Text messaging is a convenient way for healthcare providers to keep patients up-to-date on their care. However, failing to implement the appropriate security controls can put patients’ sensitive data at risk. Those controls include obtaining the necessary permissions from patients before sending them this type of communication.
Here is what you need to know about the HIPAA rules for patient consent.
In order to send text messages that contain protected health information (PHI), covered entities must obtain a patient’s written consent. Skipping this initial step is considered a HIPAA violation.
Some examples of situations that warrant consent include sending billing information, following up after a procedure, or requesting a patient’s insurance details via text message.
Once permission is captured, healthcare practices must keep a record of patients’ written authorization. This might be a physical copy of a signed document or a timestamp of completion for digital files.
The best time for healthcare providers to get patients’ permission to send text messages is during new patient registration. This can be accomplished with a text messaging consent form. The consent request must clearly state that the patient agrees to be communicated with in this manner. Also, thoroughly explain what information they can expect to receive.
For instance, will texts only consist of basic reminders, or will they include news and updates on your practice as well? Be specific when outlining the full scope and purpose of texting patients.
In addition, let patients know they have the right to opt out of text messages at any time and provide detailed information on how to do so.
Finally, be transparent about the risks of unauthorized access and emphasize the importance of keeping mobile devices password-protected.
Consent is just one piece of sending HIPAA compliant text messages. Covered entities must also establish specific guidelines for texting patients and reinforce these to employees.
Include information on when texting is acceptable and what can be shared in this manner. Educate staff members on secure texting practices, the potential repercussions of insecure texting, and how to recognize suspicious activity. This helps reduce the chance of data security incidents.
In addition, text messages should adhere to the Minimum Necessary Standard. Leave sensitive information out of texts unless it is absolutely essential to the message’s purpose. Instead, use texting for general communication, such as quick reminders and appointment scheduling.
The HIPAA Security Rule requires healthcare providers to establish access controls that limit PHI access to employees who need it for their roles and audit controls that determine what can be done with this information. Encryption is also required to secure PHI at rest and in transit.
These robust features are not available through standard texting platforms. Therefore, the safest approach is to sign a business associate agreement (BAA) with the vendor of a HIPAA compliant messaging app. A BAA outlines the business associate’s obligations to protect patients’ data.
Under HIPAA, covered entities must obtain a patient’s written authorization before sending text messages that include PHI.