HIPAA compliant text message campaigns for health and wellness reminders
Liyanda Tembani October 09, 2024
Healthcare organizations can send HIPAA compliant text message campaigns for health and wellness reminders when the messages are related to patient care, such as appointment reminders or general health tips, and do not include sensitive health information without patient authorization. Organizations must obtain proper patient consent, use secure messaging platforms with encryption, limit the use of PHI, and provide an easy opt-out mechanism to ensure compliance. When the message involves marketing or promotes third-party services, written patient authorization is required before sending.
HIPAA compliance for text messaging
HIPAA sets guidelines for how healthcare organizations handle protected health information (PHI), including in electronic communications like text messages. According to the HHS, "Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number)." When sending text messages containing PHI, organizations must safeguard this data by using secure communication platforms, obtaining patient consent, and limiting the amount of personal information included in the message.
When text message campaigns are allowed
Healthcare organizations can send text messages that support patient treatment and care coordination without needing additional patient authorization. For example, reminders about upcoming appointments, medication refills, and annual checkups are part of routine patient care. They can be sent as long as security measures are in place.
Health promotion messages, such as reminders about vaccinations, health screenings, or tips for managing chronic conditions, are also generally allowed. These messages are considered part of treatment, especially when directly related to patient care, and do not involve third-party services.
When does a wellness reminder count as marketing?
"The Privacy Rule defines 'marketing' as making 'a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.'" If a wellness reminder promotes a specific product, service, or third-party company, such as recommending a particular fitness program or dietary supplement, it qualifies as marketing. In these cases, organizations must obtain written patient authorization before sending the message.
When and why patient authorization is required
In cases where the text message could be considered marketing, patient authorization is required. This written consent must clearly state what type of messages the patient agrees to receive and how their information will be used. For example, if a wellness reminder includes a promotion for a new healthcare service or partnership with an external provider, patient authorization is required.
Organizations should have a simple, clear process for obtaining consent, either through patient intake forms or through a double opt-in process for text messaging services.
Practices for HIPAA compliant text campaigns
- Obtain proper patient consent: When sending marketing-related content, ensure patients provide written consent before they receive text messages.
- Limit PHI: Keep the content of your messages general and avoid including any sensitive health details unless necessary.
- Use secure communication: Choose a text messaging platform that is HIPAA compliant. It must offer encryption, secure storage, and audit trails to protect patient data.
- Opt-out mechanism: Patients must have an easy way to opt out of receiving messages. Include simple instructions in each message on how to stop receiving texts.
- Sign a business associate agreement (BAA): If you use a third-party service to send text messages, ensure there is a signed BAA in place.
FAQs
Can I send campaigns through regular SMS services?
No, healthcare organizations should use HIPAA compliant text messaging platforms to send campaigns, as regular SMS services do not provide the necessary encryption and security features.
Do healthcare organizations need to notify patients if a breach occurs in text message communication?
Yes, under HIPAA’s breach notification rule, organizations must inform affected patients and report the breach if PHI is exposed due to insecure messaging or other failures.
Can wellness reminders include links to external health resources?
The links should not lead to third-party services that promote products unless the patient has provided written authorization for marketing purposes. Links must also point to secure, trusted sources.