Wondering whether text messages are HIPAA-compliant? In this guide, we’ll outline what you can and can’t send to patients for HIPAA-compliant texting.
Healthcare facilities communicate with patients through multiple channels.
For example, patients may receive appointment reminders via email and text messaging but are invited to discuss their health conditions and treatment through a password-protected communication platform.
It might sound like an inefficient way to message patients, but this assortment of messaging channels helps medical professionals comply with U.S. laws.
While it’s often quicker and more convenient to message patients about payments and upcoming appointments through SMS and email, you can’t legally send personal, identifiable information through these unsecure channels.
These standards for patient privacy apply because of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The stakes are high here. Penalties for violating HIPAA can run as high as $50,000 per day. It’s no wonder we get a lot of questions about whether texting is HIPAA-compliant.
Thankfully, there are a lot of compliant ways that healthcare organizations can use SMS.
To understand when text messaging is and isn’t HIPAA-compliant, we put together this guide to help you navigate HIPAA-compliant texting.
TABLE OF CONTENTS
Please note that this advice is for informational purposes only and is neither intended as nor should be substituted for consultation with appropriate legal counsel and/or your organization’s regulatory compliance team.
HIPAA is a U.S. law that helps protect patients’ sensitive health information from being shared without the patients’ consent or knowledge.
Specifically, the Administrative Simplification provisions of HIPAA explicitly cover how organizations manage and protect patients’ health information.
The ultimate goal is to ensure that the information is protected and stored securely, even when in transit. (An example of data or information in transit includes sending a text message to another user, or web browsing over a wireless connection.)
The Administrative Simplification provision also determines what protected health information (PHI) means and the rules you need to follow when including it in patient communications.
PHI refers to all individually identifiable health and personal information, like names, birthdates, account numbers, and photos showing the patient’s face.
When it comes to sending PHI to patients via text message, your number one responsibility is to protect the patients’ right to privacy.
You’re probably not going to like this answer, but: it depends on what information is in the message.
There’s no explicit HIPAA text messaging policy, but there are rules that apply to electronic communications in the healthcare industry as a whole.
Text messages, like emails, are HIPAA-compliant if they don’t contain PHI, since including that information would be a violation of the Privacy and Security rules.
Before you text a patient, make sure:
While some business text messaging services like ours encrypt messages, SMS is not considered to be a secure form of communication under HIPAA. Phones may be lost or stolen, putting patients’ personal and health information at risk.
When in doubt, don’t send protected health information out.
What if you still need to send a patient a text that contains PHI?
You’ll need a HIPAA-compliant communication platform that protects messages both at rest (like sitting on your office computer) and in transit (as it’s being transmitted across the internet or other unsecure networks.
These types of platforms should:
Your HIPAA secure SMS service provider must also sign a business associate agreement (BAA). According to the U.S. Department of Health and Human Services, the business associate — in this case, the SMS service provider — must sign a contract stating that they’ll appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.
We’ve covered what you can and can’t include when sending SMS to patients with a business texting platform.
Now, let’s look at the essential steps involved with sending HIPAA-compliant text messages.
Since standard SMS apps, like the one you use to text friends and family, don’t allow you to easily manage or schedule texts, you’ll want to use an app-to-person (A2P) texting platform.
Here are some features to look for in a medical text messaging platform:
Autoresponders
Autoresponders are messages that you set to send at a specific time after new
contacts sign up to receive your texts.
That means you can set up messages that contain all the necessary details for HIPAA compliance immediately after new contacts join your texting lists.
Using autoresponders will help you reduce the risk of forgetting to send out those details, and it’ll also lighten your workload.
Here’s a real world example:
Canadian Fertility Consulting (CFC) integrated our SMS platform with Salesforce to automatically send text messages to prospective donors based on their interests. So, if someone fills out CFC’s web form for egg donations, they would receive an automated text with information on becoming an egg donor.
This automation helped the CFC team respond quickly to prospective donors and provide a better experience for them.
These are perfect for sending out appointment reminders and prescription notification texts to your patients.
Just schedule out each patient’s reminders using the clock icon within your SimpleTexting Inbox and move on to the next task — your patients will get their text when it’s time to get ready for their appointment or take their medication.
For less privileged communications, like communicating sudden office closures or letting patients know that a different doctor will be replacing their usual provider that day, segments can come in handy.
Segments are just groups of contacts that have something in common. You could have a group of contacts that go to the same practice location or who receive the same type of care.
Using segments helps you get messages to contacts who will want to see them, and avoid sending out overly generalized texts.
💡 If you want to see what’s possible with a business text messaging platform, you can sign up for our free 14-day trial.
Telecommunication regulatory bodies and wireless carriers enforce SMS compliance guidelines to help prevent bad actors from sending spam and scam texts.
One of the guidelines is to obtain express written consent from your contacts before texting them. Our SMS compliance guide goes into more detail, but essentially, you have to get patients’ written permission to text them if you’re planning on sending promotional messages.
But if a patient gives you their phone number for any reason, like when they’re filling out medical forms, you can send them transactional text messages without needing express written consent. This includes administrative texts like appointment reminders and prescription notifications.
To send promotional messages, you need to get patients to opt in, or subscribe, to your messages. Some opt-in methods include keywords (like “Text HEALTH to 555-555-5555”), web forms, and paper forms.
💡 Check out our SMS opt-in methods guide to see which is right for your healthcare practice.
The best way to ensure that your text messages are HIPAA-compliant is to not include any personal identifiers in your texts.
Here are the most common HIPAA-compliant text examples that you can use as templates.
By asking patients to confirm appointments via text, you can cut back on the large percentage of people who forget to cancel or reschedule. No-shows are a major headache for medical professionals.
Example: “Hi! I’m reaching out from Lighthouse Dental Centre. I just wanted to give you a friendly reminder that you are due for a dental cleaning. If you would like to schedule an appointment, you can text me back or call our office”
In this appointment reminder text above, Lighthouse Dental didn’t mention any health conditions, the patient’s name, or other personal information.
Once they switched from phone call reminders — which often went unanswered — to text messages, they experienced a nearly 100% patient response rate.
According to the Food and Drug Administration, 50% of prescribed medication isn’t taken as directed by doctors and pharmacists.
Care teams can improve patient care by reminding patients when it’s time to take their prescriptions, without including PHI.
You can also see SMS delivery reports, the closest thing to read receipts, to make sure patients received the prescription notification.
Example: “A friendly reminder to take your prescription! If you have any questions about your prescription, then please call our office at 888-927-1826.”
After a medical appointment involving lab tests, patients may be anxiously awaiting their results. As soon as the lab test results are ready, send them a notification and direct them on how to find the results.
Example: “Your lab test results are ready to review. Please log in to the patient portal to view: https://txt.st/HKSGDJ”
In this text, there’s no mention of the specific lab test or information about the results.
💡Take a look at our other medical text message templates.
We’ve laid out the framework for HIPAA-safe text messages here, but you may still have some questions. Here are the questions we receive most often.
Is it against HIPAA to text patients?
Not if you follow HIPAA’s guidelines on sending PHI, like informing patients of unauthorized disclosure risks and only sending PHI via secure, encrypted platforms.
If you want to be extra-sure your messages are compliant, keep identifiable, protected patient information out of your texts.
What is HIPAA-compliant messaging?
HIPAA-compliant messaging is any message sent to your patients that doesn’t include PHI or that:
What texting app is HIPAA-compliant?
If you’re sending texts that contain PHI, you must use an SMS platform that’s designed to comply with HIPAA regulations.
If you’re only planning on sending administrative or promotional text messages that don’t contain patient information, you can use a business texting platform (like ours!).
We have years of experience helping healthcare organizations send text messages and are happy to answer any further questions you may have.
We’re available 7 days a week and happy to help. Text or call us at (866) 450-4185, or use the chat at the bottom of your screen.
Alternatively, sign up for a 14-day free trial, no credit card required.
Drew Wilkinson is the Head of Marketing at SimpleTexting. Drew has more than a decade of experience managing successful integrated marketing programs to build brands, raise awareness, and generate demand.
More Posts from Drew WilkinsonIntelyCare has gone from strength to strength, raising an impressive $45 million at the start of this year. As the company expands across America, here’s how it’s using text messages to communicate with its database of nurses.
ReadAppointment no-shows are frustrating and can lower your revenue. Prevent them with these appointment confirmation text templates and best practices.
ReadStart a text marketing campaign or have a 1-on-1 conversation today. It's risk free. Sign up for a free 14-day trial today to see SimpleTexting in action.
No credit card required