Imagine recovering $4,000 in overdue payments from patients in a single day, just by sending a simple text message. That’s exactly what happened in a Springfield, MO cardiologist’s office when they texted this cryptic message: “We have an issue to speak with you about.” Sure enough, the patients called in, and many paid up.
Weighing Convenience and Compliance
Texting is certainly convenient, and with smartphones in almost every pocket, you can be confident that most of your patients will have easy access to your messages. Many practices are already using texts for appointment reminders, billing issues, and medication refills.
Thinking you should jump on the text train? Not so fast. As with any other patient communications, HIPAA privacy and security rules govern text messages. Remaining compliant requires planning and diligence, and many offices quickly find themselves in trouble when messaging policies are vague or even absent.
HIPAA Guidelines for Texting
If your text messages contain protected health information (PHI), they are subject to HIPAA laws. For example, just like physical letters or emails, texts must be retained for the legally required period of time.
Additionally, patients must be able to access and amend the information in the text messages. These requirements raise a number of issues. How and where should you store text data so that patients can access it?
Some practices, reluctant to deal with the hassle of keeping records, choose to simply delete all texts. This is a dangerous habit with potentially severe legal ramifications. In the case of a malpractice lawsuit that hinges on text message evidence, a physician who has not maintained copies of those conversations puts himself in serious jeopardy.
Establish Policies that Minimize Risk
To avoid these kinds of risks, apply the HIPAA security rule to text messaging as part of your comprehensive risk analysis and management strategy. Consider implementing one or more of the following controls for your protection.
1. Prohibit the texting of PHI altogether, and train your staff on the appropriate use of work-related texting.
2. Protect devices that create, receive, or maintain text messages. Implement password protection and encryption, and maintain an inventory of all mobile devices used for practice-related texting. When a device is no longer being used, ensure that all sensitive information is deleted from its storage.
3. Treat texts from patients exactly as you would letters or telephone conversations. Ensure that any PHI sent or received via text is noted in the medical record.
Texting with patients could represent a major advance in how your practice connects with them. If you decide that texting is the right move for your practice, mitigate the legal risk with careful planning and documentation.