The Health Insurance Portability and Accountability Act (HIPAA) is the core rule that applies to communication with patients. If you’re a covered entity looking to understand what rules apply to HIPAA text messaging, you’re in the right place.
This post covers the seven core HIPAA texting rules you need to follow so that your SMS strategy is compliant.

Use a secure SMS platform
Text messaging from a personal device is not HIPAA compliant. That’s because standard texting apps don’t have the proper technical safeguards to protect patient data. Instead, you must use a HIPAA-compliant text messaging platform, like Textline. These platforms have core security measures such as:
- Data encryption to protect PHI in the system
- User access controls to prevent unauthorized logins
- Secure data storage in cloud environments
- Control over data retention for audits
Sign a BAA
If a covered entity works with a software vendor that may handle or gain access to any personally identifiable information, it must sign a Business Associate Agreement (BAA).
These agreements establish a legally binding relationship between covered entities and their business associates to ensure PHI is protected. The agreement assures that both parties are doing everything within their ability to safeguard data and will follow escalation procedures in the event of a breach, and it sets out how liability is shared.
Get patient consent to text
If we could pick a pillar rule for HIPAA compliant text messaging, it is this. Any healthcare covered entity must get explicit permission to text their patients. Within this permission text, they must state the risks of text messaging. This permission to text ensures HIPAA compliance.
Once you have this permission from patients, it is okay for you to message about PHI and text back and forth with patients.
For example, here is the message that Textline’s HIPAA clients send to their patients to collect consent.

Maintain an audit trail
HIPAA regulations require the tracking and auditing of data access. This means you must be able to prove which employees logged into the texting platform to potentially view any PHI. You should also maintain a repository of patient consent messages, which can help protect you from liability.
These are just a few more reasons why healthcare organizations need a HIPAA compliant SMS platform.
Use access controls
Each user of your texting platform should have a unique login to better track access. In addition, other user access controls should be in place, such as multi-factor authentication, automatic logouts, single sign-on, and unique permissions. These prevent unauthorized individuals from accessing the account.
Textline, for example, requires MFA, automatically logs out inactive sessions, and allows healthcare providers to set unique data access permissions for each individual, and even redacts sensitive data.
Use the minimum necessary standard
This HIPAA rule requires covered entities to make reasonable efforts to limit access to protected health information. Specifically, healthcare providers should make reasonable efforts to limit the use and disclosure of, and requests for, protected health information to the “minimum necessary to accomplish the intended purpose.”
This means that if a patient is simply asking for their appointment time, you should reply to that question alone rather than sending everything about the upcoming appointment.
Additionally, texting patients a link to log into an online patient portal is a great solution for meeting the minimum necessary standard.
Set internal policies and procedures
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI. As a result, covered entities must have some internal and administrative policies in place to ensure texting stays compliant.
You should establish:
- Acceptable use policies. These policies should outline what types of information can be shared via text, which items you should share via a secure portal, and rules about forwarding messages.
- Text retention and archiving policies. Understand how long you want to retain text messages and when they should be archived.
- Access control safeguards. Ensure that employees don’t use shared logins, log out each time they step away from the computer, and have MFA set up.
- Security awareness training. Have a plan in place to regularly teach your employees about current risks and scams, so that they are equipped to protect themselves and the organization.
Textline is the secure SMS platform you’ve been looking for
Overall, those are the core HIPAA rules regarding texting. If you’re looking for a secure texting solution, Textline should be on your shortlist of platforms to explore.
Textline has everything you need to make texting in a HIPAA-compliant manner possible. We offer:
- A patented patient consent to text process
- Full end-to-end data encryption
- Required technical safeguards like data encryption, MFA, and user access controls
And best of all, Textline doesn’t require patients to download a separate app – all they need is their cell phone.
Ready to see how Textline can help transform your patient communication strategy? Create a free account now.