Recent research has shown that patients view secure messaging as a valuable way to interact with their providers when it is convenient for them and as a way to have a record of those conversations. HIPAA compliant text messaging involves implementing encryption and access controls to safeguard protected health information (PHI), obtaining patient consent for text communication, and refraining from including PHI in standard SMS messages.
HIPAA permits texting patients about appointments. According to the HHS, "appointment reminders are considered part of treatment of an individual and, therefore, can be made without an authorization."
Related: Best practices for HIPAA compliant appointment notifications
Standard SMS messages are not encrypted, so under HIPAA they should not be used to send PHI such as test results. Deliver test results through a secure channel instead, such as HIPAA compliant email or a messaging app that meets HIPAA requirements.
If a patient sends PHI via text message, do not respond with PHI. Instead, promptly inform the patient that PHI cannot be discussed over text due to security and privacy concerns. You can then suggest a secure communication method to ensure the confidentiality and integrity of the patient's PHI.
Obtaining patient consent for text message communication is a HIPAA requirement. Consent can be collected through an opt-in option during registration, where patients indicate whether they want to receive text messages, or through a clear consent form that explains the risks and benefits of text message communication under HIPAA regulations.
Read more: Obtaining patient consent for text message communication
All employees handling PHI via text messaging are subject to HIPAA regulations. Healthcare organizations must provide comprehensive HIPAA training for employees to ensure understanding and compliance with HIPAA rules when communicating via text messaging.
Text messaging can be used for general healthcare marketing, but marketing messages must not contain PHI. Review marketing templates before they are sent to confirm that no patient-specific health information is included.
Storing text messages containing PHI on personal devices may lead to potential HIPAA violations. Refrain from storing PHI on personal devices, as these devices may lack adequate security measures to protect sensitive patient information. Instead, implement secure, authorized systems for storing and accessing patient information.
Related: Is sharing PHI on personal devices safe?
Automated text messaging systems can be used for appointment reminders or follow-ups, provided that appropriate safeguards are in place to protect patient privacy and security. HIPAA compliant automated systems should ensure encryption, access controls, and audit trails for compliance.
Healthcare providers should conduct regular risk assessments to evaluate the effectiveness of their text messaging practices in maintaining compliance with HIPAA regulations. These assessments should be done periodically or in response to changes in technology or organizational practices to identify and address potential security vulnerabilities.
Prioritize respecting patient preferences regarding communication methods, including text messaging, and offer options for opting out of text message communication if requested. Document patient preferences accurately within their health records to ensure compliance with HIPAA regulations and maintain patient trust.
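The consent, opt-out, automated-reminder and "do not reply with PHI" points above can be enforced in one small pipeline. The following is an added example written for this page, not code from the article or from any vendor it mentions: the patient records, the `Registry`, `Patient` and `send_reminder` names, the reminder template and the set of allowed placeholder fields are all assumptions made for illustration. It gates every outbound reminder on recorded consent, refuses any template whose placeholders reach beyond scheduling facts, honours a STOP reply, never echoes content a patient texted in, and writes an audit entry for every decision.

```python
"""Added example (not from the original article): a consent-gated, PHI-free
appointment reminder pipeline with an audit trail.  Patient records, field
names and the reminder template are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from string import Formatter

# Template placeholders allowed in an SMS reminder: scheduling facts only.
# Anything else (diagnosis, results, medication) is treated as PHI that must
# not leave the system over unencrypted SMS.
ALLOWED_FIELDS = {"first_name", "practice", "date", "time"}

REMINDER_TEMPLATE = (
    "Hi {first_name}, this is a reminder of your appointment with {practice} "
    "on {date} at {time}. Reply STOP to opt out of text reminders."
)

@dataclass
class Patient:
    patient_id: str
    phone: str
    first_name: str
    sms_consent: bool = False   # opt-in captured at registration
    opted_out: bool = False     # set when the patient replies STOP

@dataclass
class Registry:
    patients: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def audit(self, event, patient_id, detail=""):
        # Audit trail: who, what, when; never the message body.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "patient": patient_id, "detail": detail,
        })

def template_fields(template):
    """Names of the {placeholders} a str.format template references."""
    return {name for _, name, _, _ in Formatter().parse(template) if name}

def check_template(template):
    """Refuse any template whose placeholders go beyond scheduling facts."""
    extra = template_fields(template) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"template references PHI fields: {sorted(extra)}")
    return True

def send_reminder(reg, patient_id, appointment, template=REMINDER_TEMPLATE):
    """Return ('sent', text) or ('blocked', reason); every decision is audited."""
    p = reg.patients[patient_id]
    if not p.sms_consent or p.opted_out:
        reg.audit("reminder_blocked", patient_id, "no consent or opted out")
        return ("blocked", "no consent")
    check_template(template)            # raises before anything is rendered
    text = template.format(first_name=p.first_name, **appointment)
    reg.audit("reminder_sent", patient_id, "appointment reminder")
    return ("sent", text)

def handle_inbound(reg, patient_id, body):
    """Process a reply: honour STOP, and never echo PHI the patient sent."""
    if body.strip().upper() == "STOP":
        reg.patients[patient_id].opted_out = True
        reg.audit("opt_out", patient_id)
        return "You have been unsubscribed from text reminders."
    # The inbound text may contain PHI: do not store it, do not repeat it.
    reg.audit("inbound_redirected", patient_id, "content not stored")
    return ("We can't discuss health details by text. Please call the office "
            "or use the secure patient portal.")
```

The template check is the piece most often missing in practice: a reminder system that interpolates `{test_name}` or `{result}` into an SMS is a PHI disclosure regardless of how the rest of the platform is secured, so the allowed-field set is enforced before any message is rendered.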