When patients miss their scheduled therapy appointments, they miss key opportunities to make progress. No-shows also cost providers time and money.
Sending therapy session reminders is a valuable way for therapists to reduce the frequency of no-shows, enhance relationships with patients, and make their operations more efficient.
But are these reminders considered protected health information (PHI)? Here is what you need to know about keeping your therapy session reminders HIPAA compliant.
All therapists who submit electronic billing are considered covered entities under HIPAA. This means they are required to put security policies in place that safeguard patients’ PHI.
PHI refers to all identifiable health information such as demographics, test results, medical history, and any other data that is used to provide healthcare services. Because an appointment reminder links an identifiable patient to the healthcare services they receive, it qualifies as a form of PHI.
The HIPAA Privacy Rule allows covered entities to use and disclose PHI for treatment, payment, and other healthcare operation purposes. Since appointment reminders are considered part of treatment, therapists are permitted to send them without needing authorization.
Although therapists are allowed to issue appointment reminders under HIPAA, the content of the message matters.
Whether therapy session reminders are sent via email, text, or voicemail, it is important to consider that someone other than the intended recipient may see or hear them.
For instance, family members or colleagues might have access to a patient’s voicemail system. There is also the risk of stolen mobile devices and hacked email.
In order to prevent a privacy violation, therapists should limit the amount of PHI included in appointment reminders as a precautionary measure. This means excluding details on the patient’s condition, appointment notes, treatment plans, and test results.
Instead, aim to keep information as generic as possible. Focus on the essential details such as the patient name, meeting date and time, practice name, and contact number. Use the name of the physician in your reminder, rather than naming their particular specialty.
Inform patients ahead of time that you will be sending appointment reminders, and offer them the chance to opt out if they wish. This transparency is especially important when messages are sent through a non-secure platform, as patients need to be aware of those risks.
In addition, ask patients to keep you informed of any phone number or email address changes to prevent sensitive information from falling into the wrong hands.
While proactively limiting the information in therapy session reminders can help safeguard patient data, human error is inevitable. A smarter approach is to use a HIPAA-compliant email solution or scheduling software from the start.
When using any type of third-party platform to send automated appointment reminders, make sure you obtain a business associate agreement (BAA). This document outlines the responsibilities of the service provider in protecting electronic PHI (ePHI).
Other capabilities to look for include encrypting data at rest and in transit, limiting access to authorized users, and offering the opportunity to customize privacy settings based on your unique needs.
Therapy session reminders are considered PHI under HIPAA. Therefore, certain safeguards must be implemented to protect patient privacy.
By leaving out identifying details and using HIPAA-compliant software, therapists can issue therapy session reminders as securely as possible.