To Text or Not To Text Patients? The Message from HIPAA

Most of the 1.9 trillion texts Americans sent from their smartphones to friends and family last year wouldn’t be secure enough for healthcare settings. It’s unfortunate, because texting is a quick, easy and effective way to communicate.

It’s probably also no surprise that texting is the most popular smartphone feature, according to a 2015 Pew Research Center survey,  and 97% of Americans use their phones to text.

But like most other things, different rules apply in the healthcare world.

The HIPAA/HITECH privacy and security rules cover any communication with electronic protected health information (ePHI), including e-mail, social media and text messages. In an actual case, providers at a nursing facility requested nurses text them patient information. Even without evidence that an unauthorized person saw the messages, CMS intervened with a 10-point remediation plan to retrain staff, appoint a HIPAA security officer and revise their HIPAA policies and procedures.

Remember that texting leaves a record, unlike telephone calls. Plus it’s easier to know you’re reaching the correct person on the phone. The risk of texting sensitive patient information to another person is not zero – in public surveys, about one-third of people say they’ve mistakenly sent a text to the wrong person.

In addition, HIPAA/HITECH privacy violations can carry hefty fines, up to $50,000. So avoiding the temptation to text a colleague for a quick patient consult could save you money as well.

HIPAA Compliant Texting

Even so, the Joint Commission did not rule out all texting, according to Andrew A. Brooks, MD, orthopaedic surgeon and Chief Medical Officer at Tigertext, a secure mobile messaging firm.  In a piece for the American Academy of Orthopaedic Surgeons, Dr. Brooks points out that minimum requirements for HIPAA compliance include:

Secure data centers—Onsite or offsite (cloud) data centers must use a high level of physical security and policies to review controls and conduct ongoing risk assessments.
Encryption—ePHI is encrypted both in transit and at rest.
Recipient authentication—Confirmation that any communication containing ePHI only goes to its intended recipient.
Audit controls—The ability to create and record an audit trail of all activity, including text messages containing ePHI.

The sheer volume of text messages indicates an overall preference for this form of communication. The 1.92 trillion texts last year is almost double the 1 trillion sent in 2008, so who knows how many texts Americans will send going forward.

Texting Appointment and Wellness Reminders

Your practice may already send patients text reminders for upcoming appointments. There’s evidence this strategy can reduce your patient no-show rate. HIPAA rules generally do not apply to communications without ePHI.

Text reminders also seem to help patients with medication, healthcare and lifestyle reminders. As examples, researchers show chronic disease text messaging can help patients manage their diabetes, remind African-Americans with high blood pressure to take their medication, and help people increase their exercise and physical activity levels, although some say more research on best practices is needed.

Healthcare vendors offer apps that promise secure texting and would allow physicians and medical professionals to communicate within a HIPAA-compliant platform. Verify information complies with HIPAA because government agencies do not vet many of these apps. Also, if you chose to use a third-party secure texting platform, keep in mind the three requirements for securing PHI: confidentiality, integrity, and availability. Any platform chosen must satisfy all three elements, according to Mellette PC Healthcare Provider Attorneys in Virginia.

Another option, now that more than 80% of physicians use electronic health record systems, is to communicate with patients by sending e-mails through a secure patient portal. As you probably know, secure portals can help eligible providers meet Meaningful Use.

Whatever strategy you use, remind your staff to never transfer ePHI through non-secure methods of communication. And while we congratulate you on moving to the world of quick and convenient electronic communication with patients, here at Power Your Practice we also don’t want to see you financially penalized.