Table of Contents:
- What does it mean to be HIPAA-Compliant?
- Why should you care about HIPAA Compliance?
- What happens when you don’t meet HIPAA compliance?
- Examples of HIPAA-compliant vs NON-HIPAA-COMPLIANT Text messages
- Templates for HIPAA-Compliant Texting
- What information can you share?
- Use cases of HIPAA-Compliant texting
- Best practices to ensure HIPAA-Compliant texting
- Frequently Asked Questions
Communication in healthcare has witnessed quite an evolution over the years, with texting becoming the most preferred mode of communication for patients and providers alike. Texting is convenient, affordable, has better reach, and is immediate, which is why it is the first choice for 95% of Americans. While texting does have its share of benefits, it also brings along some challenges pertaining to sharing, disclosing, and protecting information. When dealing with sensitive patient information, providers need to be extra careful to ensure that they do not violate the HIPAA guidelines.
Due to the digitally inclined systems and processes, HIPAA-compliant texting has become the need of the hour for all healthcare professionals and organisations. Protecting the rights of the patients and safeguarding their personal information is as important as delivering exceptional care. Any negligence on that front not just attracts legal troubles but also breaks the trust between you and your patients.
In this article, we will talk about everything you need to know about HIPAA-compliant texting, including its importance, use cases, rules, and best practices.
What Does It Mean To Be HIPAA Compliant?
The term HIPAA stands for Health Insurance Portability and Accountability Act of 1996. This act outlines the federal rules and regulations pertaining to the way organisations must use and disclose Protected Health Information.
These HIPAA standards are regulated by the Department of Health and Human Services and enforced by the Office for Civil Rights (OCR).
To be HIPAA compliant means that both Covered Entities and Business Associates must adhere to the HIPAA guidelines; particularly the administrative, technical, and physical safeguards.
HIPAA Rules: A brief overview
HIPAA outlines three rules related to PHI:
#1: The HIPAA Privacy Rule: This rule establishes standards for protecting the patient’s sensitive health information. It requires the implementation of appropriate safeguards and conditions for the use and disclosure of PHI (for example, obtaining explicit patient consent). It also outlines the patients’ rights to review their health records and suggest corrections, if any.
#2: The HIPAA Security Rule: This rule outlines the national standards for protecting the patient’s ePHI that is obtained and used by a Covered Entity. It sets comprehensive and scalable standards for safeguarding ePHI which are as follows:
- Administrative safeguards: Developing policies and procedures for security standards, training, access management, and contingency plans.
- Technical safeguards: Automated processes such as audit controls, access control, authentication controls, and encryption/decryption to protect ePHI.
- Physical safeguards: Having mechanisms in place to protect electronic systems, equipment, and buildings, from any threats.
#3: The Breach Notification Rule: This rule requires that both Covered Entities and Business Associates send notifications as a result of a breach of PHI. It could be any unauthorised acquisition, use, or disclosure of PHI.
Who needs to be covered under HIPAA?
There are two parties involved in HIPAA: the Covered Entities and Business Associates. Before we move any further, let’s understand what each of these terms means.
Covered Entity (CE): A covered entity is any party that is involved in electronically transmitting health information of patients for transactional purposes such as insurance coverage and billing services. A covered entity could be a person, an institution, or an organisation. Here are some examples of covered entities:
- Healthcare providers
- Healthcare organisations
- Healthcare clearinghouses
- Health insurance companies
Business Associate (BA): A Business Associate is a person or an entity who manages the transmission and disclosure of PHI or ePHI on behalf of the covered entity, in compliance with the HIPAA rules and regulations. A HIPAA-Compliant texting app like Emitrr is an example of a Business Associate.
For the safe transmission of ePHI between the CE and the BA, both parties need to sign a Business Associate Agreement (BAA) that outlines the responsibilities of each party with respect to handling PHI.
HIPAA requires that Covered Entities work only with Business Associates bound by such an agreement, to ensure the protection of health information. Here is an example of a BAA: https://www.hhs.gov/sites/default/files/model-business-associate-agreement.pdf
Why Should You Care About HIPAA Compliance?
Before we talk about compliance, let’s first address the importance of texting as a communication medium.
Sending out text messages is a common practice among healthcare providers. It enables continuous connectivity and engagement between healthcare providers and their patients.
The growing preferences of customers have made businesses (healthcare providers and practices in particular) rise to the occasion and curate communication and engagement strategies around text messaging.
They’ve implemented text messaging into their strategies and have seen the following results:
- More effective doctor-patient communication
- Fewer no-shows and cancellations
- Reduced costs
- High open rate and response rate
- Lower call volume
- Improved patient engagement and experience rates
- Better patient outcomes
- Patients who feel more connected at every step of the patient journey
Right from booking appointments to accessing records, from sending medication reminders to making payments, texting has become a preferred and convenient form of communication.
A major reason for this shift can be attributed to the Coronavirus pandemic, which led to 80% more text conversations than before, thereby leading to more focus on patient-centred care.
While an average phone call lasted about 8 minutes, a text message could be sent within seconds. In the race of texting vs calling, texting wins.
Though there were other forms of communication, such as patient portals, EHRs, and emails, text messages were still preferred because of their speed, ease of use, and simplicity.
Here’s a comparison between texting and other forms of communication such as calling, patient portals, and emails, to help you understand why texting outshines the rest:
Text messaging platforms vs patient portals
Text messaging platforms vs phones
Text messaging platforms vs emails
What Happens When You Don’t Meet HIPAA Compliance?
Once you know which messages are considered HIPAA compliant and which are not, you can easily ensure that the texts you send don’t violate the HIPAA guidelines. If they do, you’d be on the radar of HHS and will be fined depending on the degree of non-compliance. As per the HIPAA Journal, there are four penalty tiers that define the level of violation and the associated penalties. Here’s a glimpse of the same:
Did you know?
In the year 2019, American Medical Collection Agency (AMCA) failed to comply with HIPAA regulations and couldn’t protect the sensitive healthcare information of its patients. The deficiencies in information security led to a data breach, which exposed the personal health information of about 20 million individuals. The breach invited an extensive investigation and made the organisation liable for $21 million as a penalty.
To keep a safe distance from the penalties due to non-compliance, you need to enforce HIPAA texting. As a healthcare provider, it is your duty to protect sensitive PHI from any unauthorised access and implement the required safeguards to keep it secure.
If you don’t keep the data secure and don’t safeguard sensitive patient information, you’re exposing that information to a data breach. We all know what happens in the case of a data breach and the consequences that follow.
Examples Of HIPAA-Compliant vs NON-HIPAA-Compliant Text Messages
Here’s a table that differentiates messages that are categorised as HIPAA compliant and non-HIPAA-compliant:
The messages in the first column are not HIPAA compliant due to the following reasons:
- All messages contain the first names of the patients
- The reminder message includes the exact name of the treatment that the patient is set to undertake, which is not necessary
- The message for the test results is okay but it also includes the link for the patient to access the results. Such sensitive information shouldn’t be accessible by a link sent via text
- The insurance information is being asked via text, which makes it non-HIPAA-compliant
- The review request also contains the name of the patient, which is not necessary
Templates For HIPAA-Compliant Texting
Here are some ready-to-use templates for you to seamlessly communicate with your patients.
Hey, this is a gentle reminder for your appointment with Dr. Ryan, which is scheduled for tomorrow at 2 pm. Please arrive 15 minutes before your appointment. Please reply C to cancel your appointment. – Team ABC
Hey, you have an appointment scheduled for 26th March, 2023 with Dr. Josh at 2 pm. Please type C to confirm and R to reschedule the appointment. – Team XYZ
Prescription refill reminder
Hey, this is a reminder that your medication is due for a refill. Please contact the front desk for the same. – Team ABC
Hey, this is a reminder that your payment is due. Please contact the office for the same. – Team XYZ
Informing about test results
Hey, your test results are ready! Please click on this secure link to view them. – Team ABC
Asking insurance information
Hey, we need your insurance details. Please log in to your patient portal and update the same. – Team XYZ
Hey, you are due for an annual health checkup in two weeks. Please reply to this message if you wish to schedule an appointment. – Team ABC
Filling out an online form
Hey, before we proceed with the diagnosis and treatment, we’d like you to fill out an online patient intake form to understand your health condition and provide the best possible care. Please click on this link to access the form: <link>. – Team XYZ
Hey, this is a follow-up message to your recent visit. If you are facing any complications or require further care, please type YES. – Team ABC
Hey, in accordance with the Ministry of Health, we are required to conduct a COVID-19 screening of all patients before their visit. Please bring your vaccination reports with you when you visit. – Team XYZ
Hey, we hope you had a good experience with us. We’d love to hear about it. Please leave us a review by clicking on this link: <link> – Team ABC
Communicating with staff
Hey team, the meeting scheduled for tomorrow at 4 pm has been postponed to 6 pm. Please acknowledge the message.
What Information Can You Share?
Here’s what you can share:
- Vague appointment reminders/confirmations that only mention the date and time of the appointment
- Messages that only inform the patients that their test results are ready
- Text messages that don’t contain the exact details of the patient’s current or past conditions
- Any messages that don’t include the details of the treatment plans
Here’s what you can’t share:
- Messages containing the name, address, or contact details of the patient
- Any information related to their insurance provider or SSN
- Any specific payment details such as the payment amount or links
- Any details pertaining to the treatment that the patient is supposed to undergo
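The two lists above can be turned into a pre-send check. The following is an added example, not Emitrr’s code or anything from the original article: a small lint that scores an outbound text against the page’s rules (no patient identifiers, no insurance or SSN details, no payment amounts, no treatment names, and a results notice that carries no link). The keyword lists, the `patient` record shape and the sample templates are constructed assumptions for illustration.

```python
import re

# Constructed rule set distilled from the "can share / can't share" lists above.
# The treatment terms and identifier fields are illustrative assumptions, not a
# complete PHI catalogue; extend them to match your own practice.
TREATMENT_TERMS = ("root canal", "chemotherapy", "biopsy", "mri scan", "implant", "therapy session")
IDENTIFIER_FIELDS = ("first_name", "last_name", "address", "phone", "email", "insurer", "policy_number")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
INSURANCE_ID_RE = re.compile(r"\b(policy number|member id|social security|ssn)\b", re.I)
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
URL_RE = re.compile(r"https?://\S+|www\.\S+|<link>", re.I)


def check_message(text, patient=None):
    """Return the names of the rules the message breaks; an empty list means it may be sent.

    `patient` is the recipient's record (a dict). None of its identifier fields may
    appear in the body, since the page treats even a first name as non-compliant.
    """
    findings = []
    for field in IDENTIFIER_FIELDS:
        value = (patient or {}).get(field)
        if value and re.search(r"\b" + re.escape(str(value)) + r"\b", text, re.I):
            findings.append("identifier:" + field)
    if SSN_RE.search(text) or INSURANCE_ID_RE.search(text):
        findings.append("insurance_or_ssn")
    if AMOUNT_RE.search(text):
        findings.append("payment_amount")
    lower = text.lower()
    if any(term in lower for term in TREATMENT_TERMS):
        findings.append("treatment_detail")
    # A results notice may only say the results are ready; it must not carry a link.
    if "result" in lower and URL_RE.search(text):
        findings.append("result_link")
    return findings


def lint_templates(templates, patient):
    """Render each template for one patient and map template name -> findings."""
    return {name: check_message(body.format(**patient), patient) for name, body in templates.items()}


# Constructed sample data (not from the page).
PATIENT = {"first_name": "Maria", "last_name": "Lopez", "phone": "555-0142", "insurer": "Acme Health"}
TEMPLATES = {
    "reminder_ok": "Hey, this is a reminder for your appointment tomorrow at 2 pm. Reply C to cancel. – Team ABC",
    "results_ok": "Hey, your test results are ready. Please log in to your patient portal to view them. – Team ABC",
    "reminder_bad": "Hi {first_name}, your root canal is confirmed for Monday. Your $150 copay is due. – Team ABC",
    "results_bad": "Your results are in: https://example.test/results/123 – Team ABC",
}

if __name__ == "__main__":
    for name, found in lint_templates(TEMPLATES, PATIENT).items():
        print(f"{name:13} {'OK' if not found else ', '.join(found)}")
```

Run it as a gate in the pipeline that sends templates, and keep the findings in the audit log alongside the message record.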
Use Cases Of HIPAA-Compliant Texting
Now that you have acquired a comprehensive understanding of HIPAA-Compliant texting, it is time to see how different healthcare providers can use it to their advantage.
HIPAA-Compliant texting for therapists
Here’s how Therapists can use HIPAA-Compliant texting:
- To send appointment reminders and rescheduling options, thereby streamlining appointment management
- To engage in secure communication on sensitive topics, medications, and other therapy-related plans
- To offer unwavering support between sessions to ensure better therapeutic outcomes
- To address and resolve issues in the case of emergencies
- To send confidential resources and assignments
- To track the progress of clients and make changes as required
- To get billing and insurance-related information
- To collect patient feedback for continuous improvement in services
- To collaborate with other teams for delivering exceptional care
HIPAA-Compliant texting for dentists/doctors
Here’s how dental professionals and doctors use HIPAA-Compliant texting:
- To send appointment reminders and confirmations
- To discuss treatment plans and recommendations with the patients
- To send detailed preoperative and postoperative instructions to the patients
- To share radiology test results and prescription refill reminders with patients
- To offer virtual consultation (telehealth) in the case of emergencies
- To track progress and provide follow-up care to the patients
- To gather information related to billing and insurance
HIPAA-compliant texting for veterinarians
Here’s how HIPAA-compliant texting can be used for veterinary-client communication:
- To send appointment reminder, confirmation, and scheduling messages
- To share laboratory test results and other important diagnostic information
- To share prescription and related medication information
- To provide instructions for pre and post-surgical care
- To offer remote consultations in case a physical visit isn’t possible
- To offer behavioural support to the pet parents
- To share medical records and vaccination history
- To provide end-of-life care support to pet parents
- To request feedback
- To offer support during emergencies
Best Practices To Ensure HIPAA-Compliant Texting
Get the explicit consent of patients
Before you start engaging with your patients through text messages, you must have the written consent of the patient.
For instance, if you wish to gather feedback from your patient or send out a survey to them, let them have the option to opt-in or opt-out of such communications.
Limit information sharing
By limiting the information shared over text, you can reduce the risk of PHI falling into the wrong hands. Text messages for the following purposes pose no risk:
- Appointment booking
- Appointment reminders
- Registration guidelines
- Test result notification
- Routine healthcare guidelines
- Pre and post-operation directives
Actively monitor activity
A HIPAA audit requires systems to provide timely evidence and records of PHI-sharing activities. HIPAA-compliant text platforms automatically document user management along with authentication and messaging information. Make use of a secure texting platform that keeps a record of all messages for future audits.
Set access control
While sending HIPAA-compliant text messages, you must warn your patients about the risks of unauthorised disclosure of Protected Health Information (PHI).
On another note, as a responsible healthcare provider, you must also implement access control to limit access exclusively to authorised users. The HIPAA Security Rule requires the following access control provisions:
Unique user ID
The professionals accessing a system with PHI should have unique user IDs tied to their individual names or numbers. All platforms, including text messaging platforms, should be accessed through these unique user IDs to avoid information misuse and data breaches.
The text messaging must have end-to-end encryption to protect PHI and prevent unauthorised access, especially in case of loss of the device.
Platforms working with PHI must have an auto log-off option post inactivity of the user for a particular time duration. This ensures the security of the information and avoids unauthorised data tampering.
Have an SOP for emergencies
Make sure that the platform makes users confirm their identities before accessing the platform. This means that the users would have to enter more than just a password to access the platform. Such a level of authentication will ensure added security.
Use authentication procedures
Patients’ confidential information should always stay in the right hands. To ensure this, implement a multi-factor authentication (MFA) procedure for sending text messages containing PHI. MFA provides another layer of security and keeps the information safe.
Ensure that you can delete data remotely to safeguard patient information and avoid any chance of unauthorised access.
Sign a BAA
The third-party vendors working with your healthcare organisation may get access to PHI. These third-party vendors are also known as business associates. Make sure to sign a BAA with your HIPAA-compliant texting provider.
Let patients know the risk of sharing information via text
Before engaging in text messaging with your patients, make sure to familiarise them with the risks associated with sharing information via text, such as interception in transit, a lost or stolen device, or unauthorised access.
To combat all these challenges you can use a HIPAA-compliant texting app that offers secure text messaging as an added feature. Check out how Emitrr’s secure texting feature can help keep all conversations secure here: https://emitrr.com/blog/secure-text-messaging/
Keep the conversation history
Let’s say one of your patients was due for an annual checkup for a chronic condition and you sent them a reminder for the same. For some reason, your patient didn’t pay attention to the reminder and decided not to visit you.
After some time, their health deteriorated as a result of that negligence and they filed a case against you, claiming that you never sent them a notification for the due checkup. That is when you can pull out this patient’s conversation history and protect yourself. Make sure to document such conversations in case an audit takes place.
Train your employees
Just as it is important to familiarise your patients with secure PHI sharing, it is also crucial to train your employees accordingly to avoid any HIPAA violation.
Tell your employees about the HIPAA rules in detail and help them understand how messaging can be made HIPAA-compliant. This way you’ll be able to ensure end-to-end compliance and avoid any penalties or legal action.
Use a HIPAA-compliant texting app
To efficiently follow the aforementioned best practices for secure PHI sharing, having a HIPAA-compliant texting app is the best investment you can make.
Use a HIPAA-compliant texting app that is HIPAA, HITECH, and TCPA compliant and offers advanced texting capabilities, user and access control, real-time alerts, great support, message lifespan controls, and interoperability as key features.
Compare the top 15 HIPAA-Compliant Apps in 2023 here:
For a detailed analysis, check this out: https://emitrr.com/blog/hipaa-compliant-texting-app/
How to choose the right HIPAA-compliant texting app?
After understanding how compliance makes a huge difference in the healthcare industry, it is vital to assess the right application for your organisation. By now, we do know that the application should be compliant but other than that, there are some key features to be considered too.
Here’s a list of features that might help you in making the right choice:
- Real-time encryption
- Ability to communicate from multiple devices
- Provision of enterprise web access
- Remote data deletion
- Access controls
- Activity tracking
These features not just guarantee the protection of PHI, but also enhance overall productivity and help healthcare providers to focus on patient care.
Choosing the right application benefits the organisation and raises the standards of healthcare, by improving overall patient experience.
Frequently Asked Questions
Can I share PHI with my colleagues?
If you’re using a HIPAA-compliant texting app, then you can use it for both internal as well as external communication. Internally, you can share PHI with your colleagues. However, make sure to send only the most relevant information to your colleagues.
Can I share PHI with the family members of the patient?
Yes, you can share PHI with the family members of the patient. However, you need to first take the patient’s consent, verify the identity of the patient, use secure communication channels, share limited information, use general identifiers, maintain a record of the communication, and most importantly follow the HIPAA guidelines.
If I delete a text message immediately after sending it, would that still count as a HIPAA violation?
If you’re using a HIPAA-compliant app, then there won’t be any violation. However, if you’re not using a secure application, then there could be a violation because the message will be stored on the service provider’s servers indefinitely. This poses a risk of individually identifiable health information getting exposed.
Can I share PHI with my staff members if I use a secure texting app?
Yes, you can share PHI with your staff members if you’re using a secure texting app. However, make sure to send only limited information and get the consent of the patient before sharing any information.
Doctor-patient relationships are built on the foundation of trust and hence it is important for you as a professional to strengthen that trust. This includes keeping sensitive PHI secure and protected from any malicious access or intent. In a world where data is supreme, there are obstacles in the form of breaches that follow; and to keep such breaches at bay, you must take all the possible measures to keep PHI safe and secure.
HIPAA-compliant texting is the way forward if you want to offer the best possible care to your patients, while also ensuring that their PHI doesn’t get into the hands of unauthorised individuals. Invest in a HIPAA-compliant texting app like Emitrr to enhance patient engagement and experience. Book a demo to see what Emitrr has in store for you – https://emitrr.com/schedule/