
Are you illegally texting your patients? How to use HIPAA compliant texting

Nina Godlewski

Business texting has made many parts of running a business easier. Scheduling, price quoting, coordinating, dispatching, and following up are all simple tasks with business texting. Plus, texting has a 98 percent open rate. When healthcare companies and organizations use business texting, though, HIPAA compliance should be top of mind. After all, the whole point of HIPAA is to protect private and personal health information.

Texting has a 98% open rate.

Business texting can help boost sales and patient satisfaction and reduce no-shows in your office. A survey showed that twice as many patients would prefer secure texting over a patient portal for communicating with their healthcare providers. With benefits like that, you can't afford not to implement HIPAA compliant texting. But before you do, be sure you know the rules.

What is HIPAA compliance?

The rules and guidelines that protect health data are part of the "Health Insurance Portability and Accountability Act," or HIPAA. Those rules protect patients and bind anyone who is in the business of holding health data. The language around HIPAA can be hard to parse, so you can also read our full explainer, "What is HIPAA compliance?"

The part of HIPAA that sets out the circumstances under which protected health information may be shared or accessed is the Privacy Rule. The Security Rule is the part that requires administrative, physical, and technical safeguards on electronic protected health information so that only the people meant to have access actually do.

HIPAA requires health plans, health care providers, and health care clearinghouses to follow both rules. Following them means implementing "reasonable safeguards" to protect patients. The best way to implement those safeguards varies by communication channel, so here we'll specifically discuss texting.

How is texting HIPAA compliant? Are you illegally texting?

Texting personal health information to your patients from your own private device is never HIPAA compliant. According to The Office of the National Coordinator for Health Information Technology, "Your organization may approve texting after performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices." In other words, texting is allowed only once the organization has assessed the risk and is using a platform and devices it has approved.

So when texting, you need to abide by HIPAA standards and take every measure you can to protect patients' personal information. That information is referred to as electronic protected health information, or ePHI, and it covers a long list of identifiers (given below).

Texting is HIPAA compliant when it's done correctly and observes the Security and Privacy Rules. That means you've obtained consent and you're texting through a secure platform. Textline's contact consent safeguards ensure patient consent is collected, documented, and stored, and the process is HIPAA compliant from beginning to end. Textline also works only with vendors that are trusted to handle customer data in a HIPAA compliant manner, and message data is stored securely, including encryption.

Any organization planning to use HIPAA compliant texting is required to get explicit consent from each patient it texts. The standard consent request message your patients receive is: "Org Name complies with HIPAA and wants to exchange text messages with you. Text messaging may not be fully secure. To consent, reply YES." Note that the request itself tells the patient that text messaging may not be fully secure; the patient is consenting with that caveat in front of them. You can see an example of this consent request below.

Figure: the standard consent request message included with Textline.

That consent protects your business by obtaining and recording the patient's permission before any message is exchanged. Plus, with Textline you can easily see who in your office sent which message and who had access to each patient conversation. That audit trail is part of the security controls needed to be HIPAA compliant.

How HIPAA compliant texting differs from messaging apps

HIPAA compliant texting gives you a direct line to your patient, right in the native texting app on their phone. Messaging apps can't give you that. With Textline's HIPAA compliant texting there's no need for patients to download a new app or create any sort of profile or login, so there are fewer steps to communicating.

With business texting, no login is necessary on the patient's side. Most messaging apps that are permitted under HIPAA, by contrast, work through an online portal on both the patient's and the practitioner's end. That means the practice has to send patients a sign-up link so it can verify who is on the other end of the conversation. This can work well, but it lacks the convenience of texting in the phone's native app.

Portals can be clunky. Patients have to get a notification that a new message is waiting in the portal, then log in to read it before they can respond. Texting bypasses all of that, which makes it more convenient than a patient portal.

How to make sure you’re legally texting your patients

Most of the time you're texting with patients, you'll probably be communicating ePHI and will need to comply with HIPAA. There are a few exceptions when you might not, such as non-specific appointment reminders or messages pointing patients to an online health portal.

The information you need to be careful about sharing is the set of identifiers that, combined with health information, make that information protected under HIPAA. According to HIPAA Journal, they are as follows:

  • Names
  • Dates (except year)
  • Telephone numbers
  • Geographic data
  • FAX numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers 
  • Any unique identifying number or code

Common ways HIPAA compliance is broken

Breaking HIPAA, whether through human error or a data breach, is fairly easy. The best way to be sure your communication stays compliant is to have the proper safeguards and protocols in place before the first message is sent. Here are some common ways HIPAA is broken:

Texting from a personal phone: While texting can be HIPAA compliant when done right, it should never be done from a personal phone or device. Your patients will be using their personal devices, but on your side you should use a protected platform that requires a professional login.

Employees disclosing information: Employees discussing patients' personal information is one of the most common ways HIPAA is broken. Employees can't share patient information beyond what's necessary for care, and only in a private medical setting. With Textline you can see who your employees are messaging and which messages they share with other employees, and you can control who can see what. That gives you the visibility you need to know patient information is secure.

Employees accessing unauthorized info: Another common way HIPAA is broken is employees accessing information they shouldn't. Systems should be set up so that employees can only reach the information they need for their role (least privilege). Textline helps here by letting you control who has the right to access what information, and by keeping a record of who has accessed what.

Do you need to be HIPAA compliant while texting? 

The list above covers the identifiers that make health information protected under HIPAA. If any of them appears in a text you're sending alongside health information, then you need to be HIPAA compliant. There are also cases when you communicate with a patient without any identifying information. Those texts have to be kept generic and usually rely on another channel, such as a portal, to deliver the details. They also carry some risk of going unanswered, because the patient has to take an extra step to see the actual message.

The texts below that do not require HIPAA compliance are those that mention no names, specific dates, procedures, or other identifying information. Here are some examples of when you do, and don't, need to be HIPAA compliant while texting.

When you need to be HIPAA compliant while texting and when you don’t

The following texts are typical of what a doctor's office might send to patients. Those that contain protected health information require HIPAA compliance. The non-compliant examples mention exact dates and procedures and share test results, all of which are personal health information that needs to be protected. The texts that don't need to abide by HIPAA leave that protected information out.

Figure: the message on the left requires HIPAA compliance because it includes a specific date and the reason for the appointment, which is considered ePHI. The message on the right does not include such information.

Figure: the message on the left requires HIPAA compliance because it includes test results, which are ePHI. The message on the right does not include any protected information and directs the patient to a portal.

Figure: the message on the left requires HIPAA compliance because it mentions stitches, which reveals a procedure and is ePHI. The message on the right does not require HIPAA compliance to send.

Remember, you can't control what your patients send, and they might share protected information on their own. If you respond mentioning the tests by name, you'd need to be HIPAA compliant. You'd also need to be HIPAA compliant in storing any communication from a patient that includes protected information. So while a patient doesn't violate their own privacy by sending a message with ePHI, your response, and how their message is stored, must follow HIPAA guidance.

Figure: the provider's message on the left abides by HIPAA rules by not including any ePHI, but the patient's response on the right does include ePHI. You'd want to make sure that reply is stored in a HIPAA compliant manner.
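As an added example (not code from the original post or from Textline), the following Python script turns the identifier list above and the figure pairs into a pre-send check: it refuses to send to a number with no documented YES reply, flags outbound messages that carry likely ePHI so they go out only on the compliant channel, and runs the same scan over an inbound patient reply to decide whether it needs compliant storage. The consent log, the phone numbers, the sample messages, and the list of clinical terms are all constructed for the example; the regular expressions are heuristics for the formats a text message is likely to contain, not the full 18-identifier rule.

```python
import re
from dataclasses import dataclass, field

# Constructed consent log (an assumption for this example): phone -> the patient's
# reply to the opt-in request and when it was recorded. A real deployment would
# read this from the messaging platform's stored consent records.
CONSENT_LOG = {
    "+15555550100": {"replied": "YES", "at": "2024-03-01T14:02:00Z"},
    "+15555550101": {"replied": "STOP", "at": "2024-03-02T09:15:00Z"},
}

# Heuristic patterns for identifiers from the list above that show up in free text.
# Names, geographic data and other context-dependent identifiers cannot be caught
# by regex alone, so treat a clean result as "nothing obvious", not "no ePHI".
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # Numeric dates (3/14, 03/14/2024) and month-name dates (March 14).
    # A year on its own is exempt under the "dates (except year)" identifier.
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}(?:/\d{2,4})?"
        r"|(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.? \d{1,2}(?:st|nd|rd|th)?)\b",
        re.IGNORECASE,
    ),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{4,}\b", re.IGNORECASE),
}

# Constructed list of clinical words (an assumption): procedures and results that the
# figures above treat as ePHI even when no name or date is attached.
CLINICAL_TERMS = (
    "stitches", "biopsy", "mri", "x-ray", "test results", "positive",
    "negative", "blood work", "surgery", "prescription",
)


@dataclass
class ScreenResult:
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    findings: dict[str, list[str]] = field(default_factory=dict)


def has_consent(phone: str) -> bool:
    """True only if this number replied YES to the opt-in request and that reply is on record."""
    record = CONSENT_LOG.get(phone)
    return record is not None and record["replied"].strip().upper() == "YES"


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return the likely identifiers and clinical terms found in a message, keyed by kind."""
    found: dict[str, list[str]] = {}
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[kind] = hits
    lowered = text.lower()
    terms = [term for term in CLINICAL_TERMS if term in lowered]
    if terms:
        found["clinical_term"] = terms
    return found


def screen_outbound(phone: str, text: str, channel_is_hipaa: bool) -> ScreenResult:
    """Gate an outbound text: every recipient needs documented consent, and a message
    that carries likely ePHI may leave only over the compliant channel."""
    findings = find_identifiers(text)
    reasons: list[str] = []
    if not has_consent(phone):
        reasons.append("no documented YES reply on file for this number")
    if findings and not channel_is_hipaa:
        reasons.append("likely ePHI on a non-compliant channel: " + ", ".join(findings))
    return ScreenResult(allowed=not reasons, reasons=reasons, findings=findings)


# Constructed sample messages modelled on the figure pairs above.
SAMPLE_MESSAGES = {
    "appointment_phi": "Hi Sam, your MRI is scheduled for March 14 at 2pm. Reply C to confirm.",
    "appointment_generic": "Reminder: you have an appointment coming up. Log in to the portal at https://portal.example.org for details.",
    "results_phi": "Your test results are in: the biopsy was negative.",
    "inbound_from_patient": "My stitches from 3/2 are itchy, is that normal? My SSN is 123-45-6789.",
}

if __name__ == "__main__":
    for label, message in SAMPLE_MESSAGES.items():
        print(label, find_identifiers(message))
    print(screen_outbound("+15555550100", SAMPLE_MESSAGES["appointment_phi"], channel_is_hipaa=False))
```

The generic reminder passes on any channel because it carries no identifier and only points to a portal; the reminder with "March 14" and "MRI" is blocked unless the compliant channel is used; and the number that replied STOP is blocked regardless of content. Running `find_identifiers` over the inbound patient reply surfaces the SSN, the date, and the stitches, which is the signal that the reply must be stored under HIPAA controls. Expect false positives (a "1/2 tablet" dosage looks like a date) and false negatives (a patient's name is not matched), so this is a guardrail in front of a compliant platform, not a substitute for one.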

Texting your patients legally: The bottom line 

There's no point texting your patients unless you're doing it legally. Covering all your bases and having security in place at every step has to come before you ever send that first text.

Your patients' personal health information and their security are at risk, which isn't something you or your employees should take lightly. The rules of HIPAA are in place for a reason, and not following them can result in fines, jail time, loss of license, and at the very least loss of trust and business from your patients.

Disclaimer: The information in this article is the opinion of the Textline editorial team and is not intended as legal advice.

HIPAA terms to know

Here are some of the terms to know around HIPAA:

HIPAA - Health Insurance Portability and Accountability Act, the law that protects your health information and requires health care providers, plans, and clearinghouses to keep that information secure and private.

Privacy Rule - The rule that governs who is allowed to use, disclose, and receive protected health information, and under what circumstances.

Security Rule - The rule that requires administrative, physical, and technical safeguards around electronic protected health information.

PHI - Protected Health Information: any health record or data that identifies (or could identify) a person and is created or used in providing or paying for health care.

ePHI - Electronic Protected Health Information: the subset of PHI that is created, stored, maintained, or transmitted electronically.

Covered Entity - The organizations HIPAA was originally written for: health plans, health care clearinghouses (billing and health information systems), and health care providers such as doctors' offices, dentists, and home nursing care.

Business Associates - Any vendor or subcontractor that handles protected health information on behalf of a covered entity.

Breach Notification Rule - The rule that sets out when and how organizations that suffer a breach of unsecured PHI must notify the affected individuals (and, in some cases, regulators and the media).

BAA - Business Associate Agreement: the contract between a covered entity and an outside party that handles its PHI, setting out how that PHI must be protected.
