20 time-saving tips
Download 20 quick tips to help you spend less time on admin and more time helping your clients!

Practice management

Is texting HIPAA compliant?

In your healthcare practice you have to make sure that every form of communication is HIPAA compliant. Texting is no exception.


Texting is effective, convenient, inexpensive, and as accessible as picking up a cell phone. 

However, in your healthcare practice, you have to make sure that every form of electronic communication is HIPAA compliant. Texting is no exception.

Do you know which one of these texts is OK to send?

Text message example 1 Text message example 2

Hint: It’s the one on the right, and we’ll explain why later in the post. 

Maybe you’ve been afraid to ask yourself if texting is HIPAA compliant because you’re already texting in your practice and don’t want to stop.

Today, we’re going to answer that question. But don’t worry…

We’re not going to leave you stranded back in the communication dark ages. 

We’ll make sure you’re HIPAA compliant, avoiding expensive fines, and still enjoying the convenience of texting.

Is texting HIPAA compliant?

First, what do we mean by texting? 

There is SMS (short message texting), which takes place using mobile devices over a cellular network. 

Then there’s in-app messaging. This can look a lot like SMS. WhatsApp is a popular messaging app that allows messages to be sent back and forth as long as the app is used. iMessage is a little of both. The app is used by default between two iPhones, but SMS kicks in if someone doesn’t have the app. 

When we refer to “texting” in this article, we’re talking about both SMS and in-app messaging.

So is texting HIPAA compliant? 

If you’re texting the way you do outside of the workplace, then no, it’s not. 

“HIPAA requires you to put ‘reasonable safeguards’ in place to protect your client or patient information. Regular texting doesn’t provide these safeguards.”

Steve Youngman, Vice President of Legal, Hushmail 

Let’s take a look at some of these safeguards: 

Infographic HIPAA compliance safeguards

Not sure what a BAA is? 

Read more about BAAs in our blog post Do you need a Business Associate Agreement? 

Regular texting, including both SMS and in-app messaging, doesn’t provide all the safeguards listed above. Therefore, they aren’t considered HIPAA compliant. 

However, you don’t have to stop texting completely. Keep reading to find out how you can make texting work for your practice.

Can you afford not to text?

Two often-cited statistics about text messaging are that 99 percent of them are read and 90 percent of them are read within the first three minutes of being received. 

Texting is fast and efficient, giving you information (e.g., a confirmation or cancellation) that can save time and money for your practice. 

But if you’re not HIPAA compliant, texting could lead to expensive fines. 

Can you afford the cost of a HIPAA violation?

Texting might save you time and money by preventing no-shows and helping your practice run smoothly. But we’ve already established that regular texting isn’t HIPAA compliant. So let’s look at what happens when you use it anyway.

Here are the fines you could end up paying if you’re not following the HIPAA rules. If it’s decided that you knew texting wasn’t HIPAA compliant but used it anyway (without any precautions, which we’ll get to in a minute), you’d probably fall into category 3. With a minimum fine of $12,794 per violation.

 

Description

Fine

1

You weren’t aware of the rule and couldn’t have realistically avoided the violation

Minimum fine of $127 per violation up to $30,4871

2

You should have been aware of the rule but didn’t ignore your responsibilities on purpose

Minimum fine of $1,280 per violation up to $60,973

3

You ignored your responsibilities but have attempted to correct the violation

Minimum fine of $12,794 per violation up to $60,973

4

You ignored your responsibilities and haven’t attempted to correct the violation

Minimum fine of $60,973 per violation up to $1,919,173

1 OCR can choose to waive a financial penalty for cases where the practitioner could not have been expected to avoid a data breach. The above penalty amounts are estimates. Amounts are adjusted each year for inflation.

Yikes! 

You might decide that the fine is more money than you’d save from fewer no-shows.

How to text and still be HIPAA compliant

Is compliant texting possible? After all, that 90 percent read rate within 3 minutes is hard to beat. 

Yes, you can. Here’s what you need to do:

1. When you bring on a new client, during the intake process, talk to them about how they’d like to communicate. Provide your client with a statement of the risks associated with using text messaging. This can be as simple as the following:

Unencrypted text message risk statement

We offer helpful administrative information by regular text messaging, such as appointment reminders. There is some level of risk that information in a regular text message could be read by someone besides you. Please let us know if you would like us to communicate administrative information with you by text message.

  • If they still want to communicate via text, have them sign a request for non-secure communication 
  • Be sure to document both the statement of risks and the request

Would you like a request for non-secure communication form you can use in your practice? Submit your information below and you can start using it with your clients today. 

05_Form thumbnail_Is texting

2. Then, find a HIPAA-compliant text messaging app to use instead of SMS texting or your regular app. By finding a secure application that comes with a BAA, you can relax and not worry so much about sending and receiving health information.

Some of these text messaging apps require that your clients use their app. However, some may be used by your clients without an app. Be sure to do your research to find the one that works best for your practice. 

“We like iPlum for secure, HIPAA-compliant messaging,” says Liathana Dalton, director of Person Centered Tech, a company that helps therapists understand tech and security. “They have a free client-facing app, so any messages exchanged through the app are secure. Just make sure you set it up for HIPAA compliance and get a BAA.”

3. Next, think carefully about the information you send. Even though you have a Request for non-secure communication on file and are using a HIPAA-compliant app. If you're secure texting protected health information (PHI), it should still be the bare minimum necessary to get the job done. 

“There’s a great deal of confusion surrounding what constitutes PHI. PHI is individually identifiable information plus health info – where health info is any info about past, present, or future healthcare treatment, diagnosis, or payment for those services.”

Liathana Dalton, Director, Person Centered Tech

03_PHI word cluster_HIPAA-compliant email

Here’s an example of a text message containing PHI that isn’t OK to send, and one that is:

Example of non compliant text Example of compliant text

The message on the left contains PHI - a name, date, and the nature of the appointment. You don’t need to send all of it to achieve your goal of confirming the appointment. 

The message on the right contains some PHI (name, phone number, and office name), but it’s the bare minimum necessary.

Follow those three steps and you can have peace of mind that you’ve done your best to protect your clients’ information. 

Also, keep in mind the following points:

  • Only use text messaging to convey the specific information identified in the request form, such as appointment reminders
  • Include an option in your text message to opt-out of receiving future messages 
  • Use text messaging in tandem with a HIPAA-compliant email solution

This last point is the topic of the next section. Read on to learn about how to use texting and secure email together to achieve your compliance and cost-saving goals.

Don’t forget. You can submit your information to receive a free request for non-secure communication form that you can edit to reflect your practice. 

05_Form thumbnail_Is texting

Use texting with secure email, so you’re always HIPAA compliant

There’s a clear distinction between what makes a good text message and what is better sent in an email. Text messages are short, to the point, and have a sense of immediacy about them. For the most part, when someone hears a text come in, they’re likely to read it and respond within 5 minutes. 

For that reason, consider using texting only when you need a quick reply or action.

Appointment reminder
Reminder to schedule a new appointment 
Appointment confirmation
Appointment cancellation notification
Notification that lab test or screening results are available online 

When you’re sending a lengthier message that contains a lot of PHI, that’s where secure email comes in.

Use secure email when you’re:

Collecting intake forms 
Sending test or screening results
You need to discuss health issues
You’re referring your client to another practitioner
Transferring any kind of PHI

Here are a couple of scenarios where texting and email can work together: 

Scenario 1:

You text an appointment reminder to a client. The text also reminds them to fill out emailed intake forms before their appointment. 

Scenario 2:

Your client takes the PHQ-9 screening you sent them over secure email. You send them a text letting them know you emailed them their results. 

As a healthcare provider, you want convenience, efficiency, and cost savings for your practice, but you need compliance. 

Hushmail for Healthcare is the HIPAA-compliant email and form solution that, when used with secure texting, can help you get the best of all worlds. 

Learn more about Hushmail

FAQ 

Are encrypted messaging apps HIPAA compliant?

Not unless they come with access controls, audit controls, and a BAA.

Is WhatsApp HIPAA compliant?

No. Even though it's encrypted it doesn't come with the access controls, audit controls, and BAA that are necessary for HIPAA compliance.

Can I use my electronic medical record (EMR) to send text messages?

Yes, if your EMR comes with a BAA, which it likely does, and provides access controls and audit controls.

Is a client’s name and phone number PHI?

Yes. When a name and phone number are connected to health information, they’re considered PHI. For that reason, even very simple appointment confirmation messages must be handled with care. 

Text your clients and support your HIPAA compliance

Texting is convenient, connects you with your clients, and can save you money by preventing no-shows. With a few considerations, you can use it to communicate in your practice while being HIPAA compliant:

  • Send and receive as little PHI possible
  • Inform your clients of the risks and have them sign a request for non-secure communication during your intake process
  • Use a HIPAA-compliant text messaging app
  • Use secure email for longer messages

According to Dalton, another best practice is to provide your client with a communication policy. While not a specific HIPAA requirement, the policy is supportive of good ethical boundaries and lets your client know what to expect when they receive a text from you or send one themselves. 

“The parameters around texting should be addressed in a communications policy to establish the content of what will be texted as well as response time frames. This is all important to ensure that you’re on the same page with your clients regarding communication.”

Liathana Dalton, Director, Person Centered Tech

Person Centered Tech provides a sample communications policy you can edit to fit your practice.

Sample communications policy

If you follow the guidelines above, you can enjoy the convenience and cost savings of texting and still support your HIPAA compliance.

Submit your information below to get your free Request for non-secure communication form. 

05_Form thumbnail_Is texting

 


Similar posts