HIPAA Compliance

How can Providers send HIPAA Compliant Texts?

Using traditional SMS text messaging does not violate HIPAA when the message does not contain PHI. Standard SMS is not encrypted end to end and can be read by anyone with access to the handset, so the safe assumption is that the message body is not private.

HIPAA does not prohibit texting. There is no rule prohibiting healthcare providers from texting appointment reminders, missed appointment notices, etc. to patients. In fact, HIPAA does not even mention texting.

Healthcare providers must have adequate safeguards to ensure the privacy of patients’ Protected Health Information (PHI) – this is true for ALL forms of patient communications.

Autodialed or pre-recorded reminder calls or texts to wireless numbers require the patient's prior express consent, which may be either oral or written. If the pre-recorded calls or texts contain marketing content or past-due notifications, the consent must be written. (These consent requirements come from the TCPA and FCC rules, not from HIPAA itself, but they apply to the same reminder messages.)

Providers may state in their Notice of Privacy Practices that appointment reminders and similar notices may be sent by voice message or text message, and may obtain consent at the time the notice is provided to the patient.

Follow these best practices to remain HIPAA compliant when texting patients:

  • State in your Notice of Privacy Practices that appointment reminders, recall notices, etc. may be sent by voice message, text message or email.
  • Verify patients’ contact information at each visit to ensure that reminders are sent to the correct number.
  • When verifying a patient’s wireless number, specifically state that it may be used for calling or texting reminders.
  • Include a statement on your patient information or intake form stating that if a patient provides a wireless number, the patient agrees to its use for calling or texting reminders. Provide a box on the form for patients to check if they prefer to opt out of reminders by voice or text.
  • Promptly honor all patient requests that reminders not be sent to their wireless phones.
  • Use the minimum information necessary in a message (for example, the practice name, date and time, but not the reason for the visit or any diagnosis) so that the exposure is limited if the message reaches the wrong person.

What is HIPAA Compliant Email?

The HIPAA Privacy Rule created, for the first time, a set of national standards for safeguarding certain health information. It allows Covered Entities to disclose PHI to a Business Associate if they receive satisfactory assurances that the Business Associate will use the information only for the purposes for which it was engaged by the Covered Entity.

The HIPAA Security Rule was added to set out the safeguards that must be in place to protect electronic PHI (ePHI), which is health information that is created, received, maintained or transmitted in electronic form.

With regard to email, this means that covered entities must take reasonable steps to protect PHI on their own systems and while it is transmitted electronically, all the way to the recipient’s inbox. Ordinary email is not encrypted end to end by default, so in practice this means encrypting the message or sending PHI through a secure messaging portal rather than in plain email.

If you are using a third party to transmit or host PHI, the law requires a Business Associate Agreement (BAA) between you and that third party. The BAA obligates the Business Associate to maintain the administrative, physical and technical safeguards that the Security Rule requires. A signed BAA does not by itself make a service compliant; the service must still be configured and used in a way that actually provides those safeguards.