There’s a lot of confusion around HIPAA compliant texting. I often hear questions like:
My goal is to eliminate confusion and answer these text messaging questions and more.
So this article is for healthcare professionals, medical offices, medical staff, and any other practitioner that needs to understand:
By the end, you’ll have a clear understanding of HIPAA rules and requirements and how to text patients.
Read on for more.
HIPAA stands for the Health Insurance Portability and Accountability Act (1996). HIPAA is a federal law designed to keep protected health information (PHI) and patient privacy safe. The HIPAA Privacy and Security Rules require appropriate safeguards to protect the privacy of protected health information (PHI). HIPAA sets limits and conditions on the uses and disclosures of PHI without an individual’s authorization.
PHI stands for Protected Health Information. The HIPAA Privacy Rule establishes federal protections for personal health information. This gives patients numerous rights with respect to that information. PHI constitutes all individually identifiable health information. Any identifiers or information like name, birthday, or address are all considered PHI.
Text messaging is HIPAA compliant under certain conditions. Healthcare professionals can text patients if they establish patient consent, set opt-out controls, and sign a business associate agreement (BAA) with a HIPAA compliant texting app. This agreement sets guidelines and establishes that PHI won’t be exchanged via SMS text message. But keep in mind, SMS text messages aren’t considered HIPAA secure because:
Note: There aren’t definitive guidelines or certifications that officially recognize a texting product as “HIPAA Secure”. HIPAA demands compliance with the general rules as stated in the Security Rule, the Privacy Rule, and the Breach Notification Rule.
The difference between HIPAA compliant texting and secure texting comes down to addressable vs. required HIPAA implementation specifications.
Almost every business texting service for healthcare organizations can be HIPAA compliant when used properly. But very few texting platforms are HIPAA secure.
HIPAA compliance isn’t about texting software. It's about users.
Texting software can support HIPAA compliance and incorporate all the necessary safeguards for confidentiality, integrity, and availability of PHI. But users can easily undo those controls.
Does your practice or office need to send or receive protected health information via text?
If the answer is no, then you can use many texting apps (like MessageDesk) in a HIPAA compliant way for:
Note: All of the above text message examples are only HIPAA compliant if they omit protected health information. Check out my list of HIPAA compliant text templates below for specific examples.
Most HIPAA compliant texting apps come with all of the tools and features you need to comply with HIPAA. This includes features for getting express written consent and patient opt-in and opt-out (more on this below).
So the caveat for HIPAA compliance is that you have to use your texting platform in the right ways:
But what if you do need to text PHI?
Then you need a HIPAA secure texting app. These are different because they offer:
These are all addressable HIPAA compliant texting requirements. They apply specifically to healthcare professionals that absolutely need to handle PHI at rest and in transit when communicating with patients.
They’re not required for baseline HIPAA compliance, but they’re absolutely essential if you ever need to text PHI.
A common mistake many medical offices make is assuming that they can text patients from their personal phones and personal numbers.
This doesn’t work because:
So you need an SMS service with advanced tools and features to text patients.
Here’s how to get started.
The best HIPAA compliant text messaging apps save time, increase messaging efficiency, and extend your messaging reach.
But you and your staff have many business text messaging services to choose from. So consider what features you need before you buy.
Do you need to send a high volume of texts or send text alerts?
You’ll want a HIPAA compliant text messaging app that comes with A2P carrier-verified delivery and bulk texting features. Without these tools, you can’t text at scale and your text messages won’t get delivered.
Do you need one-on-one, two-way, HIPAA compliant patient communication and reminders? Then you’ll want a text service with a shared team SMS inbox.
An SMS inbox allows you and other staff to route, organize, and manage inbound and outbound text conversations. You can even add comments and tag and mention other admins or staff within individual text threads.
MessageDesk comes with all of the above texting features and more for offices and medical practices.
Regardless of the HIPAA compliant messaging app you choose, create a free account first. This gives you a chance to test drive and understand how things work.
Next, you’ll need to get a business text number.
You’ve got a range of SMS phone number options to choose from. These include:
MessageDesk even gives you a way to text-enable phone number extensions and set up call forwarding.
You need to be clear about your text messaging policies to send HIPAA compliant texts to patients.
This means never texting protected health information and explaining that patients can opt-out of messaging at any time.
There are several ways to do this:
Many business text messaging services like MessageDesk offer text message autoresponders for opt-in and opt-out.
If your office texts a patient for the first time, MessageDesk will automatically send an autoresponder opt-out message. This text message explains your messaging policies. It also instructs the patient on how to opt out of text messages by responding STOP at any time.
Additionally, if a patient opts out and texts STOP, a guard is placed on their phone number. This prevents you and your office from texting the patient until they opt back into messaging.
And if a patient texts HELP, then they’re directed to additional resources.
MessageDesk supports both STOP and HELP keywords out of the box. There’s no setup required to maintain TCPA compliance.
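The keyword flow above (policy autoresponder on first contact, a STOP guard on the number, HELP pointing to resources, and no sending without consent) is easy to get subtly wrong, so here is a small working model of it. This is an added example, not MessageDesk code: the keyword sets, the START re-opt-in word, the message texts, and the 10-digit number normalization are all assumptions chosen for illustration.

```python
"""Consent and opt-out guard for a patient texting workflow (added example, not MessageDesk code).

Rules modelled from the article:
  * outbound texts are refused until express written consent is on file;
  * the first outbound text to a number is preceded by the policy/opt-out autoresponder;
  * inbound STOP places a guard on the number that blocks every later outbound text;
  * inbound HELP returns a pointer to additional resources;
  * the guard is lifted only when the patient opts back in (assumed keyword: START).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed keyword sets; a real platform or carrier list may differ.
STOP_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}
HELP_KEYWORDS = {"HELP", "INFO"}
START_KEYWORDS = {"START", "UNSTOP"}

# Constructed message texts for illustration.
POLICY_TEXT = ("Msg & data rates may apply. We never send health details by text. "
               "Reply STOP to opt out, HELP for help.")
HELP_TEXT = "Questions? Call the office during business hours. Reply STOP to opt out."
STOP_ACK = "You have opted out and will receive no further texts. Reply START to opt back in."


@dataclass
class ConsentStore:
    consented: Set[str] = field(default_factory=set)   # express written consent on file
    opted_out: Set[str] = field(default_factory=set)   # guard placed after STOP
    contacted: Set[str] = field(default_factory=set)   # numbers already sent POLICY_TEXT


def normalize(number: str) -> str:
    """Reduce a phone number to its last 10 digits so "(555) 010-0001" and "5550100001" match."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:] if len(digits) >= 10 else digits


def record_consent(store: ConsentStore, number: str) -> None:
    """Called once the patient's written opt-in (web form, keyword, signed form) is on file."""
    store.consented.add(normalize(number))


def handle_inbound(store: ConsentStore, number: str, body: str) -> Optional[str]:
    """Apply keyword rules to an inbound text; return the auto-reply to send, or None."""
    n = normalize(number)
    words = body.strip().split()
    word = words[0].upper() if words else ""
    if word in STOP_KEYWORDS:
        store.opted_out.add(n)          # guard the number; one confirmation is still sent
        return STOP_ACK
    if word in START_KEYWORDS:
        store.opted_out.discard(n)      # patient opted back in; restate the policy
        return POLICY_TEXT
    if word in HELP_KEYWORDS:
        return HELP_TEXT
    return None                         # ordinary conversation, no automatic reply


def send_outbound(store: ConsentStore, number: str, body: str) -> List[str]:
    """Return the texts actually sent; [] when the guard or missing consent blocks the send."""
    n = normalize(number)
    if n in store.opted_out or n not in store.consented:
        return []
    sent: List[str] = []
    if n not in store.contacted:        # first contact: policy text goes out first
        store.contacted.add(n)
        sent.append(POLICY_TEXT)
    sent.append(body)
    return sent
```

The send path checks the guard and consent together, so a staff member cannot bypass an opt-out by sending manually, and the guard is keyed on the normalized number rather than on the contact record, which is what stops a re-imported contact from silently re-enabling texts.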
You need a written record of consent from patients that gives you their permission to receive texts. You can’t text a patient unless they clearly understand your messaging policies and opt-in.
This is called express written consent.
Some of the best ways to establish express written consent include:
All of these tools can help you start text conversations in HIPAA compliant ways. They can opt patients into texting and make your messaging policies clear.
Here’s an example of how to use autoresponders to explain messaging terms and establish express written consent:
📲 A patient texts a keyword to your business phone number ✨
Once you’ve established express written consent, you can manage active and inactive patients as “subscribers” with an SMS subscriber list.
MessageDesk’s subscriber list management features even include smart groups and custom fields.
These features are essential for timely messaging. They help you manage consent and stay compliant by:
Not everyone in your office needs access to patient health information.
Business text messaging platforms like MessageDesk come with user permissions and access controls. Access controls give each employee unique login credentials and a designated level of access to perform their job function.
This means you can make any protected health information inaccessible to certain staff members and employees.
There’s no need to include patient health information if your text messages are administrative. Staff texting appointment reminders and confirmations don’t need access to a patient’s medical information.
As part of your HIPAA text messaging policy, you need a signed business associate agreement (BAA).
A BAA specifies “covered entities”, e.g., your medical office, practice, and staff. It states that you’ll use the text messaging provider in a secure way to protect patient health information.
A BAA mandates that both entities stay within HIPAA compliance. Without a signed BAA, you can’t text patients.
Need to connect appointment scheduling, payments, or your EHR software? You can use services like Zapier to automate your appointment reminders, appointment confirmations, and payment reminders.
There are three ways you can use Zapier with MessageDesk to trigger events, automate your reminder messages, and more.
Whenever a new contact requests an appointment, you can sync their phone number with MessageDesk. Or update contact info when a contact reschedules an appointment in an app like Calendly or Google Calendar.
You can also add outside contacts to groups in MessageDesk.
Trigger a text message to be sent when an action happens in another app. You can automatically send a message to a customer any number of days before an event and much more.
The most common use of HIPAA compliant texting for medical professionals is reminding and confirming appointments. This is great for:
However, the only way to keep your texting HIPAA compliant is to never text protected health information.
You’re also free to check out my list of 100+ text message templates, examples, and samples for more.
Note: The following HIPAA compliant text message templates don’t include the patient’s name. Reasons for the appointment or the treatment and all other PHI are also omitted.
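Two of the controls described on this page, role-based access so that staff who only send reminders never see medical information, and templates that omit the patient’s name and every other PHI field, can be enforced in code rather than left to habit. The following is an added example, not MessageDesk code: the role names, the field names, the reminder wording, and the substring-based leak check are assumptions chosen for illustration.

```python
"""Least-privilege record view plus a PHI leak check for outbound texts (added example).

A scheduler role sees only what an administrative reminder needs (phone, appointment
time). The reminder is composed from that redacted view, and every outbound body is
checked against the full record so a message can't carry a PHI field value even if a
template is edited by hand. Roles, fields and wording are assumptions for illustration.
"""
from typing import Any, Dict, Set

# Assumed role -> readable fields. Only the scheduler set is needed to send reminders.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "scheduler": {"phone", "appointment_time"},
    "clinician": {"phone", "appointment_time", "name", "date_of_birth", "reason_for_visit"},
}

# Fields that must never appear in an SMS body, whatever the sender's role.
PHI_FIELDS: Set[str] = {"name", "date_of_birth", "reason_for_visit"}


def view_record(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return only the fields the role may read; an unknown role sees nothing."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


def phi_in_message(message: str, record: Dict[str, Any]) -> Set[str]:
    """Names of PHI fields whose values appear verbatim (case-insensitive) in the message."""
    text = message.lower()
    return {f for f in PHI_FIELDS if f in record and str(record[f]).lower() in text}


def safe_to_send(message: str, record: Dict[str, Any]) -> bool:
    """Gate every outbound text: True only when no PHI field value is present in the body."""
    return not phi_in_message(message, record)


def compose_reminder(record: Dict[str, Any], role: str) -> str:
    """Build a reminder from the role's redacted view only, then re-check the result."""
    view = view_record(record, role)
    if "appointment_time" not in view:
        raise PermissionError(f"role {role!r} may not compose appointment reminders")
    message = (f"Reminder: you have an appointment on {view['appointment_time']}. "
               "Reply C to confirm or R to reschedule.")
    leaked = phi_in_message(message, record)
    if leaked:
        raise ValueError(f"reminder would disclose PHI fields: {sorted(leaked)}")
    return message


# Constructed sample record for illustration (not real patient data).
SAMPLE_RECORD = {
    "phone": "5550100001",
    "appointment_time": "Tue 3:00 PM",
    "name": "Jane Example",
    "date_of_birth": "1990-01-01",
    "reason_for_visit": "flu shot",
}
```

The substring check is deliberately simple and only catches verbatim copies of stored field values; it is a backstop for the template rule, not a substitute for keeping PHI out of the view the sending role can see in the first place.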
Below is a list of frequently asked questions relating to text messaging and HIPAA compliance.
SMS text messages can’t be encrypted end to end because of the way carriers handle and relay them. Texting (as a technology) offers no encryption. This means you can’t use texts to transmit personal health information.
SMS text messaging is not HIPAA compliant if your text contains protected health information (PHI). But HIPAA doesn’t prohibit healthcare professionals from sending text messages (like appointment reminders) to patients. However, there are specific rules, regulations, and best practices to be aware of before you can start texting.
The paid version of Google Voice for Google Workspace can be used in a HIPAA compliant way. Google does sign BAAs for healthcare organizations and Google Voice can be used for texting without PHI in accordance with HIPAA regulations.
Google allows healthcare organizations to adopt its services, and they offer a business associate agreement for G Suite. BAAs did not initially cover Google Voice. But that has now changed. Google Voice for G Suite is covered by the BAA and can be considered a HIPAA compliant service.
WhatsApp is not HIPAA compliant in its current form. It can’t be used to transmit PHI. It doesn't have the proper safeguards in place to protect sensitive patient health information. However, healthcare professionals can use WhatsApp for general communication, or for sending de-identified health information.
Texting a patient's name or any other personally identifiable health information is a HIPAA violation. If you do need to text PHI, use a HIPAA compliant secure text app. These platforms move conversations from texts over to encrypted and password-protected messaging channels.
HIPAA violations and penalties can range from $100 to $50,000 per day depending on the severity of the violation.
On March 17, 2020, the US Department of Health and Human Services (HHS) released a statement in response to COVID-19.
This statement announced HIPAA enforcement discretion for healthcare providers.
The statement gives greater discretion and flexibility to healthcare providers, especially those who serve and contact patients every day through communications technologies like text messaging.
HIPAA compliant messaging apps are also subject to the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Ready to start texting? MessageDesk is here to help with smarter, simpler text messaging for medical offices, dental offices, and private practices.
Disclaimer: Please note that the advice contained in this article is for informational purposes only. It’s not meant to substitute for advice from qualified legal counsel.