While text messaging has become an essential tool for healthcare communication, it also presents unique challenges when it comes to HIPAA compliance. In this article, we will explore what exactly HIPAA compliance in text messaging is and provide guidance on how healthcare organizations can ensure that their text messaging practices are secure, compliant, and effective.
Jump right to:
- HIPAA terminology
- What is HIPAA compliance?
- Is texting HIPAA compliant?
- Who needs to be HIPAA compliant?
- How to ensure your text messages are HIPAA compliant
<h2 id="hipaaterm">HIPAA terminology</h2>
Before we move on to explaining HIPAA-compliant texting, here are several common HIPAA-related terms to know.
- HIPAA (The Health Insurance Portability and Accountability Act). This is the law that protects patient data from unauthorized access and disclosure.
- PHI (Protected Health Information). PHI is data that a healthcare professional collects to identify an individual and determine care plans. It includes demographic information, medical history, test results, health conditions, insurance data, and more.
- ePHI (Electronic Protected Health Information). This refers to PHI that is stored or transmitted electronically.
- HIPAA Privacy Rule. This rule protects individually identifiable health information. It applies to PHI in any medium and sets rules for who can send and receive this data.
- HIPAA Security Rule. The security rule requires covered entities to implement safeguards to protect ePHI.
- HIPAA Breach Notification Rule. This rule dictates how organizations must disclose HIPAA breaches to patients and HHS.
- Covered Entity. These are the organizations bound by HIPAA. It includes health plans, ACOs, nurses, doctors, dentists, home health aides, billing providers, etc.
- Business Associates. Vendors or contractors work with a covered entity and may handle PHI.
- BAA (Business Associate Agreement). This is an agreement between a business associate and the covered entity about how PHI will be protected.
<h2 id="hipaawhat">What is HIPAA compliance?</h2>
The Health Insurance Portability and Accountability Act, known as HIPAA, protects the privacy and confidentiality of patient’s health data (PHI). The HIPAA regulations establish national standards for electronic healthcare transactions, privacy, and security, with three key subsets to note:
- Privacy Rule. This rule defines how personal health information (PHI) can be used and disclosed, who can access it, and how it should be protected.
- Security Rule. The security rule protects how electronic PHI is created, received, used, or maintained by entities bound by HIPAA. It requires companies to have physical and technical safeguards to secure this health data.
- Breach Notification Rule. This rule outlines the requirements healthcare organizations and covered entities must follow when notifying patients in case of a breach of their PHI.
HIPAA compliance means following these HIPAA rules if you’re a covered entity dealing with PHI.
<h2 id="hipaaneeds">Who needs to be HIPAA compliant?</h2>
Any company that handles PHI must comply with HIPAA. The Department of Health and Human Services says the following groups must follow it:
- Healthcare professionals (doctors, dentists, pharmacists, psychologists, etc.)
- Health plans (health insurers, Medicare, Medicaid, HMOs, etc.)
- Healthcare clearinghouses (billing or claim service provider)
- Business associates (contractors, subcontractors, any business working with covered entities)
<h2 id="hipaacompliant">Is texting HIPAA compliant?</h2>
Texting can be HIPAA compliant when done with the proper controls. To ensure HIPAA-compliant texting, businesses must use a secure SMS platform and ensure necessary administrative, physical, and technical safeguards are in place.
If texting is used to transmit ePHI, it must be secured using encryption or other appropriate security measures to prevent unauthorized access. Healthcare organizations should also have policies and procedures in place to govern the use of text messaging for patient-related communications, including guidelines for when it is appropriate to use text messaging and what information can be shared.
To ensure HIPAA compliance when using text messaging, healthcare organizations need to use HIPAA-compliant messaging platforms that encrypt data, safely store patient consent and have access controls.
HIPAA-protected information to be mindful of when sharing via text
HIPAA protects all individually identifiable health information. According to HHS, this includes data relating to:
- An individual’s past, present, or future health condition
- The provision of healthcare to an individual
- The payment for the provision of healthcare to an individual
Any of this health-related data is protected; especially when that data is linked to a personal identifier.
Some specific examples of identifiers you’ll want to be careful about sharing are:
- Geographic data
- Specific dates
- Telephone number
- FAX number
- Social Security number
- Email address
- Medical record number
- Account number
- Health plan beneficiary number
- Certificate/license number
- Vehicle identifiers and serial numbers including license plates
- Web URL
- Device identifiers and serial number
- Internet protocol address
- Full-face photos
- Biometric identifier
- Any unique identifying number or code
Examples of text messages that must be HIPAA compliant
Here are six examples of texts that must be HIPAA-compliant because they share ePHI and have a personal identifier.
1. Appointment confirmation with ePHI.
Hi Sarah. This is Dr. Patel’s office reminding you about your annual checkup on Feb. 21 at 3 p.m. Reply C to confirm.
2. Sharing test results via text.
Hi there! Dr. Patel’s office here. Your test results are available. We’ve attached them below. (Attachment)
3. Follow-up text about a specific procedure
Hi Kenneth. I wanted to follow up with you regarding your pancreatectomy. How are you healing? Do you have any questions?
4. Sharing billing amount via text
Hi Calvin. The total for your visit to Orthopedic Care is $51.22. Please pay online or by calling (555)-555-5555.
5. Requesting insurance information
Hi Colleen. The prior UnitedHealth insurance you had on file with Dr. Patel expired. Can you share your new information when you have a chance?
6. Requesting a patient review
Hi Maria, we’re happy you had a positive experience with Dr. Shaw. Would you mind leaving a review for her here: [link]
Examples of text messages that don’t need to be HIPAA compliant
Here are six examples of text messages that don’t need to be HIPAA compliant because they don’t disclose ePHI or a personal identifier. You’ll notice they are vaguer.
1. Vague appointment reminders
This is a reminder that your appointment with [organization name] is on [date] at [time]. Reply to cancel or reschedule.
2. Vague appointment confirmation
Please reply YES to confirm your dental appointment with Dr. Knutson on [date] at [time].
3. Follow up text message
Hi there. This is Leon from Dr. Knutson’s office. How are you feeling today?
4. Results are ready
Hi there! Your test results from [organization name] are ready. Visit your patient portal to view them.
5. Billing reminder
This is a reminder to pay your bill from [organization name]. Visit your patient portal to pay.
6. Request a review
We’re thrilled you had a good experience at our office today. Would you mind leaving a review here: [link]
<h2 id="howtoensure">How to ensure your text messages are HIPAA compliant</h2>
If you’re a covered entity, you must take HIPAA compliance seriously. Keep these tips in mind when texting patients.
Get explicit consent to text
Before sending your first text, get explicit written consent from patients. Under HIPAA, PHI can be shared if the healthcare entity obtained explicit authorization first. Textline has a patented contact consent process, which ensures consent is collected, documented, and securely stored.
Communicate the risk of texting with patients
There’s always a risk that someone else may see personal information texted to a patient’s phone. As a result, to stay compliant, you must warn patients in writing about these risks. A good practice is including this verbiage in your opt-in text message.
Don’t text from your personal phone
When texting patients, don’t use a personal mobile device. Personal devices can get lost or stolen with PHI on them, and no way to erase texts remotely. Plus, patients don’t have an easy way to consent or revoke consent to text.
Use a HIPAA-compliant app
For healthcare organizations to have HIPAA-secure texting, message data must be encrypted, patient consent must be obtained, and access safeguards must be in place. HIPAA-compliant texting software helps businesses meet or exceed the privacy and security standards demanded by HIPAA.
Set up access controls
To stay compliant, healthcare organizations must implement access controls to prevent unauthorized access to PHI and share what authorized users can do with PHI.
Some specific access controls to set up include:
- Unique log-ins. Like you would with an electronic health record, ensure authorized users have a unique username or ID to log into your texting platform.
- Multi-factor authentication. Make authorized users confirm their identities before accessing the texting platform.
- Automatic sign-offs. Ensure the platform automatically logs users out after a period of time has elapsed to prevent unauthorized access to PHI.
- Sensitive data redaction. Only allow certain members of your organization to view sensitive data.
Keep text conversation history
In the event of a HIPAA audit, you’ll want to have a record of your text exchanges with patients. This includes having consent documented and stored.
Limit PHI in texts
Only include necessary information in texts. This helps covered entities meet the minimum necessary standard, which requires those to disclose the smallest amount of PHI as possible to accomplish the task at hand.
Ensure the ability to erase data remotely
Make sure you can delete protected information from any company-owned device remotely in case of theft or lost device.
Employee training is vital to ensuring HIPAA compliance. Make sure your employees know the policies and procedures you have in place surrounding securely texting patients.
Meet Textline – The first HIPAA-compliant texting platform
Text your patients confidently and securely with Textline, the first HIPAA-compliant texting platform.
Textline is designed to keep health data safe with encryption, special access controls, and a patented consent process.
Take advantage of texting’s high open and response rates while knowing you comply with HIPAA.