What HIPAA Says About Texting Patients

Posted by Team PracticeForces on Aug 22 2016

When the Health Insurance Portability and Accountability Act was made law in 1996, the drafters never considered how future technology would impact the way providers communicate with their patients. As technology evolved, it was necessary for HIPAA to adjust as well.


The New HIPAA Texting Rules

In 2013, more than 80% of providers were using portable technology and that percentage is likely to have increased in the past 3 years. Texting has become one of the most effective and convenient ways to communicate. In response to the changing face of technology, the Final Omnibus Rule of March 2013 introduced the first HIPAA texting policy in order to protect the security of patient information.

Texting is Not Prohibited in the New HIPAA Rules

The rules are specifically designed to focus on security and protecting patient privacy. There is no part of the policy that specifies that text may not be used for appointment reminders, notices, updates from the office, or other communications with the patient. The new HIPAA rules do not specifically mention texting at all.

Adequate Safeguards Must Be In Place to Ensure Privacy

The goal of the new HIPAA guidelines is to ensure that mobile device users have the appropriate security measures in place to protect patient privacy. Specifically, the guidelines aim to control how patient information is transmitted, how it is received, and how it is protected on a mobile device. These guidelines include:

  • Mobile devices that transmit patient information must be safeguarded with passwords.
  • Patient health information should not be stored in the memory of individual mobile devices.
  • Sensitive patient information transmitted by electronic means should be encrypted, and messages without encryption should be deleted.
  • Security measures should be taken when patient information is being transmitted over unsecured cellular networks or public Wi-Fi.
  • Employees in health care should notify supervisors before disposing of or selling their portable devices to ensure that no private information is lost or stolen.
  • Facilities should have the ability to remotely recall or delete any information sent.
  • A suspected security breach must be reported, and failure to comply or provide appropriate security measures can result in criminal charges, fines, or civil legal action.

Patients Must Provide Express Consent

The protection of your patient’s information is your top concern. Draft your Privacy Policy to specify what information is authorized to be sent via text message, along with what number to use. Verifying the patient’s contact information, telephone number, and continued authorization for text messages at each visit is an excellent way to ensure HIPAA compliance. When a patient changes their phone number or requests the texts to end, honor the request immediately.

The HIPAA regulations regarding technology are focused on providing additional safeguards to protect private patient information. By understanding how the guidelines affect your staff, ensuring technological safeguards are in place, and communicating effectively with your patients, you can safely and conveniently utilize text within HIPAA guidelines.

Topics: HIPAA
