When the General Data Protection Regulation (GDPR) came into force in Europe on May 25, 2018, Europeans were suddenly covered by some of the world’s strictest data protection rules. Since then, other consumer privacy laws have come into effect. For example, the California Consumer Privacy Act (CCPA) is similar to the sweeping EU law, at least in spirit.
Healthcare organizations in the US are well ahead of the curve. They have been subject to high standards for managing and protecting sensitive patient data and patient communication since the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, with the detailed Privacy and Security Rules taking effect in the years that followed.
The stakes are high. Civil penalties for organizations that violate HIPAA are no joke: they are tiered by level of culpability and run as high as $50,000 per violation, with an annual cap per violated provision of $1.5 million (before inflation adjustments). It is no wonder we get a lot of questions about whether texting is HIPAA compliant.
Because SMS travels unencrypted through carrier networks, where it can be inspected and logged, and is then stored on handsets that can be lost or stolen, you should not put patient identifiers in ordinary text messages. Thankfully, there are many compliant ways healthcare organizations can use SMS.
To understand when SMS text messaging is HIPAA compliant–and when it’s not–we put together this article that provides HIPAA guidelines for texting.
Please note that this advice is for informational purposes only and is neither intended as nor should be substituted for consultation with appropriate legal counsel and/or your organization’s regulatory compliance team.
HIPAA is by no means new; it was signed into law nearly 25 years ago. The legislation provides data privacy and security provisions, with the ultimate aim of ensuring that patients' medical information is kept safe.
The act contains five sections, or titles as they are known. Title II, Administrative Simplification (AS), explicitly covers how organizations manage and protect patients' health information. The goal is to ensure that the information is protected and stored securely, including while it is in transit. (Data is "in transit" whenever it moves between systems: sending a text message to another user or browsing the web over a wireless connection are both examples.)
The AS provisions, and the Privacy and Security Rules issued under them, determine what a HIPAA compliant text message is. There is quite a bit to this title, but the main thing to know is that it singles out protected health information (PHI). PHI is individually identifiable health information that a covered entity or its business associate holds or transmits. It includes the obvious items such as names and diagnoses, but also biometric identifiers such as fingerprints and even a date of birth.
If you want more information on PHI and healthcare communications, then this article from the US Department of Health and Human Services is a reliable resource.
Most of the misunderstanding surrounding HIPAA compliant texting comes from the complicated legalese in the Privacy and Security Rules. Neither rule mentions texting explicitly, but they do set out specific conditions that apply to electronic communications in the healthcare industry.
These conditions are where information that contains personal identifiers (PHI, as described above) comes into play. HIPAA does not explicitly forbid sending PHI by text, but for such messages to be compliant, safeguards must apply both in transit and at rest. In practice that means encryption in transit and at rest, access controls on who can read the message, and an audit trail of who sent and received it. Ordinary SMS provides none of these, which is why encrypted messaging is necessary for HIPAA compliant messages that contain PHI.
If you want to understand the journey a text message takes (or MMS message in this case), this video does an excellent job of explaining it.
Text messages pass through the various carriers, as the video above explains. Then, "at rest," the data is stored on the specific handsets that received the messages, not just on the sending platform's servers. This is problematic because mobile devices can be lost or stolen, exposing PHI to unauthorized access and individuals to identity theft. Therefore plain SMS is not, strictly speaking, a HIPAA compliant channel for PHI.
But, and this is a big but, there are certain kinds of texts you can send that are HIPAA compliant.
The best way to ensure that your text messages are HIPAA compliant is to not include any personal identifiers in your texts. Here are a couple of examples where texting is HIPAA compliant:
By asking patients to confirm appointments via text, you can cut back on the large percentage of people who forget to cancel or reschedule. No shows are a big headache for medical professionals.
As you can see in the example above, there is no mention of the provider's specialty or the patient's name. Nor is there any mention of the reason for the appointment, the treatment the patient is coming in for, or the medication they are taking.
Communication in healthcare organizations is not just between healthcare professionals and patients. You can save administrative time by using text messages to notify healthcare staff of schedule changes or other organizational updates.
According to the Food and Drug Administration, 50% of prescribed medication isn't taken as directed by doctors and pharmacists. Care teams can improve patient care by reminding patients when it's time to take their prescriptions, in a way that doesn't include any PHI (no drug name, dose, or condition). You can also see SMS delivery reports, the closest thing to read receipts.
These are only a handful of examples of transactional messages where no personal identifiers are mentioned. You can also alert patients that new test results are available (but keep the results themselves behind the login of a secure patient portal, with only a link in the text), gather feedback from patients, and get shifts covered.
None of the HIPAA compliant text messages above include PHI. However, there are certain instances where sending PHI by text is allowed:
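The practical control behind the examples above is that outgoing texts are built from pre-approved templates whose only placeholders are values that cannot identify a condition or provider. The following is an added example (not code from this article or its authors) of a small gate that enforces exactly that: only allowlisted templates may be sent, only allowlisted placeholders may be filled, and a heuristic PHI scan runs over both the supplied values and the rendered message as a backstop. The template names, placeholder names, PHI patterns and sample messages are all hypothetical and constructed for illustration; the regex list is deliberately conservative and is not a substitute for having compliance review each template before it is approved.

```python
import re

# Approved outgoing templates (constructed for this example). Their placeholders are
# limited to scheduling details and contact points, never the reason for a visit.
APPROVED_TEMPLATES = {
    "appointment_reminder": (
        "Reminder: you have an appointment on {date} at {time}. "
        "Reply C to confirm or R to reschedule."
    ),
    "results_available": (
        "New results are available in your secure patient portal. "
        "Log in at {portal_url} to view them."
    ),
    "staff_schedule_change": (
        "Schedule update: your shift on {date} now starts at {time}. "
        "Call {clinic_phone} with questions."
    ),
}

# The only placeholders any template may use. A template that asks for
# {patient_name} or {diagnosis} is rejected before it can ever be sent.
ALLOWED_PLACEHOLDERS = {"date", "time", "portal_url", "clinic_phone"}

# Illustrative patterns for content that must never appear in an SMS body.
# This is a backstop, not the primary control; tune it for your own data.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                              # SSN-like
    re.compile(r"\b(?:dob|date of birth|born)\b", re.I),                # birthday references
    re.compile(r"\b(?:diagnos\w*|prescri\w*|dose|hiv|cancer|diabet\w*)\b", re.I),
    re.compile(r"\b(?:oncolog|cardiolog|psychiatr|dermatolog)\w*", re.I),  # specialties
    re.compile(r"\b[A-Z]{3}\d{6,}\b"),                                  # MRN-like identifiers
]

PLACEHOLDER_RE = re.compile(r"\{(\w+)\}")


def find_phi(text: str) -> list[str]:
    """Return every substring of `text` that matches one of the PHI patterns."""
    return [m.group(0) for pattern in PHI_PATTERNS for m in pattern.finditer(text)]


def template_problems(template: str) -> list[str]:
    """Reasons a candidate template must not be approved (empty list means clean)."""
    problems = []
    disallowed = set(PLACEHOLDER_RE.findall(template)) - ALLOWED_PLACEHOLDERS
    if disallowed:
        problems.append(f"disallowed placeholders: {sorted(disallowed)}")
    hits = find_phi(template)
    if hits:
        problems.append(f"PHI-like content: {hits}")
    return problems


def build_sms(template_name: str, **values: str) -> str:
    """Render an approved template, raising ValueError on anything that could carry PHI."""
    if template_name not in APPROVED_TEMPLATES:
        raise ValueError(f"template not approved: {template_name}")
    template = APPROVED_TEMPLATES[template_name]
    if template_problems(template):
        raise ValueError(f"approved template is no longer clean: {template_problems(template)}")

    # Every placeholder must be filled and nothing extra may be injected.
    expected = set(PLACEHOLDER_RE.findall(template))
    missing, extra = expected - values.keys(), values.keys() - expected
    if missing or extra:
        raise ValueError(f"placeholder mismatch: missing={sorted(missing)} extra={sorted(extra)}")

    # Scan the supplied values individually, then the rendered message as a whole,
    # so PHI smuggled through a "time" field like "2:30 PM in oncology" is caught.
    for name, value in values.items():
        if find_phi(value):
            raise ValueError(f"value for {name} looks like PHI: {find_phi(value)}")
    body = template.format(**values)
    if find_phi(body):
        raise ValueError(f"rendered message contains PHI-like content: {find_phi(body)}")
    return body


def is_allowed(template_name: str, **values: str) -> bool:
    """Convenience wrapper: True if build_sms would send, False if it refuses."""
    try:
        build_sms(template_name, **values)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_sms("appointment_reminder", date="Tue Jun 14", time="2:30 PM"))
    print(is_allowed("appointment_reminder", date="Tue Jun 14", time="2:30 PM in oncology"))
    print(template_problems("Hi {patient_name}, your biopsy results show cancer."))
```

The design point is that free text never reaches the SMS gateway: a caller can only name a template and supply allowlisted fields, so the PHI scan is a second line of defence rather than the thing you rely on. Anything that genuinely has to carry PHI should go through an encrypted channel with consent recorded, as described later in this article.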
1. Texting patient information to patients is allowed by HIPAA, provided the organization has warned the patient that the risk of unauthorized disclosure exists and has obtained the patient’s consent to communicate via text. This communication must be documented clearly.
2. The US Department of Health and Human Services (HHS) announced on March 17, 2020, that it would waive potential HIPAA penalties for healthcare providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency.
This exception is not unprecedented. HHS has waived certain HIPAA Privacy Rule requirements before, after natural disasters such as earthquakes and hurricanes.
Texting is a practical, quick way to get in touch with patients or staff when you need to send an appointment reminder, a general alert, or any other important message. It's less involved than a phone call and more formal than the likes of Facebook Messenger. The catch is that you need to be careful about sending texts that include PHI.
We understand that this might still all seem a bit overwhelming. Even the most experienced healthcare practices can get tripped up by the complexities of HIPAA requirements and secure text messaging.
That’s why it’s essential to partner with an experienced text messaging platform or HIPAA compliant texting app. We have years of experience helping healthcare organizations send text messages and are happy to answer any further questions you may have. We’re available 7 days a week and happy to help. Text or call us at (866) 450-4185 or use the chat at the bottom of your screen.