How can Providers send HIPAA Compliant Texts?
Using traditional SMS text messaging is not in violation of HIPAA when the message does not contain PHI.
HIPAA does not prohibit texting. There is no rule prohibiting healthcare providers from texting appointment reminders, missed appointment notices, etc. to patients. In fact, HIPAA does not even mention texting.
Healthcare providers must have adequate safeguards to ensure the privacy of patients’ Protected Health Information (PHI) – this is true for ALL forms of patient communications.
Autodialed or pre-recorded reminder calls or texts to wireless numbers require express consent from the patient, but the consent may be either oral or written. If pre-recorded calls or texts contain marketing information or past-due notifications, then consent must be written.
Providers may state in their privacy policies that appointment reminders, etc. may be sent by voice message or text message and may obtain consent at the time of providing the notice of privacy policies.
Follow these best practices to remain HIPAA compliant when texting patients:
- Verify patients’ contact information on each visit to assure that reminders are sent to the correct number.
- When verifying a patient’s wireless number, specifically state that it may be used for calling or texting reminders.
- Include a statement on your patient information or intake form stating that if a patient provides a wireless number, the patient agrees to its use for calling or texting reminders. Provide a box on the form for patients to check if they prefer to opt out of reminders by voice or text.
- Quickly honor all patient requests that reminders not be sent to their wireless phones.
- Use the minimal amount of information necessary in a message to minimize the risk to patient privacy if the message reaches the wrong person.