February 27, 2023

Texting Patients? Don't Make these HIPAA Mistakes

Author(s): Jessica Ayre

Train your staff well, says this expert in business texting solutions, and make sure to develop and use appropriate checks and balances.

Insecure systems

It can be unsafe to exchange sensitive information from just any device. Avoid communicating with patients on your personal smartphone or on a system where their information isn’t encrypted and can be accessed or intercepted.

Patients don’t want to download a separate app or log into a specific portal to ask questions or get updates — they just want to text you. To text patients securely, you can implement a HIPAA-compliant text messaging platform that maintains government privacy and security standards.

A secure channel ensures that information is encrypted at every level, from physician to patient. Without a secure platform, you leave valuable patient information at risk. Apart from encryption, it’s important that your texting solution track the statuses of all messages, clearly identifying the sender and receiver. It also should safely integrate with your current practice management software.

Texting non-opt-ins

Before texting a patient, you need to make sure that they’ve given their consent to being texted by you. Texting patients who haven’t consented to text message communication can be a major violation of HIPAA standards, not to mention other regulations set by the Federal Communications Commission.

So how do you get patients to opt in? It’s easier than most people think. Start by encouraging inbound traffic. Prompt patients to text you first, which you can do from your website. For example, use an SMS chat on your homepage, or say “Text us at (phone number).”

Another way to get patients to opt in is to simply ask them. On your web form, include a checkbox that asks if it is OK to use various channels for appointment and care-related communications. Add the same checkbox to any patient paperwork, and you’ll be surprised how quickly your opt-in list grows. Patients also need to be able to opt out of communications at any time. This holds true for text, but also for any other kind of communication. Most text systems include an opt-out message or function.

Share without consent

Patients want to be able to ask you questions and hold conversations through text, but you need to always ensure that the patients are confirmed and have opted into sharing personal health information (PHI) via text.

Some patients will want texts from you just for scheduling and reminders, and others will want to text with you throughout their care (and after). PHI is sacred, so be sure to ask patients if they’re OK with texting you about their care.

How do you ensure this happens? Start by adding it as a question on patient paperwork. For example: “Would you like us to text you about your care?” As long as patients have opted in to receiving texts about care related to PHI, you’re good to go.

Wrong access

Without a secure platform, valuable PHI can be intercepted by anyone. An unattended mobile device can grant unauthorized employees access to your patients’ data, which can lead to consequences such as insurance fraud or identity theft.

Even a secure system can grant access to the wrong people. Make sure you are only granting access to authorized employees. The “wrong employees” in this situation could be someone working in a different department or under a different provider. For example, Employee X may be working in collections and doesn’t need to see the conversations Patient A had with the provider about their care. Employee X just needs to text about collections.

Part of having a secure system is making sure users have the right permissions and access. It’s important to make sure that the appropriate personnel in your practice have access to those patient conversations. Ensure that only authorized employees are communicating with patients.


Wrong contacts

It can be easy to accidentally send messages to the wrong person when you are using a personal mobile device or even a secure platform, especially when you are in a rush.

Secure system or not, this is never acceptable. By the same token, you wouldn’t want to send an email to the wrong person or leave a voicemail on the wrong line. All of these can result in unauthorized disclosure of PHI to the wrong person, violating HIPAA regulations.

To avoid these mishaps, train your staff well and have appropriate checks and balances in place.

Jessica Ayre is content marketing specialist at Text Request, a HIPAA-compliant business texting solution.

