While HIPAA does not explicitly prohibit sending text messages, for texting to be HIPAA compliant, there are specific rules you have to follow. Learn about them here.
When the General Data Protection Regulation (GDPR) came into force in Europe on May 25, 2018, Europeans were suddenly covered by some of the world’s strictest data protection rules. Since then, other consumer privacy laws have come into effect. For example, the California Consumer Privacy Act (CCPA) is similar to the sweeping EU law, at least in spirit.
Healthcare organizations in the US are way ahead of the curve. They’ve been subject to high standards for managing and protecting sensitive patient data since 1996. These standards apply because of the Health Insurance Portability and Accountability Act (HIPAA).
The stakes are high here. Penalties for health organizations that violate HIPAA are no joke and can run as high as $50,000 per day. It’s no wonder why we get a lot of questions about whether texting is HIPAA compliant.
As carriers can review text messages and phones can be lost, you can’t send text messages that include any patient identifiers. Thankfully, there are a lot of compliant ways healthcare organizations can use SMS.
To understand when SMS text messaging is HIPAA compliant–and when it’s not–we put together this article that provides HIPAA guidelines for texting.
- What Is HIPAA?
- Are There HIPAA Guidelines for Texting?
- Examples of HIPAA Compliant Texting
- Is Texting Right for You?
Please note that this advice is for informational purposes only and is neither intended as nor should be substituted for consultation with appropriate legal counsel and/or your organization’s regulatory compliance team.
What Is HIPAA?
HIPAA was signed into law nearly 25 years ago. The legislation provides security and data privacy provisions, with the ultimate aim of ensuring that patients’ medical information is kept safe.
The act contains five sections–or titles as they’re known. Title II, the Administrative Simplification (AS) Act, explicitly covers how organizations manage and protect patients’ health information. The ultimate goal is to ensure that it’s protected and stored securely, even when in transit. (Examples of data in transit include a text message sent to another user, or web browsing over a wireless connection.)
The AS Act determines what HIPAA compliant text messages are. While there’s quite a bit to this title, the main thing to know is that it calls out protected health information (PHI) as particularly important. PHI refers to all individually identifiable health information, and identifiers range from biometric data such as fingerprints to something as ordinary as a birthday.
If you want more information on PHI, then this article from the US Department of Health and Human Services is a reliable resource.
Are There HIPAA Guidelines for Texting?
Most misunderstanding surrounding HIPAA compliant texting comes from the complicated legalese in the Privacy and Security rules. There is no explicit mention of texting, but they do set out specific conditions that apply to electronic communications in the healthcare industry.
These conditions are where information that contains personal identifiers–PHI, as it’s referred to above–comes into play. While HIPAA does not say you must avoid sending PHI by text, for your text messages to be compliant, certain texting safeguards need to apply at rest and in transit.
If you want to understand the journey a text message takes (or MMS message in this case), this video does an excellent job of explaining it.
Text messages go through the various carriers, as the video above explains. Then at “rest,” data is stored on the specific handsets that received the messages–not just our servers. This is problematic because mobile devices can be lost or stolen, exposing PHI to unauthorized access and individuals to identity theft. Therefore SMS is not strictly HIPAA compliant.
But, and this is a big but, there are certain kinds of texts that you can send that are HIPAA compliant. Read on!
What Is HIPAA Compliant Texting?
The best way to ensure that your text messages are HIPAA compliant is to not include any personal identifiers in your texts. Here are a couple of examples where texting meets HIPAA regulations:
1. Appointment Reminders
By asking patients to confirm appointments via text, you can cut back on the large percentage of people who forget to cancel or reschedule.
As you can see in the example above, there is no mention of the specialty of the provider or the patient’s name. Neither the reason for the appointment, the treatment the patient is coming in for, nor the medication they’re taking is mentioned.
2. Interoffice Communications
Communication in healthcare organizations is not just between healthcare professionals and patients. You can save administrative time by using text messages to notify healthcare staff of schedule changes or other organizational updates.
3. Send Prescription Reminders
According to the Food and Drug Administration, 50% of prescribed medication isn’t taken as directed by doctors and pharmacists. You can improve health outcomes by reminding your patients when it’s time to take their prescriptions–in a way that doesn’t include any PHI.
These are only a handful of examples of transactional messages where no personal identifiers are mentioned. You can also alert patients to new test results (but keep those results in a secure portal protected by a password), gather feedback from patients, and get shifts covered.
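The common thread in the examples above is that every message is built from a fixed transactional template whose only variable parts (date, time, a callback number) carry no identifiers. The following is an added example of how a sending pipeline can enforce that as a control rather than a guideline; it is not SimpleTexting’s code, and the template names, placeholder names and PHI patterns are assumptions constructed for illustration. The gate refuses free-text messages, refuses templates that reference PHI-bearing fields, and re-scans the rendered text so that PHI cannot be smuggled in through an allowed placeholder.

```python
import re

# Approved transactional templates (constructed examples). The only placeholders
# they use are ones that carry no patient identifiers.
APPROVED_TEMPLATES = {
    "appointment_reminder": (
        "Reminder: you have an appointment on {date} at {time}. "
        "Reply C to confirm or call {clinic_phone} to reschedule."
    ),
    "prescription_reminder": "It's time to take your medication. Reply OK once done.",
    "results_available": "New results are available in your patient portal. Log in to view them.",
    "shift_update": "Schedule update: the {date} shift roster has changed. Check the staff portal.",
}

# Placeholders that never identify a patient.
ALLOWED_PLACEHOLDERS = {"date", "time", "clinic_phone"}

# Placeholder names (assumed field names) that would put PHI into the message body.
PHI_PLACEHOLDERS = {"patient_name", "dob", "diagnosis", "medication", "provider_specialty", "mrn"}

# Patterns suggesting PHI slipped into free text (constructed, not exhaustive):
# SSN-shaped numbers, a labelled date of birth, a medical record number, clinical detail.
PHI_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "ssn"),
    (re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d", re.I), "dob"),
    (re.compile(r"\bMRN\b[:\s#]*\d+", re.I), "mrn"),
    (re.compile(r"\b(?:diagnos(?:is|ed)|prescribed)\b", re.I), "clinical_detail"),
]


def find_placeholders(template):
    """Return the set of {placeholder} names used in a template string."""
    return set(re.findall(r"\{(\w+)\}", template))


def check_template(template):
    """Return a list of policy violations for a template; an empty list means it is allowed."""
    problems = []
    for name in sorted(find_placeholders(template)):
        if name in PHI_PLACEHOLDERS:
            problems.append(f"placeholder {{{name}}} would insert PHI")
        elif name not in ALLOWED_PLACEHOLDERS:
            problems.append(f"placeholder {{{name}}} is not on the allow-list")
    for pattern, label in PHI_PATTERNS:
        if pattern.search(template):
            problems.append(f"template body matches PHI pattern: {label}")
    return problems


def render_outbound(template_name, values):
    """Render an approved template for sending; raise ValueError if anything fails the gate."""
    if template_name not in APPROVED_TEMPLATES:
        raise ValueError(f"unknown template {template_name!r}; free-text SMS is not permitted")
    template = APPROVED_TEMPLATES[template_name]
    problems = check_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    message = template.format_map(values)
    # Re-check the rendered text: a caller could pass a PHI-bearing value into an allowed slot.
    hits = [label for pattern, label in PHI_PATTERNS if pattern.search(message)]
    if hits:
        raise ValueError("rendered message contains PHI-like content: " + ", ".join(hits))
    return message


def is_rejected(template_name, values):
    """True if the gate refuses to send this message (exercises the deny path)."""
    try:
        render_outbound(template_name, values)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values; 555 numbers are fictional.
    ok = render_outbound(
        "appointment_reminder",
        {"date": "June 14", "time": "2:30 PM", "clinic_phone": "555-0100"},
    )
    print("SEND:", ok)
    print("REJECT free text:", is_rejected("free_text", {}))
    print("Template problems:", check_template("Hi {patient_name}, your appointment is at {time}"))
```

The useful design point is the second scan on the rendered string: allow-listing placeholder names catches templates that were written wrong, but only a check on the final text catches a scheduler that stuffs a diagnosis or date of birth into the `date` slot.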
Other Instances Where Text Messaging Is HIPAA Compliant
None of the HIPAA compliant text messages above include PHI. However, there are certain instances where sending PHI by text is allowed. Here they are.
1. Texting patient information to patients is allowed by HIPAA, provided the organization has warned the patient that the risk of unauthorized disclosure exists and has obtained the patient’s consent to communicate via text. This communication must be documented clearly.
2. The US Department of Health and Human Services (HHS) announced on March 17, 2020, that it would waive potential HIPAA penalties for healthcare providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency.
This exception is not unprecedented. The HHS has waived the HIPAA rules for text messaging after a natural disaster such as an earthquake or hurricane.
Is Texting Right for You?
Texting is a practical, quick way to get in touch with patients or staff when you need to send an appointment reminder, a general alert, or any important message. The catch is that you need to be careful about sending texts that include PHI.
We understand that this might still all seem a bit overwhelming. Even the most experienced healthcare practices can get tripped up by the complexities of HIPAA requirements.
That’s why it’s essential to partner with an experienced text messaging platform. We have years of experience helping healthcare organizations send text messages and are happy to answer any further questions you may have. We’re available 7 days a week. Text or call us at (866) 450-4185 or use the chat at the bottom of your screen.
Send your first message in minutes. Try SimpleTexting free for 14 days. No credit card required.