Introduction
Texting, by default, is NOT HIPAA-Compliant. You must have heard this plenty of times, especially if you’re in the healthcare field. You’d also be aware of the penalties that follow if you breach the HIPAA rules. As a healthcare professional, not only do you need to provide the best possible care to your patients, but you also need to ensure that all sensitive patient data is safely stored and transmitted. How do you do that? Well, here’s a complete account of the top do’s and don’ts of HIPAA-compliant messaging for you to help make informed decisions. Keep reading for some interesting insights!
What Makes Texting HIPAA-Compliant
If you want to use texting to communicate with your staff and patients, you need to be aware of the HIPAA rules regarding text messaging. Here are some crucial elements that make texting HIPAA compliant:
- End-to-end encryption: All messages need to be encrypted end to end, both in transit and at rest, so that no unauthorized party can read them.
- Business Associate Agreement: There must be a BAA signed between the covered entity and the business associate to access and handle ePHI.
- Access controls: The HIPAA rules regarding text messaging require that all physical, technical, and administrative safeguards be in place to protect ePHI from unauthorized access.
- Secure text messaging platforms: Any healthcare provider transmitting or storing sensitive patient information must make sure to use HIPAA-compliant secure text messaging platforms like Emitrr to ensure safe transmission.
- Audit trails: There must be detailed HIPAA audit logs of everyone who accessed or modified ePHI, so that unauthorized access can be detected and accountability maintained.
Now that we have discussed what elements make texting HIPAA-Compliant, it is time to understand what you can or cannot send while texting your patients and staff.
What Can & Cannot Be Considered HIPAA-Compliant While Texting
Things you can send
Assuming that you’re using a secure text messaging platform, here’s what you can send:
- Appointment reminders: You can send SMS reminders to your patients with very generic details. You can remind them over SMS about their appointment, without disclosing any details about their diagnosis or treatment. Check out a few templates here – HIPAA-Compliant SMS templates
- Appointment confirmations: As per HIPAA regulations, when a patient books an appointment, you can send them a message saying that their appointment has been confirmed. Make sure to disclose no treatment-specific information over SMS while sending appointment confirmation texts.
- Holiday greetings: Sending out birthday or holiday greetings is completely fine. Just make sure that your messages meet the opt-in requirements.
- General updates: If you need to communicate any information regarding changes in your operating hours or send out emergency alerts, you can text your patients. Ensure that these messages do not include any patient information.
- Educational information: If you want to educate your patients in general about certain best practices, you can do that. All you need to ensure is that it is not connected to any particular condition.
- Review requests: Once a patient’s treatment is done, you can send out SMS review requests to them to get their feedback.
Things you cannot send
Here are some things you cannot send, irrespective of whether you’re using HIPAA-compliant software or not:
- Specific treatment plans: As per HIPAA regulations, you cannot send any information related to a patient’s course of treatment, as it can land you in trouble. If you want to discuss the plans with the patient or their caregivers, it is best to do so in person.
- Insurance information: Any information related to insurance is prone to unauthorized access and hence shouldn’t be shared over SMS.
- Detailed information about mental health diagnosis: Any details about the diagnosis and treatment of mental health of a patient shouldn’t be discussed over text.
- Information on lab results: Lab results are again very sensitive PHI and should be handed over and discussed with patients in person.
- Social security numbers: Sharing such a highly sensitive piece of information falls directly under non-compliance and can attract an audit and heavy penalties. Avoid transmitting such information over SMS and adhere to HIPAA regulations.
- Basic patient details: Do not share patient details like their address and contact number over text, to prevent unauthorized access.
- Medical history: Any patient’s medical history is a highly sensitive piece of information. Make sure not to share or disclose it via text.
- Medication details: Medication refill reminders can be sent via SMS, but only without disclosing specific medication details.
- Notes on patient diagnosis and progress: Do not send any details on patient diagnosis or progress notes via SMS.
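The two lists above amount to an allow/deny policy for outbound messages. The following is an added example, not code from the original post or from Emitrr, of a pre-send check that flags the identifiers and topics the post says must stay out of SMS; the regular expressions and sample drafts are constructed for illustration and are not an exhaustive PHI vocabulary.

```python
import re

# Identifiers and topics the post says must never go out over SMS.
# Patterns are constructed for this example and are illustrative only.
_BLOCKED = {
    "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
    "street_address": r"\b\d{1,5} [A-Za-z]+ (?:St|Street|Ave|Avenue|Rd|Road)\b",
    "diagnosis": r"\bdiagnos(?:is|ed)\b",
    "lab_results": r"\b(?:lab|test) results?\b|\bA1C\b",
    "treatment_plan": r"\btreatment plan\b|\bchemotherapy\b",
    "insurance": r"\binsurance\b|\bpolicy number\b",
    "mental_health": r"\bdepression\b|\banxiety\b|\btherapy session\b",
    "medication_dose": r"\b\d+\s?mg\b",
}
_COMPILED = {label: re.compile(pat, re.IGNORECASE) for label, pat in _BLOCKED.items()}


def check_outbound_sms(text: str) -> list[str]:
    """Return the labels of blocked content found in a draft (empty list = sendable)."""
    return [label for label, pat in _COMPILED.items() if pat.search(text)]


def is_sendable(text: str) -> bool:
    """True only when the draft carries none of the blocked identifiers or topics."""
    return not check_outbound_sms(text)


# Constructed sample drafts covering the "can send" and "cannot send" categories.
SAMPLE_DRAFTS = {
    "reminder": "Hi, this is a reminder of your appointment on Tuesday at 10 AM. Reply C to confirm.",
    "refill": "Your prescription refill is ready for pickup. Reply STOP to opt out.",
    "lab": "Your lab results are in: A1C 7.2. Please call us.",
    "ssn": "Please confirm your SSN 123-45-6789 before your visit.",
    "plan": "Your treatment plan starts chemotherapy next week, 50 mg daily.",
}

if __name__ == "__main__":
    for name, draft in SAMPLE_DRAFTS.items():
        print(name, "OK" if is_sendable(draft) else check_outbound_sms(draft))
```

The generic reminder and refill drafts pass, while the lab, SSN and treatment-plan drafts are blocked with the category that triggered the rejection, which is what an audit log entry for a refused send should record.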
Having discussed what’s HIPAA-compliant and what’s not, let’s now move on to the do’s and don’ts of HIPAA-compliant messaging.
Do’s of HIPAA-Compliant Text Messaging
Use a HIPAA-compliant texting platform
If you want to communicate with your patients securely, sign up with a HIPAA-compliant secure messaging platform. Emitrr is a popular HIPAA-compliant messaging service that follows the minimum necessary rule of HIPAA, ensuring only essential information is shared while keeping patient data secure and automating communication seamlessly.
Obtain patient consent
Always get informed and written patient consent before you start communicating with your patients.
Train your staff
Train your staff on the HIPAA rules, violations, and penalties thoroughly so that they can send text messages in a compliant manner. Share HIPAA compliance examples with them so that they know what minimum necessary rule of HIPAA they need to follow.
Always use secure links
If you need to communicate any detailed or urgent information, make sure to do so through secure links in accordance with HIPAA guidelines to protect patient data and maintain compliance.
Have a clear HIPAA texting policy in place
Make sure to establish clear HIPAA texting policies within your organization regarding what kind of information can or cannot be shared via SMS, following the minimum necessary rule of HIPAA to ensure only essential patient details are disclosed.
Don’ts of HIPAA-Compliant Text Messaging
Do not use insecure platforms
Do not use generic texting platforms for messaging patients. Any platform that doesn’t provide encryption shouldn’t be used as a messaging tool. According to HIPAA guidelines, using unsecured platforms can lead to severe penalties and even legal action.
Do not leave your phone or texting device unlocked
Sensitive PHI shouldn’t be stored or transmitted through mobile devices. If you are sending messages through your mobile device, make sure that you are sending that through a secure app for text messaging and don’t leave your phone unattended or unlocked.
Do not include sensitive information in texts
Any information that you want to communicate should be as basic as possible. Encourage your patients to discuss important details like diagnosis, treatment plans, and insurance details with you in person.
Do not share documents without encryption
Ideally, you shouldn’t share documents over SMS. Even if you do, make sure that the documents are password-protected and do not contain any private information about the patient, in line with HIPAA guidelines for safeguarding Protected Health Information (PHI).
Do not skip regular risk assessments
Risk assessments are a great practice to undertake if you have to deal with ePHI on a regular basis. Such assessments will ensure compliance and help you avoid legal action and penalties.

Frequently Asked Questions
What are the HIPAA rules regarding texting patients?
A few HIPAA rules regarding text messaging patients include:
1. Limit access to PHI in text messages; share access only with authorized personnel.
2. Make sure that each person has unique login credentials to access PHI.
3. Activate automatic logoff after a certain period of inactivity.
How do you make texting HIPAA-compliant?
1. Choose HIPAA-compliant texting software like Emitrr
2. Sign a Business Associate Agreement
3. Do not send messages to patients without their explicit consent
4. Have all documents password protected
5. Have regular risk assessments to stay compliant
6. Train your employees about HIPAA compliance
7. Keep detailed audit logs about information storage and transmission
8. Follow the HIPAA minimum necessary rule while sending messages
What are common HIPAA violations?
1. Not implementing the required administrative, physical, and technical safeguards to protect patient information
2. Mistakenly sending patient information to the wrong recipients
3. Not conducting regular risk assessments
4. Not having BAAs in place with third-party vendors
5. Not training employees on HIPAA procedures and policies
What are the consequences of a HIPAA violation?
1. Your organization might be required to take corrective actions, depending on the degree of the violation
2. For severe violations, you might face hefty fines and even jail time
3. If you constantly violate HIPAA laws, you might lose your medical license
Conclusion
All in all, if you’re a healthcare provider, HIPAA is something that you need to take very seriously. The aforementioned do’s and don’ts will help you stay compliant with HIPAA rules and regulations. If you’re looking forward to communicating with your patients over text and are looking for a HIPAA-compliant platform, then Emitrr is what you need. Book a demo to see how it fits your use case.
Note: This blog is only for informational purposes.