HIPAA compliant text messaging - A complete guide

Introduction

Communication in healthcare has evolved considerably over the years, with texting becoming the preferred mode of communication for patients and providers alike. Texting is convenient, affordable, has better reach, and is immediate, which is why it is the first choice for 95% of Americans. While texting has its share of benefits, it also brings challenges around sharing, disclosing, and protecting information. When dealing with sensitive patient information, providers need to be extra careful to ensure that they do not violate the HIPAA guidelines.

With systems and processes increasingly digital, HIPAA-compliant texting has become the need of the hour for all healthcare professionals and organisations. Protecting the rights of patients and safeguarding their personal information is as important as delivering exceptional care. Any negligence on that front not only attracts legal trouble but also breaks the trust between you and your patients.

In this article, we will talk about everything you need to know about HIPAA-compliant texting, including its importance, use cases, rules, and best practices.

What is HIPAA-compliant texting?

HIPAA-compliant texting is the secure exchange of text messages in accordance with the HIPAA rules, which are in place to safeguard protected health information (PHI) transmitted via text.

Texting by its nature is not HIPAA compliant, which is why secure texting in accordance with the HIPAA rules is needed to make it compliant. A major facet of HIPAA-compliant texting is end-to-end encryption. HIPAA-compliant texting apps use secure texting links to ensure end-to-end encryption.

What Does It Mean To Be HIPAA Compliant?

The term HIPAA stands for Health Insurance Portability and Accountability Act of 1996. This act outlines the federal rules and regulations pertaining to the way organisations must use and disclose Protected Health Information.

These HIPAA standards are regulated by the Department of Health and Human Services and enforced by the Office for Civil Rights (OCR).

To be HIPAA compliant means that both Covered Entities and Business Associates must adhere to the HIPAA guidelines; particularly the administrative, technical, and physical safeguards. 

HIPAA Rules: A brief overview

HIPAA outlines three rules related to PHI: 

#1: The HIPAA Privacy Rule: This rule establishes standards for protecting the patient’s sensitive health information. It requires the implementation of appropriate safeguards and conditions for the use and disclosure of PHI (for example, obtaining explicit patient consent). It also outlines the patients’ rights to review their health records and to request corrections.

#2: The HIPAA Security Rule: This rule outlines the national standards for protecting the patient’s ePHI that is obtained and used by a Covered Entity. It sets comprehensive and scalable standards for safeguarding ePHI which are as follows: 

  • Administrative safeguards: Developing policies and procedures for security standards, training, access management, and contingency plans. 
  • Technical safeguards: Automated processes such as audit controls, access control, authentication controls, and encryption/decryption to protect ePHI. 
  • Physical safeguards: Having mechanisms in place to protect electronic systems, equipment, and buildings, from any threats.  

#3: The Breach Notification Rule: This rule requires both Covered Entities and Business Associates to send notifications following a breach of PHI. A breach is any unauthorized acquisition, use, or disclosure of PHI.

Who needs to be covered under HIPAA? 

There are two parties involved in HIPAA: the Covered Entities and Business Associates. Before we move any further, let’s understand what each of these terms means. 

Covered Entity (CE): A covered entity is any party that is involved in electronically transmitting health information of patients for transactional purposes such as insurance coverage and billing services. A covered entity could be a person, an institution, or an organization. Here are some examples of covered entities:

  • Healthcare providers 
  • Healthcare organizations
  • Healthcare clearinghouses 
  • Health insurance companies 

Business Associate (BA): A Business Associate is a person or an entity who manages the transmission and disclosure of PHI or ePHI on behalf of the covered entity, in compliance with the HIPAA rules and regulations. A HIPAA-Compliant texting app like Emitrr is an example of a Business Associate. 

For the safe transmission of ePHI between the CE and the BA, both parties need to sign a Business Associate Agreement (BAA) that outlines the responsibilities of each party with respect to handling PHI.

HIPAA requires Covered Entities to work only with Business Associates that ensure the protection of health information. Here is an example of a BAA: https://www.hhs.gov/sites/default/files/model-business-associate-agreement.pdf

Why Should You Care About HIPAA Compliance?

Before we talk about compliance, let’s first address the importance of texting as a communication medium.

Sending out text messages is a common practice among healthcare providers. It enables continuous connectivity and engagement between healthcare providers and their patients.

The growing preferences of customers have made businesses (healthcare providers and practices in particular) rise to the occasion and curate communication and engagement strategies around text messaging.

They’ve implemented text messaging into their strategies and have seen the following results:

  • More effective doctor-patient communication
  • Fewer no-shows and cancellations
  • Reduced costs
  • High open and response rates
  • Lower call volume
  • Improved patient engagement and experience
  • Better patient outcomes
  • A stronger connection at every step of the patient journey

Right from booking appointments to accessing records, from sending medication reminders to making payments, texting has become a preferred and convenient form of communication.

A major reason for this shift can be attributed to the Coronavirus pandemic, which led to 80% more text conversations than before, thereby leading to more focus on patient-centred care.

While an average phone call lasted about 8 minutes, a text message could be sent within seconds. In the race of texting vs calling, texting wins. 

Though there were other forms of communication, such as patient portals, EHRs, and emails, text messages were still preferred because of their speed, ease of use, and simplicity.

Here’s a comparison between texting and other forms of communication such as calling, patient portals, and emails, to help you understand why texting outshines the rest:

Text messaging platforms vs patient portals

Basis of difference | Patient portals | Text messaging platform
Security | A secure platform to share and store sensitive patient information | Isn’t HIPAA-compliant by default, but can be made compliant by using a HIPAA-compliant texting app
Ease of communication | Difficult to communicate | Easy communication
Ease of use | Difficult to use, especially for non-tech-savvy people | Easy to use for everyone
Use cases | Receiving lab results; renewing prescription medications; accessing medical records | Automated reminders; group texting; patient surveys; patient recall; digital patient intake
Login | Extensive login | Minimal and easy login

Text messaging platforms vs phones

Basis of difference | Phones | Text messaging platform
Managing communications | Can communicate with one patient at a time | Can manage multiple conversations at a time
Ease of communication | Difficult to communicate in case of disruptions | Easy communication
Ease of use | Good for detailed conversations | Good for instant communication
Availability | Calls can get missed | All messages can be responded to
Compliance | Compliance depends on the nature of the call and on the patient having given their consent | HIPAA-compliant (depends on platform)

Text messaging platforms vs emails

Basis of difference | Email | Text messaging platform
Open rate | 5% | 95%
Response rate | 10% | 45%
Ease of communication | Difficult to communicate due to low response rate | Quick and easy communication
Ease of use | Good for detailed conversations | Good for instant communication
Connectivity | Needs internet connectivity | Can communicate anywhere, anytime with cell phone reception
Compliance | Not HIPAA compliant | HIPAA-compliant (depends on platform)

What Happens When You Don’t Meet HIPAA Compliance?

Once you know which messages count as HIPAA-compliant and which do not, you can make sure that the texts you send don’t violate the HIPAA guidelines. If they do, you’ll be on the radar of HHS and will be fined according to the degree of non-compliance. As per the HIPAA Journal, there are four penalty tiers that define the level of violation and the associated penalties. Here’s a glimpse:

 

Penalty tier | Level of violation | Minimum penalty | Maximum penalty
Tier 1 | Lack of knowledge | $127 | $63,973
Tier 2 | Reasonable cause | $1,280 | $63,973
Tier 3 | Willful neglect | $12,794 | $63,973
Tier 4 | Willful neglect not corrected within 30 days | $63,973 | $1,919,173

Did you know?

In the year 2019, American Medical Collection Agency (AMCA) failed to comply with HIPAA regulations and couldn’t protect the sensitive healthcare information of its patients. The deficiencies in information security led to a data breach, which exposed the personal health information of about 20 million individuals. The breach invited an extensive investigation and made the organisation liable for $21 million as a penalty. 

To keep a safe distance from the penalties due to non-compliance, you need to enforce HIPAA texting. As a healthcare provider, it is your duty to protect sensitive PHI from any unauthorised access and implement the required safeguards to keep it secure.

If you don’t keep the data secure and don’t safeguard sensitive patient information, you are exposing that information to a data breach. We all know what happens in the case of a data breach and the consequences that follow.

Examples Of HIPAA-Compliant vs NON-HIPAA-Compliant Text Messages

Here’s a table that distinguishes messages categorised as HIPAA compliant from those that are not HIPAA compliant:

 

Type of message | Not HIPAA-compliant | HIPAA-compliant
Appointment reminders | “Hey David, this is a reminder for your dental cleaning scheduled for tomorrow at 2 pm with Dr. Smith. – Team Smile.” | “Hey, this is a reminder for your appointment scheduled for tomorrow 2 pm with Dr. Smith. – Team Smile.”
Appointment confirmation | “Hey Maria, you have an appointment scheduled with Dr. Ken at 2 pm today. Please type C to confirm.” | “Hey, you have an appointment today at 2 pm with Dr. Ken. Please type C to confirm.”
Updates regarding test results | “Hey Karen, your test results are ready! Please click on this link to access them – <link>.” | “Hey, your test results are ready! Please login to your patient portal to access them.”
Requesting insurance information | “Hey Liam, we need you to send us your insurance details. Can you please share the name of the insurance provider and your SSN?” | “Hey, we require your insurance details. Please login to your patient portal and enter the required information.”
Payment reminder | “Hey Chris, this is a reminder that your payment of $24.55 is due. Please click on this link to make the payment.” | “Hey, this is a reminder that your payment is due. Please call the clinic to settle the same.”
Requesting a review | “Hey Harry, we hope you had a positive experience with us. Please leave a review by clicking on this link.” | “Hey, we hope you had a positive experience with us. Please leave us a review here- <link>.”
Prescription reminder | “Hey Mike, this is a reminder that your Insulin prescription is due for a refill. Please contact the office for the same.” | “Hey, this is a reminder that your prescription is due for a refill. Please contact the office for the same.”

The messages in the first column are not HIPAA compliant due to the following reasons: 

  • All messages contain the first names of the patients 
  • The reminder message includes the exact name of the treatment that the patient is set to undertake, which is not necessary
  • The message for the test results is okay but it also includes the link for the patient to access the results. Such sensitive information shouldn’t be accessible by a link sent via text
  • The insurance information is being asked via text, which makes it non-HIPAA-compliant 
  • The review request also contains the name of the patient, which is not necessary 

Templates For HIPAA-Compliant Texting

Here are some ready-to-use templates for communicating seamlessly with your patients.

HIPAA-Compliant texting template for appointment reminder 

Hey, this is a gentle reminder for your appointment with Dr. Ryan, which is scheduled for tomorrow at 2 pm. Please arrive 15 minutes before your appointment. Please reply C to cancel your appointment. – Team ABC

HIPAA-Compliant texting template for appointment confirmation

Hey, you have an appointment scheduled for 26th March, 2023 with Dr. Josh at 2 pm. Please type C to confirm and R to schedule the appointment. – Team XYZ 

HIPAA-Compliant texting template for Prescription refill reminder

Hey, this is a reminder that your medication is due for a refill. Please contact the front desk for the same. – Team ABC 

HIPAA-Compliant texting template for Payment reminder 

Hey, this is a reminder that your payment is due. Please contact the office for the same. – Team XYZ 

HIPAA-Compliant texting template for Informing about test results 

Hey, your test results are ready! Please click on this secure link to view them. – Team ABC 

HIPAA-Compliant texting template for asking insurance information 

Hey, we need your insurance details. Please login to your patient portal and update the same. – Team XYZ 

HIPAA-Compliant texting template for patient recall

Hey, you are due for an annual health checkup in two weeks. Please reply to this message if you wish to schedule an appointment. – Team ABC 

HIPAA-Compliant texting template for filling out an online form

Hey, before we proceed with the diagnosis and treatment, we’d like you to fill out an online patient intake form to understand your health condition and provide the best possible care. Please click on this link to access the form: <link>. – Team XYZ 

HIPAA-Compliant texting template for follow-up 

Hey, this is a follow-up message to your recent visit. If you are facing any complications or require further care, please type YES. – Team ABC 

HIPAA-Compliant texting template for announcement 

Hey, in accordance with the Ministry of Health, we are required to conduct a COVID-19 screening of all patients before their visit. Please bring your vaccination reports along when you visit. – Team XYZ

HIPAA-Compliant texting template for requesting patient feedback 

Hey, we hope you had a good experience with us. We’d love to hear about it. Please leave us a review by clicking on this link: <link> – Team ABC 

HIPAA-Compliant texting template for communicating with staff 

Hey team, the meeting scheduled for tomorrow at 4 pm has been postponed to 6 pm. Please acknowledge the message. 

What Information Can You Share?

Here’s what you can share:

  • Vague appointment reminders/confirmations that only mention the date and time of the appointment
  • Messages that only inform the patients that their test results are ready
  • Text messages that don’t contain the exact details of the patient’s current or past conditions
  • Any messages that don’t include the details of the treatment plans

Here’s what you can’t share:

  • Messages containing the name, address, or contact details of the patient
  • Any information related to their insurance provider, SSN
  • Any specific payment details such as the payment amount or links
  • Any details pertaining to the treatment that the patient is supposed to undergo
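The content rules behind the compliant/non-compliant table above and the "what you can and can't share" lists can be enforced mechanically before a template is ever sent. The following is an added example, not code from the original article or from any texting vendor: a small lint pass whose rule names, treatment vocabulary, and sample messages are constructed here from the article's own examples.

```python
import re

# Added example (not from the original article): a lint pass that applies the
# article's content rules to outbound SMS templates before they are sent.
# Rule names and the treatment vocabulary are constructed for this example;
# a real deployment would maintain its own vocabulary from its formulary and
# procedure list.

# Treatment and medication terms. Constructed from the article's samples plus
# two placeholder entries.
TREATMENT_TERMS = ("dental cleaning", "insulin", "root canal", "chemotherapy")

# Verbs that turn a mention of insurance into a request to send it by text.
REQUEST_VERBS = re.compile(r"\b(share|send us|reply with|text us)\b")


def _has_patient_name(raw: str) -> bool:
    """Greeting followed by a capitalised given name, e.g. "Hey David,".
    "Hey," (no name) and "Hey team," (lower-case word) do not match."""
    return re.match(r"^\s*(?:Hey|Hi|Hello|Dear)\s+[A-Z][a-z]+\s*[,!]", raw) is not None


def _mentions_treatment(low: str) -> bool:
    return any(term in low for term in TREATMENT_TERMS)


def _results_with_link(low: str) -> bool:
    # Saying results are ready is fine; linking to them from the text is not.
    return "result" in low and ("link" in low or "http" in low)


def _requests_insurance_or_ssn(low: str) -> bool:
    if re.search(r"\bssn\b|social security", low):
        return True
    # "Insurance" alone is fine when the patient is sent to the portal.
    return "insurance" in low and REQUEST_VERBS.search(low) is not None


def _payment_details(low: str) -> bool:
    # An amount or a payment link in the text; a bare "payment is due" is fine.
    return "payment" in low and (
        re.search(r"\$\s?\d", low) is not None or "link" in low or "http" in low
    )


# (rule name, predicate). Predicates get the raw text and a lower-cased copy.
RULES = [
    ("patient-name", lambda raw, low: _has_patient_name(raw)),
    ("treatment-detail", lambda raw, low: _mentions_treatment(low)),
    ("results-link", lambda raw, low: _results_with_link(low)),
    ("insurance-ssn", lambda raw, low: _requests_insurance_or_ssn(low)),
    ("payment-detail", lambda raw, low: _payment_details(low)),
]


def check_message(text: str) -> list:
    """Return the names of every rule the message violates (empty if clean)."""
    low = text.lower()
    return [name for name, pred in RULES if pred(text, low)]


def is_compliant(text: str) -> bool:
    return not check_message(text)


def audit(messages) -> dict:
    """Map each label of a (label, text) sequence to its violations. Clean
    messages are omitted, so the result is exactly the set needing rework."""
    report = {}
    for label, text in messages:
        hits = check_message(text)
        if hits:
            report[label] = hits
    return report


# Constructed sample set: the article's own non-compliant/compliant pairs.
SAMPLE_MESSAGES = [
    ("reminder-bad", "Hey David, this is a reminder for your dental cleaning scheduled for tomorrow at 2 pm with Dr. Smith. – Team Smile."),
    ("reminder-ok", "Hey, this is a reminder for your appointment scheduled for tomorrow 2 pm with Dr. Smith. – Team Smile."),
    ("results-bad", "Hey Karen, your test results are ready! Please click on this link to access them – <link>."),
    ("results-ok", "Hey, your test results are ready! Please login to your patient portal to access them."),
    ("insurance-bad", "Hey Liam, we need you to send us your insurance details. Can you please share the name of the insurance provider and your SSN?"),
    ("insurance-ok", "Hey, we require your insurance details. Please login to your patient portal and enter the required information."),
    ("payment-bad", "Hey Chris, this is a reminder that your payment of $24.55 is due. Please click on this link to make the payment."),
    ("payment-ok", "Hey, this is a reminder that your payment is due. Please call the clinic to settle the same."),
    ("staff-ok", "Hey team, the meeting scheduled for tomorrow at 4 pm has been postponed to 6 pm. Please acknowledge the message."),
]

if __name__ == "__main__":
    for label, hits in audit(SAMPLE_MESSAGES).items():
        print(f"{label}: {', '.join(hits)}")
```

Note that the article's own test-results template further down ("click on this secure link to view them") would be flagged by the results-link rule, which follows the reason the article gives for the table; relax that rule only if your platform delivers results exclusively behind an authenticated portal link.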

Use Cases Of HIPAA-Compliant Texting

Now that you have acquired a comprehensive understanding of HIPAA-Compliant texting, it is time to see how different healthcare providers can use it to their advantage. 

HIPAA-Compliant texting for therapists 

Here’s how Therapists can use HIPAA-Compliant texting: 

  • To send appointment reminders and rescheduling options, thereby streamlining appointment management
  • To engage in secure communication on sensitive topics, medications, and other therapy-related plans 
  • To offer unwavering support between sessions to ensure better therapeutic outcomes
  • To address and resolve issues in the case of emergencies 
  • To send confidential resources and assignments 
  • To track the client’s progress and make changes as required
  • To get billing and insurance-related information
  • To collect patient feedback for continuous improvement in services 
  • To collaborate with other teams for delivering exceptional care 

HIPAA-Compliant texting for dentists/doctors 

Here’s how dental professionals and doctors use HIPAA-Compliant texting: 

  • To send appointment reminders and confirmations 
  • To send HIPAA-compliant forms via text message
  • To discuss treatment plans and recommendations with the patients 
  • To send detailed preoperative and postoperative instructions to the patients 
  • To share radiology tests and prescription refill reminders with patients
  • To offer virtual consultation (telehealth) in the case of emergencies 
  • To track progress and provide follow-up care to the patients 
  • To gather information related to billing and insurance 

HIPAA-compliant texting for veterinarians

Here’s how HIPAA-compliant texting can be used for veterinary-client communication:

  • To send appointment reminder, confirmation, and scheduling messages 
  • To share laboratory test results and other important diagnostic information
  • To share medication prescription information and related information
  • To provide instructions for pre and post-surgical care 
  • To offer remote consultations in case a physical visit isn’t possible 
  • To offer behavioural support to the pet parents 
  • To share medical records and vaccination history 
  • To support pet parents through end-of-life care
  • To request feedback 
  • To offer support during emergencies 

Best Practices To Ensure HIPAA-Compliant Texting

Get the explicit consent of patients 

Before you start engaging with your patients through text messages, you must have the written consent of the patient.  

For instance, if you wish to gather feedback from your patient or send out a survey to them, let them have the option to opt-in or opt-out of such communications.  

Limit information sharing 

By limiting the information shared over text, you reduce the risk of PHI falling into the wrong hands. Text messages sent for the following purposes pose no risk:

  • Appointment booking 
  • Appointment reminders
  • Registration guidelines
  • Test result notification
  • Routine healthcare guidelines
  • Pre and post-operation directives

Actively monitor activity 

A HIPAA audit requires systems to provide timely evidence and records of PHI-sharing activity. HIPAA-compliant text platforms automatically document user management along with authentication and messaging information. Use a secure texting platform that keeps a record of all messages for future audits.

Set access control 

While sending HIPAA-compliant text messages, you must warn your patients about the risks of unauthorised disclosure of Protected Health Information (PHI).  

On another note, as a responsible healthcare provider you must also implement access control to limit access exclusively to authorised users. The HIPAA Security Rule requires the following access control provisions:

  • Exclusive user ID 

The professionals accessing a system with PHI should have unique user IDs with their individual names or numbers. All the platforms including text messaging platforms should be accessed through these unique user IDs to avoid information misuse and data breaches.  

  • Encrypted messaging 

The text messaging must have end-to-end encryption to protect PHI and prevent unauthorized access, especially in case of loss of the device. 

  • Auto log-off 

Platforms working with PHI must have an auto log-off option post inactivity of the user for a particular time duration. This ensures the security of the information and avoids unauthorized data tampering.

  • Have an SOP for emergencies 

Platforms working with PHI must have a documented procedure for obtaining necessary PHI during an emergency, such as a system outage, so that care is not delayed while every access remains accounted for.

  • Multi-factor authentication

Make sure that the platform makes users confirm their identities before accessing the platform. This means that the users would have to enter more than just a password to access the platform. Such a level of authentication will ensure added security. 

Use authentication procedures 

Patients’ confidential information should always stay in the right hands. To ensure this, implement a multi-factor authentication (MFA) procedure for sending text messages containing PHI. MFA provides another layer of security and keeps the information safe. 

Delete data 

Ensure that you can delete data remotely, so that patient information on a lost or stolen device is not left open to unauthorized access.

Sign a BAA 

The third-party vendors working with your healthcare organization may get access to PHI. These third-party vendors are also known as business associates. Make sure to sign a BAA with your HIPAA-compliant texting provider. 

Let patients know the risk of sharing information via text 

Before engaging in text messaging with your patients, make sure to familiarize them with the risks associated with sharing information via text, such as interception during transit, lost or stolen device, or unauthorized access. 

To combat all these challenges you can use a HIPAA-compliant texting app that offers secure text messaging as an added feature. Check out how Emitrr’s secure texting feature can help keep all conversations secure here: https://emitrr.com/blog/secure-text-messaging/ 

Keep the conversation history  

Let’s say one of your patients was due for an annual checkup for a chronic condition and you sent them a reminder for the same. For some reason, your patient didn’t pay attention to the reminder and decided not to visit you. 

After some time, their health deteriorated as a result of negligence and they filed a case against you claiming that you didn’t send them the notification for the due checkup. That is when you can pull out the conversation history of this patient and save yourself. Make sure to document such conversations in case an audit takes place. 

Train your employees

Just as it is important to familiarize your patients with secure PHI sharing, it is also crucial to train your employees accordingly to avoid any HIPAA violation.

Tell your employees about the HIPAA rules in detail and help them understand how messaging can be made HIPAA-compliant. This way you’ll be able to ensure end-to-end compliance and avoid any penalties or legal action. 

Use a HIPAA-compliant texting app 

To efficiently follow the aforementioned best practices for secure PHI sharing, having a HIPAA-compliant texting app is the best investment you can make. 

Choose a HIPAA-compliant texting app that offers advanced texting capabilities and user and access controls, is HIPAA, HITECH, and TCPA compliant, and provides real-time alerts, responsive support, message lifespan controls, and interoperability as key features.

Compare the top 15 HIPAA-Compliant Apps in 2023 here:

Alternative | Price range | Value for money | Features | Ease of use | Support
Emitrr | $30-$299 | 4.9/5.0 | 14/14 | 4.8/5.0 | 5.0/5.0
Weave | $399 + $750 setup fee + $100 for reviews | 3.9/5.0 | 11/14 | 4.3/5.0 | 3.5/5.0
Klara | $250 | 4.2/5.0 | 10/14 | 4.5/5.0 | 4.3/5.0
NexHealth | $350 | 5.0/5.0 | 08/14 | 4.8/5.0 | 4.8/5.0
Solutionreach | $299 + $399 setup fee + $100 for reviews | 3.6/5.0 | 10/14 | 4.0/5.0 | 3.6/5.0
PatientPop | $700-$900 | 3.8/5.0 | 09/14 | 4.2/5.0 | 4.0/5.0
RevenueWell | $339 | 4.4/5.0 | 08/14 | 4.7/5.0 | 4.7/5.0
Rocket Chat | Starts at $35 per month | 4.5/5.0 | 09/14 | 4.3/5.0 | 4.1/5.0
OhMD | Starts at $200 per month | 4.5/5.0 | 08/14 | NA | NA
TigerConnect | NA* | 4.5/5.0 | 09/14 | 4.8/5.0 | 4.5/5.0
MessageDesk | $14-$129 per user per month | 4.8/5.0 | 07/14 | 4.7/5.0 | 5.0/5.0
Textline | $59-$249 | 4.7/5.0 | 09/14 | 4.8/5.0 | 5.0/5.0
SimpleTexting | $29 per month for 500 messages | 4.5/5.0 | 10/14 | 4.7/5.0 | 4.8/5.0
Luma Health | NA* | 4.5/5.0 | 11/14 | 4.7/5.0 | 4.7/5.0
ProviderTech | NA* | 4.5/5.0 | 10/14 | NA | NA

For a detailed analysis, check this out: https://emitrr.com/blog/hipaa-compliant-texting-app/  

How to choose the right HIPAA-compliant texting app?

Having seen how much of a difference compliance makes in the healthcare industry, it is vital to assess the right application for your organization. By now we know that the application must be compliant, but beyond that there are some key features to consider too.

Here’s a list of features that might help you in making the right choice:

  • Real-time encryption
  • Ability to communicate from multiple devices
  • Provision of enterprise web access
  • Remote data deletion
  • Access controls
  • Activity tracking 

These features not just guarantee the protection of PHI, but also enhance overall productivity and help healthcare providers to focus on patient care.

Choosing the right HIPAA-compliant texting app benefits the organization and raises the standards of healthcare, by improving overall patient experience. 


Frequently Asked Questions

Can I share PHI with my colleagues?

Answer 

If you’re using a HIPAA-compliant texting app, then you can use it for both internal as well as external communication. Internally, you can share PHI with your colleagues. However, make sure to send only the most relevant information to your colleagues.  

Can I share PHI with the family members of the patient?

Answer 

Yes, you can share PHI with the family members of the patient. However, you need to first take the patient’s consent, verify the identity of the patient, use secure communication channels, share limited information, use general identifiers, maintain a record of the communication, and most importantly follow the HIPAA guidelines. 

If I delete a text message immediately after sending it, would that still count as a HIPAA violation?

Answer 

If you’re using a HIPAA-compliant app, then there won’t be any violation. However, if you’re not using a secure application, there could be a violation, because the message will be stored on the service provider’s servers indefinitely. This poses a risk of individually identifiable health information being exposed.

Can I share PHI with my staff members if I use a secure texting app?

Answer 

Yes, you can share PHI with your staff members if you’re using a secure texting app. However, make sure to send only limited information and get the consent of the patient before sharing any information. 

Conclusion

Doctor-patient relationships are built on the foundation of trust and hence it is important for you as a professional to strengthen that trust. This includes keeping sensitive PHI secure and protected from any malicious access or intent. In a world where data is supreme, there are obstacles in the form of breaches that follow; and to keep such breaches at bay, you must take all the possible measures to keep PHI safe and secure.

HIPAA-compliant texting is the way forward if you want to offer the best possible care to your patients, while also ensuring that their PHI doesn’t get into the hands of unauthorised individuals. Invest in a HIPAA-compliant texting app like Emitrr to enhance patient engagement and experience. Book a demo to see what Emitrr has in store for you. 
