a toll-free number for the patient to call back in any messages left as a voicemail.
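As an added illustration (not code from this article or from any texting vendor), here is a pre-send policy gate in Python that applies the rules collected above: signed consent and opt-out status, the one-text-per-day limit, the 160-character limit, the Covered Entity’s contact information, and a scan for the patient identifiers listed earlier (Social Security number, phone number and email patterns, plus the recipient’s own name, date of birth and SSN). The Patient record, the check_outbound_sms function and all sample values are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Generic identifier patterns (constructed for this example, deliberately not exhaustive).
IDENTIFIER_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone number": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
MAX_SMS_LEN = 160  # single-segment limit cited in the FCC ruling highlights


@dataclass
class Patient:
    """Hypothetical onboarding record; field names are assumptions."""
    name: str
    phone: str
    dob: str           # stored as text, e.g. "1980-04-12"
    ssn: str
    texting_consent: bool             # signed consent collected at onboarding
    opted_out: bool = False           # revoked consent, verbally or in writing
    last_text_date: Optional[date] = None


def check_outbound_sms(patient: Patient, body: str, office_contact: str, today: date) -> List[str]:
    """Return the list of policy problems; an empty list means the text may be sent."""
    problems = []
    if not patient.texting_consent:
        problems.append("no signed texting consent on file")
    if patient.opted_out:
        problems.append("patient has opted out or revoked consent")
    if patient.last_text_date == today:
        problems.append("patient already received a text today")
    if len(body) > MAX_SMS_LEN:
        problems.append(f"message is {len(body)} characters, limit is {MAX_SMS_LEN}")
    if office_contact not in body:
        problems.append("office contact information missing")
    # Remove the office's own contact line before scanning, so its phone number is not flagged.
    scan_text = body.replace(office_contact, "")
    for label, pattern in IDENTIFIER_PATTERNS.items():
        if pattern.search(scan_text):
            problems.append(f"message contains a {label}")
    # Names and dates cannot be caught by a generic pattern, so check the recipient's own values.
    lowered = scan_text.lower()
    for label, value in (("name", patient.name), ("date of birth", patient.dob), ("SSN", patient.ssn)):
        if value and value.lower() in lowered:
            problems.append(f"message contains the patient's {label}")
    return problems
```

A gate like this catches the mechanical rules only; the Minimum Necessary Standard and identifiers such as another person’s name still need a human or a per-message review.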

The Final Word on HIPAA Texting

Texts are an efficient form of communication between patients and healthcare professionals. When texting is used to reinforce treatment programs, patient engagement is improved, and medication compliance often increases by twofold or more. Since texts feel more personal than email, many patients feel better informed about their healthcare with regular communication and reminders.

Patients may forget appointments, costing a medical office both time and money. That patient’s health could be in danger if an appointment is missed, particularly if the patient needs regular follow-ups by a medical practitioner. Texting reduces the need for office staff to make time-consuming calls to patients to remind them of appointments.

Secure text messaging can be used to remind patients to take their meds and finish other important at-home medical duties, like checking their blood sugar levels, fasting before surgery, and so forth. Reminders help patients keep on top of their healthcare at home, which can improve results.

By following HIPAA guidelines and protecting your patient’s PHI, you can employ texting as an efficient, safe, and time-saving tool for everyone’s benefit.
