Is texting HIPAA compliant?
Texting is effective, convenient, inexpensive, and as accessible as picking up a cell phone.
However, in your healthcare practice, you have to make sure that every form of electronic communication is HIPAA compliant. Texting is no exception.
Do you know which one of these texts is OK to send?
Hint: It’s the one on the right, and we’ll explain why later in the post.
Maybe you’ve been afraid to ask yourself if texting is HIPAA compliant because you’re already texting in your practice and don’t want to stop.
Today, we’re going to answer that question. But don’t worry…
We’re not going to leave you stranded back in the communication dark ages.
We’ll make sure you’re HIPAA compliant, avoiding expensive fines, and still enjoying the convenience of texting.
Is texting HIPAA compliant?
First, what do we mean by texting?
There is SMS (Short Message Service), which is carried over the cellular network between mobile phones.
Then there’s in-app messaging. This can look a lot like SMS. WhatsApp is a popular messaging app that carries messages back and forth as long as both people use the app. iMessage is a little of both: between two Apple devices the Messages app sends over iMessage by default, but it falls back to SMS when the other person isn’t on iMessage.
When we refer to “texting” in this article, we’re talking about both SMS and in-app messaging.
So is texting HIPAA compliant?
If you’re texting the way you do outside of the workplace, then no, it’s not.
HIPAA requires safeguards for electronic PHI that ordinary texting doesn’t give you. For messaging, the ones that matter most are access controls (only authorized people can read the messages), audit controls (a record of who sent and read what), and a business associate agreement (BAA) with the service provider. Encryption on its own isn’t enough: an encrypted app without those controls and a BAA still falls short.
Not sure what a BAA is?
Read more about BAAs in our blog post Do you need a Business Associate Agreement?
Regular texting, including both SMS and in-app messaging, doesn’t provide all of the safeguards above, so it isn’t considered HIPAA compliant.
However, you don’t have to stop texting completely. Keep reading to find out how you can make texting work for your practice.
Can you afford not to text?
Two often-cited statistics about text messaging are that 99 percent of them are read and 90 percent of them are read within the first three minutes of being received.
Texting is fast and efficient, giving you information (e.g., a confirmation or cancellation) that can save time and money for your practice.
But if you’re not HIPAA compliant, texting could lead to expensive fines.
Can you afford the cost of a HIPAA violation?
Texting might save you time and money by preventing no-shows and helping your practice run smoothly. But we’ve already established that regular texting isn’t HIPAA compliant. So let’s look at what happens when you use it anyway.
Here are the fines you could end up paying if you’re not following the HIPAA rules. If it’s decided that you knew texting wasn’t HIPAA compliant but used it anyway (without any precautions, which we’ll get to in a minute), you’d probably fall into category 3, with a minimum fine of $12,794 per violation.

| Category | What happened | Penalty per violation |
|---|---|---|
| 1 | You weren’t aware of the rule and couldn’t have realistically avoided the violation | Minimum $127, up to $30,487¹ |
| 2 | You should have been aware of the rule but didn’t ignore your responsibilities on purpose | Minimum $1,280, up to $60,973 |
| 3 | You ignored your responsibilities but have attempted to correct the violation | Minimum $12,794, up to $60,973 |
| 4 | You ignored your responsibilities and haven’t attempted to correct the violation | Minimum $60,973, up to $1,919,173 |

¹ OCR can choose to waive a financial penalty for cases where the practitioner could not have been expected to avoid a data breach. The above penalty amounts are estimates; amounts are adjusted each year for inflation.
You might decide that the fine is more money than you’d save from fewer no-shows.
How to text and still be HIPAA compliant
Is compliant texting possible? After all, that 90 percent read rate within three minutes is hard to beat.
Yes, it is. Here’s what you need to do:
1. When you bring on a new client, during the intake process, talk to them about how they’d like to communicate. Provide your client with a statement of the risks associated with using text messaging. This can be as simple as the following:
Unencrypted text message risk statement
We offer helpful administrative information by regular text messaging, such as appointment reminders. There is some level of risk that information in a regular text message could be read by someone besides you. Please let us know if you would like us to communicate administrative information with you by text message.
- If they still want to communicate via text, have them sign a request for non-secure communication
- Be sure to document both the statement of risks and the request
Would you like a request for non-secure communication form you can use in your practice? Submit your information below and you can start using it with your clients today.
2. Then, find a HIPAA-compliant text messaging app to use instead of SMS texting or your regular app. By finding a secure application that comes with a BAA, you can relax and not worry so much about sending and receiving health information.
Some of these text messaging apps require that your clients use their app. However, some may be used by your clients without an app. Be sure to do your research to find the one that works best for your practice.
“We like iPlum for secure, HIPAA-compliant messaging,” says Liathana Dalton, director of Person Centered Tech, a company that helps therapists understand tech and security. “They have a free client-facing app, so any messages exchanged through the app are secure. Just make sure you set it up for HIPAA compliance and get a BAA.”
3. Next, think carefully about the information you send. Even if you have a request for non-secure communication on file and are using a HIPAA-compliant app, any protected health information (PHI) you text should still be the bare minimum necessary to get the job done.
Here’s an example of a text message containing PHI that isn’t OK to send, and one that is:
The message on the left contains PHI - a name, date, and the nature of the appointment. You don’t need to send all of it to achieve your goal of confirming the appointment.
The message on the right contains some PHI (name, phone number, and office name), but it’s the bare minimum necessary.
Follow those three steps and you can have peace of mind that you’ve done your best to protect your clients’ information.
Also, keep in mind the following points:
- Only use text messaging to convey the specific information identified in the request form, such as appointment reminders
- Include an option in your text message to opt-out of receiving future messages
- Use text messaging in tandem with a HIPAA-compliant email solution
This last point is the topic of the next section. Read on to learn about how to use texting and secure email together to achieve your compliance and cost-saving goals.
Don’t forget. You can submit your information to receive a free request for non-secure communication form that you can edit to reflect your practice.
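The three steps and the points above can be turned into a gate that runs before any reminder is handed to the messaging app. The following is an added example written for this page, not code from Hushmail or from any messaging vendor. It assumes a client record that stores whether the risk statement was documented and the non-secure-communication request signed, a request form that covers three purposes (reminders, cancellations, and "results are available" notices), and template wording chosen for illustration. Date, time and the nature of the appointment are deliberately left out of every template, and anything a caller tries to add beyond the template fields is refused as free text.

```python
"""Outbound text gate for a practice's reminder system (added example, not the page's own code).

Enforces the points from the post before a message reaches the messaging app:
a documented risk statement and signed request on file, an honoured opt-out,
purposes limited to those named on the request form, and a minimum-necessary
body with no free text. Purposes, template wording and the Client record are
assumptions made for illustration.
"""
from dataclasses import dataclass

# Purposes the (assumed) request-for-non-secure-communication form lists.
ALLOWED_PURPOSES = {"appointment_reminder", "appointment_cancellation", "results_available"}

# Minimum-necessary templates: first name, office name and a callback number only.
# Date, time and the nature of the appointment are deliberately absent.
TEMPLATES = {
    "appointment_reminder": (
        "Hi {first_name}, this is {office}. Please reply YES to confirm your "
        "upcoming appointment, or call {office_phone} to reschedule."
    ),
    "appointment_cancellation": (
        "Hi {first_name}, this is {office}. Your upcoming appointment has been "
        "cancelled. Please call {office_phone} to rebook."
    ),
    "results_available": (
        "Hi {first_name}, this is {office}. A new secure email from us is waiting "
        "for you. Call {office_phone} with any questions."
    ),
}
OPT_OUT_FOOTER = " Reply STOP to opt out of texts."
# The only values a caller may supply; first_name is taken from the client record.
CALLER_FIELDS = {"office", "office_phone"}
STOP_WORDS = {"stop", "unsubscribe", "end", "quit", "cancel"}


@dataclass
class Client:
    first_name: str
    phone: str
    risk_statement_documented: bool = False  # step 1: risk statement given and recorded
    nonsecure_request_on_file: bool = False  # step 1: signed request for non-secure communication
    opted_out: bool = False                  # set when the client replies STOP


def gate(client: Client, purpose: str, fields: dict) -> tuple:
    """Return (body, "ok") if the text may be sent, otherwise (None, reason)."""
    if not (client.risk_statement_documented and client.nonsecure_request_on_file):
        return None, "no documented risk statement and signed request on file"
    if client.opted_out:
        return None, "client has opted out of text messages"
    if purpose not in ALLOWED_PURPOSES:
        return None, f"purpose {purpose!r} is not covered by the request form"
    extra = set(fields) - CALLER_FIELDS
    if extra:
        # Anything beyond the template fields is free text and almost certainly extra PHI.
        return None, f"fields {sorted(extra)} are not part of the minimum-necessary template"
    missing = CALLER_FIELDS - set(fields)
    if missing:
        return None, f"missing template fields {sorted(missing)}"
    body = TEMPLATES[purpose].format(first_name=client.first_name, **fields) + OPT_OUT_FOOTER
    return body, "ok"


def handle_reply(client: Client, body: str) -> str:
    """Classify an inbound reply. STOP-style keywords opt the client out immediately."""
    word = body.strip().lower()
    if word in STOP_WORDS:
        client.opted_out = True
        return "opted_out"
    if word in {"yes", "y", "confirm", "confirmed"}:
        return "confirmed"
    # Anything else may be free text containing PHI: hand it to a person, do not answer by text.
    return "route_to_staff"


if __name__ == "__main__":
    # Constructed sample client and office details.
    client = Client("Maria", "+15550100", risk_statement_documented=True, nonsecure_request_on_file=True)
    office = {"office": "Lakeside Counseling", "office_phone": "555-0100"}
    print(gate(client, "appointment_reminder", office))
    print(gate(client, "appointment_reminder", {**office, "reason": "depression follow-up"}))
    print(handle_reply(client, "STOP"), gate(client, "appointment_reminder", office))
```

The gate refuses rather than trims: a caller who passes a "reason" field gets the whole message blocked, which is the safer failure for PHI. Replies that aren't a clear YES or STOP are routed to a person instead of answered automatically, since a client may put health information in a reply even when the practice never sends any.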
Use texting with secure email, so you’re always HIPAA compliant
There’s a clear distinction between what makes a good text message and what is better sent in an email. Text messages are short, to the point, and have a sense of immediacy about them. For the most part, when someone hears a text come in, they’re likely to read it and respond within a few minutes.
For that reason, consider using texting only when you need a quick reply or action, for example:
- Reminder to schedule a new appointment
- Appointment cancellation notification
- Notification that lab test or screening results are available online
When you’re sending a lengthier message that contains a lot of PHI, that’s where secure email comes in.
Use secure email when you’re:
- Collecting intake forms
- Sending test or screening results
- Discussing health issues
- Referring your client to another practitioner
- Transferring any other kind of PHI
Here are a couple of scenarios where texting and email can work together:
You text an appointment reminder to a client. The text also reminds them to fill out emailed intake forms before their appointment.
Your client takes the PHQ-9 screening you sent them over secure email. You send them a text letting them know you emailed them their results.
As a healthcare provider, you want convenience, efficiency, and cost savings for your practice, but you need compliance.
Hushmail for Healthcare is the HIPAA-compliant email and form solution that, when used with secure texting, can help you get the best of all worlds.
Are encrypted messaging apps HIPAA compliant?
Not unless they come with access controls, audit controls, and a BAA.
Is WhatsApp HIPAA compliant?
No. Even though it's encrypted it doesn't come with the access controls, audit controls, and BAA that are necessary for HIPAA compliance.
Can I use my electronic medical record (EMR) to send text messages?
Yes, if your EMR comes with a BAA, which it likely does, and provides access controls and audit controls.
Is a client’s name and phone number PHI?
Yes. When a name and phone number are connected to health information, they’re considered PHI. For that reason, even very simple appointment confirmation messages must be handled with care.
Text your clients and support your HIPAA compliance
Texting is convenient, connects you with your clients, and can save you money by preventing no-shows. With a few considerations, you can use it to communicate in your practice while being HIPAA compliant:
- Send and receive as little PHI as possible
- Inform your clients of the risks and have them sign a request for non-secure communication during your intake process
- Use a HIPAA-compliant text messaging app
- Use secure email for longer messages
According to Dalton, another best practice is to provide your client with a communication policy. While not a specific HIPAA requirement, the policy is supportive of good ethical boundaries and lets your client know what to expect when they receive a text from you or send one themselves.
Person Centered Tech provides a sample communications policy you can edit to fit your practice.
If you follow the guidelines above, you can enjoy the convenience and cost savings of texting and still support your HIPAA compliance.
Submit your information below to get your free Request for non-secure communication form.