Guide to HIPAA Compliant Texting For Medical Offices
Aug 09, 2020 - 6 min read time
Is SMS text messaging HIPAA compliant? Read the guide to HIPAA compliant texting for medical offices, dental offices, and private practices.

Is SMS Text Messaging HIPAA Compliant?

Text messaging (as a technology) is not HIPAA compliant. However, HIPAA doesn’t prohibit you and your medical office from sending text messages (like appointment reminders) to patients.

You just need to be aware of some specific rules and best practices before you start texting.

To send text messages to patients:

  1. Messages can’t contain personal health information (PHI)
  2. Patients need to opt-in to messaging

COVID-19 UPDATE: On March 17, 2020, the US Department of Health and Human Services (HHS) released a statement on HIPAA enforcement discretion for healthcare providers in response to COVID-19. The statement gives greater discretion and flexibility to healthcare providers who serve and contact patients every day through communications technologies.

Read More: Statement from the US Department of Health and Human Services

Disclaimer: Please note that our advice is for informational purposes only. It’s not meant to substitute for advice from qualified legal counsel.

What is HIPAA? What is Personal Health Information (PHI)?

HIPAA stands for the Health Insurance Portability and Accountability Act (1996). HIPAA is an act designed to keep protected health information (PHI) and patient privacy safe.

For any messaging technology to be HIPAA compliant, all messages related to protected health information (PHI) need to be encrypted. Messages also have to be protected while they are stored (at rest), not just while they are being sent and received (in transit).

PHI constitutes all individually identifiable health information. Any identifiers or information like first name, last name, birthday, or address are all considered PHI.

Suggested Article: Summary of the HIPAA Security Rule

Why You Need to Send HIPAA Compliant Text Messages

Sending HIPAA compliant text messages matters because text messaging isn’t a secure messaging technology.

Telecommunications carriers store all text messages, texts aren't encrypted, and most phones don’t have strong password protection.

Over its lifetime, a text message passes through various carriers and is stored on their servers. When a message is “at rest” the data is being stored locally on the recipient’s phone. This makes the content of a message vulnerable at every storage point.

Mobile devices can also get lost or stolen, which exposes PHI to identity theft.

HIPAA violations are also a serious affair. The penalties for HIPAA violations can range from $100 to $50,000 per day depending on the severity of the violation.

Top 3 reasons why text messages aren’t HIPAA compliant:

  1. Telecom carriers store all text messages as data in a server
  2. Text messages (as a technology) aren’t natively encrypted
  3. Password protection on normal phones and text messaging apps isn’t secure enough

How to Send HIPAA Compliant Text Messages

For your medical office to text patients, you first need consent. Consent applies to both transactional and promotional messages. You also need to make sure your text messages don’t contain any protected health information (PHI).

Opt-in and Opt-out Management

All patients need a way to opt-in and out of text messaging from your office. This is part of the TCPA guidelines and best practices.

Many business text messaging platforms like MessageDesk have built-in opt-in and opt-out management systems. You get an easy and user-friendly way to see who has and hasn’t opted into messaging.

If your office texts a patient for the first time, MessageDesk will automatically send an opt-out message. This message tells the patient how to opt out of text messages by replying STOP.

If a patient opts out and texts STOP, a guard is placed on their number. This prevents you and your office from texting the patient until they opt back in to messaging.

Suggested Article: Managing Opt-in and Opt-out with MessageDesk
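The opt-in and opt-out behaviour described above can be modelled in a few dozen lines. The following is an added example written for this guide, not MessageDesk's own code: a first outbound text triggers an automatic opt-out notice, a STOP reply places a guard on the number, and any later send to that number is refused until the patient opts back in. The keyword sets, the notice wording and the phone numbers are constructed assumptions; numbers are reduced to digits before lookup so a guard cannot be bypassed by formatting differences.

```python
import re
from dataclasses import dataclass, field

# Keywords that end or restore consent. Only STOP is named in the guide; the rest of
# this set is an assumption. "yes" is deliberately NOT an opt-in keyword, because the
# appointment templates use it for confirmations.
STOP_KEYWORDS = {"stop", "unsubscribe", "end", "quit"}
START_KEYWORDS = {"start", "unstop"}

# Hypothetical wording for the automatic notice sent on first contact.
OPT_OUT_NOTICE = "This number sends office updates. Reply STOP at any time to opt out."


def normalize(number: str) -> str:
    """Reduce a phone number to its digits so '(555) 010-0100' and '5550100100' share one guard."""
    return re.sub(r"\D", "", number)


class OptedOut(Exception):
    """Raised when staff try to text a number that has replied STOP."""


@dataclass
class ConsentRegistry:
    contacted: set = field(default_factory=set)   # numbers texted at least once
    guarded: set = field(default_factory=set)     # numbers that replied STOP
    outbox: list = field(default_factory=list)    # (number, body) pairs handed to the carrier

    def is_guarded(self, number: str) -> bool:
        return normalize(number) in self.guarded

    def send(self, number: str, body: str) -> None:
        """Queue an outbound text, refusing guarded numbers and prefixing first contact with the notice."""
        num = normalize(number)
        if num in self.guarded:
            raise OptedOut(num)
        if num not in self.contacted:
            # First contact: the opt-out notice goes out before the message itself.
            self.outbox.append((num, OPT_OUT_NOTICE))
            self.contacted.add(num)
        self.outbox.append((num, body))

    def receive(self, number: str, body: str) -> str:
        """Classify an inbound reply and update the guard accordingly."""
        num = normalize(number)
        word = body.strip().lower()
        if word in STOP_KEYWORDS:
            self.guarded.add(num)
            return "opted_out"
        if word in START_KEYWORDS:
            self.guarded.discard(num)
            return "opted_in"
        return "message"


def demo() -> ConsentRegistry:
    """First contact, STOP, a blocked send, then opt back in (constructed 555 numbers)."""
    reg = ConsentRegistry()
    reg.send("(555) 010-0100", "You have an appointment on Aug 12. Reply yes to confirm.")
    reg.receive("555-010-0100", "STOP")
    try:
        reg.send("5550100100", "Reminder: your appointment is tomorrow.")
    except OptedOut:
        pass  # the guard did its job; nothing was queued
    reg.receive("5550100100", "START")
    reg.send("5550100100", "Welcome back. Reply STOP to opt out again.")
    return reg


if __name__ == "__main__":
    for num, body in demo().outbox:
        print(num, "->", body)
```

Run as a script, the demo queues three messages: the opt-out notice, the first reminder, and the welcome-back text; the reminder sent while the guard was in place never reaches the outbox.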

HIPAA Compliant Text Message Templates

Asking patients to confirm their appointments via text can improve your office’s appointment scheduling flow. You can reduce no-shows, prevent phone tag, and improve patient satisfaction.

However, the only way to keep your texting HIPAA compliant is to never text personal health information.

With each of the following HIPAA compliant text message templates, you’ll see that name is not included. Nor are the reasons for the appointment, the treatment, or specialty of the practice.

Appointment Reminder Text Message Template:

You have an appointment with {{ OrganizationName }} on {{ Date }}. Reply “yes” to confirm or “no” to cancel. Feel free to respond to this text with questions. When you arrive, you may come in or reply to this text to check in. Please call {{ OrganizationPhone }} if you do not receive a response.

Checked in Text Message Template:

Thank you! We have you checked in. We will let you know as soon as your room is ready.

No Show or Missed Appointment Text

We missed you today! This is {{ OrganizationName }} notifying you that you missed your appointment with us on [ date ] at [ time ]. Please call us at {{ OrganizationPhone }} to reschedule.

Office Updates and Availability Text Message Template

Please be advised that parking for {{ OrganizationName }} is currently limited due to roadwork. Please plan ahead accordingly. We apologize for any inconvenience.

COVID-19 Guidelines Text Message Template

Please review our COVID-19 Guidelines BEFORE your appointment. [ link ]
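The common property of the templates above is that every placeholder refers to the office, a date or a link, never to the patient. A simple way to enforce that in a texting workflow is an allowlist of placeholders: a template is only rendered if each `{{ Name }}` it contains is on the list, so a template that slips in a patient name, treatment or provider is rejected before anything is sent. The following is an added example, not code from the original guide; the allowlist and the leaky counter-example are constructed, and the strictness is deliberate (anything not explicitly allowed is refused, so a new placeholder must be reviewed before use).

```python
import re

# Placeholders the office templates may use. Anything that identifies the patient
# (name, birthday, reason for visit, treatment, specialty) is absent by design.
# The set is an assumption drawn from the templates in this guide.
ALLOWED_PLACEHOLDERS = {"OrganizationName", "OrganizationPhone", "Date", "Time", "Link"}

# Matches {{ Name }} with or without inner spaces, capturing Name.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def disallowed_placeholders(template: str) -> list:
    """Placeholders in the template that are not allowlisted, in first-seen order."""
    seen = []
    for name in PLACEHOLDER.findall(template):
        if name not in ALLOWED_PLACEHOLDERS and name not in seen:
            seen.append(name)
    return seen


def is_safe_template(template: str) -> bool:
    return not disallowed_placeholders(template)


def render(template: str, values: dict) -> str:
    """Fill in an allowlisted template; refuse templates or values that reach outside the allowlist."""
    bad = disallowed_placeholders(template)
    if bad:
        raise ValueError(f"template uses placeholders that may carry PHI: {bad}")
    extra = set(values) - ALLOWED_PLACEHOLDERS
    if extra:
        # Refuse even unused PHI values so they cannot leak through a later template change.
        raise ValueError(f"values supplied for non-allowlisted fields: {sorted(extra)}")

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for {{{{ {name} }}}}")
        return str(values[name])

    return PLACEHOLDER.sub(substitute, template)


# The appointment reminder template from this guide.
APPOINTMENT_REMINDER = (
    "You have an appointment with {{ OrganizationName }} on {{ Date }}. "
    "Reply \"yes\" to confirm or \"no\" to cancel. Please call {{ OrganizationPhone }} "
    "if you do not receive a response."
)

# Constructed counter-example: this template would carry PHI and must be rejected.
LEAKY_TEMPLATE = "Hi {{ PatientName }}, your {{ Treatment }} with Dr. {{ Provider }} is on {{ Date }}."

# Constructed sample values for the office (no patient data).
CONSTRUCTED_VALUES = {
    "OrganizationName": "Example Family Clinic",
    "OrganizationPhone": "555-010-0100",
    "Date": "Aug 12",
}


if __name__ == "__main__":
    print(render(APPOINTMENT_REMINDER, CONSTRUCTED_VALUES))
    print("leaky template rejected for:", disallowed_placeholders(LEAKY_TEMPLATE))
```

The check runs on the template, not on the rendered text, so it catches the problem at authoring time rather than after a message has been queued.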

What Makes a HIPAA Compliant Text App:

The HIPAA Security Rules do allow you to send patient information over open, electronic networks. This can only occur as long as all personal health information is adequately protected.

HIPAA compliant text messaging apps are also subject to the Health Information Technology for Economic and Clinical Health (HITECH) Act. To protect health information, a HIPAA compliant text app will have the following features:

  1. Have advanced password protection for all users (access controls)
  2. Limit access to personal health information for various office staff (audit controls)
  3. Encrypt all text messages (encryption)
  4. Have a Business Associate Agreement (BAA)

Advanced Password Protection (Access Controls)

Not everyone in your office needs access to full patient files. Access controls (like password protection) give your employees access only to the minimum PHI.

Employees performing billing don’t need access to a patient’s medical information. Similarly, a nurse doesn’t need access to a patient’s financial information.

Access controls give each employee unique login credentials and a designated level of access to perform their job function.

Limit Access to PHI (Audit Controls)

Audit controls record who accesses patient information, when, and for how long. This establishes normal access patterns that can be attributed to specific individuals.

Audit controls are important for detecting unauthorized access to PHI. Most traditional texting platforms offer no way to monitor access at all.
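The two controls above work together: access controls decide which fields a job function may read, and audit controls record every attempt, allowed or denied, so that deviations from normal patterns can be spotted. The following is an added example, not code from the guide or from any texting platform: a small record store that enforces a per-role field allowlist (billing sees financial fields, nursing sees clinical fields), logs each read, and offers two detections over the log, repeated denied attempts per user and a user reading an unusual number of distinct patient records in a short window. The roles, fields, patient records and threshold are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Minimum-necessary access: which fields each job function may read (constructed).
ROLE_FIELDS = {
    "billing": {"insurance_id", "balance_due"},
    "nurse": {"allergies", "medications", "vitals"},
    "front_desk": {"next_appointment"},
}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    role: str
    patient_id: str
    field: str
    allowed: bool


class PatientRecordStore:
    """Field-level access control with an audit trail of every read attempt."""

    def __init__(self, records: dict):
        self._records = records
        self.audit_log: list = []

    def read(self, user: str, role: str, patient_id: str, field: str, when: datetime):
        allowed = field in ROLE_FIELDS.get(role, set())
        # Denied attempts are logged too; they are often the most useful signal.
        self.audit_log.append(AccessEvent(when, user, role, patient_id, field, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {field!r}")
        return self._records[patient_id][field]


def denied_by_user(log: list) -> Counter:
    """How many reads each user attempted outside their role's allowlist."""
    return Counter(e.user for e in log if not e.allowed)


def high_volume_users(log: list, window_minutes: int, max_patients: int) -> set:
    """Users who read more than max_patients distinct records within any window_minutes span."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in log:
        if e.allowed:
            by_user[e.user].append(e)
    flagged = set()
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        for i, start in enumerate(events):
            patients = {e.patient_id for e in events[i:] if e.when - start.when <= window}
            if len(patients) > max_patients:
                flagged.add(user)
                break
    return flagged


def demo() -> PatientRecordStore:
    """Constructed day: one nurse read, one billing read of a clinical field, one front-desk sweep."""
    records = {
        f"P{n}": {"insurance_id": f"INS-{n}", "balance_due": 0, "allergies": "none",
                  "medications": [], "vitals": {}, "next_appointment": "2020-08-12 09:00"}
        for n in range(1, 8)
    }
    store = PatientRecordStore(records)
    t0 = datetime(2020, 8, 10, 9, 0)
    store.read("nurse1", "nurse", "P1", "allergies", t0)
    try:
        store.read("bill1", "billing", "P1", "allergies", t0 + timedelta(minutes=1))
    except PermissionError:
        pass  # refused, but recorded in the audit log
    for n in range(1, 8):  # seven distinct patients in seven minutes
        store.read("desk1", "front_desk", f"P{n}", "next_appointment", t0 + timedelta(minutes=n))
    return store


if __name__ == "__main__":
    s = demo()
    print("denied attempts:", dict(denied_by_user(s.audit_log)))
    print("high volume:", high_volume_users(s.audit_log, window_minutes=10, max_patients=5))
```

The volume threshold is a policy choice; in practice it would be derived from each role's normal pattern, which is exactly what the audit log lets you establish.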

Encrypted Text Messages (Encryption)

There’s no such thing as secure text messaging. There’s only MORE secure text messaging. Yet, HIPAA mandates encryption for securing PHI.

Encryption is the strongest form of digital protection. It converts data into an unreadable form. To view it, you need a decryption key.

Again, texting doesn’t allow for encryption because of the way the carriers handle texts. Texting (as a technology) can’t be encrypted. This means you can’t use texts to transmit personal health information.

Business Associate Agreement (BAA)

As part of your HIPAA text messaging policy, you need a signed business associate agreement (BAA). A BAA specifies the “covered entities” and the protections that secure protected health information. It also requires that both entities remain HIPAA compliant.

Without a signed BAA, you can’t use a text messaging app to send PHI.

Suggested Article: How to Choose the Best Texting App for Your Business or Organization