HIPAA Compliance: Can I Text My Patients?

With more than 80% of Americans using their phones to text and more than 6 billion text messages sent in the U.S. every day (not a typo), it is entirely unsurprising that patients want to text about at least some aspect of their medical care [1,2,3]. Maybe also unsurprisingly, many physicians want to text about medical issues as well, with upward of 90% of doctors in some settings using texting in patient care [4].

Despite these overwhelming numbers, many doctors feel that they can’t text about medicine because of HIPAA compliance issues. They worry about compromising their patients’ protected health information (PHI) and exposing themselves to fines and censure. HIPAA, however, is nowhere near an outright ban on texting, and you don’t have to let it stop you from bringing your phone and your practice up to speed with everything else in your life.

Regular Texting That’s HIPAA Compliant? Says Who?

Says the government. Specifically, the U.S. Department of Health & Human Services (HHS), which administers HIPAA, has provided quite specific guidance on using electronic communication methods with your patients [5,6]. The guidance language mostly mentions e-mail, but HIPAA regulations do not often reference specific technologies, so the suggestions are typically taken to apply to electronic communication in general [7].

Per HHS: “The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. […] Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail.”

So Texting Is Always HIPAA Compliant?

Definitely not. Like everything with HIPAA, it is the overall process and system that determines compliance, not any specific technology. Standard, unencrypted texting can meet the demands of HIPAA in some cases but certainly not all the time. Check out our white paper on texting and e-mail under HIPAA for a breakdown of common medical communication scenarios that you are likely to encounter and how you can make them compliant with HIPAA.

If you also want general information on fitting mobile devices into your comprehensive approach to HIPAA, the government has guidance on that subject, too.

Is There Anything I Can Do to Be as HIPAA Compliant as Possible?

Sure! Here is a short list of best practices that will get you on the road to HIPAA compliance with texting:

  1. Find out your patients’ preferences and document their consent.
    HIPAA is big on patients having freedom and control, so pursuing these is always smart. In the HIPAA Omnibus Rule commentary, HHS states, “We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.” In a separate FAQ, they note that “an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable,” so there may actually be an obligation in some cases to use unencrypted texting or email, if your practice can! [5,6]
  2. Make sure texting and mobile devices in general are considered in your organization’s risk assessment.
    HIPAA compliance is a process, not a static thing, and the HIPAA Security Rule is big on organizations performing ongoing “risk analysis” to consider where they contact electronic PHI and how they’re protecting it. Come up with a process, carry it out, and document it. See our HIPAA compliance checklist if you need guidance on this.
  3. Always encrypt what you can.
    Standard texting is always going to be somewhat insecure, but you can control your end of things. Products, such as the Spruce Care Messenger, exist that let you send standard text messages to your patients but also encrypt the texts on your end in storage. This lets you keep the texts as an important part of the medical record while protecting them in a HIPAA-compliant way. Many of these products (again, including our Care Messenger) also make the conversation completely secure if the patient downloads the corresponding app. If that’s feasible for you, then it’s far better for HIPAA compliance than using standard, unencrypted texting.

So…I Can Text?

Sometimes. Sometimes you can text patients. You should really read our white paper. It’s short and useful; I promise!

This article is part of a series of posts relating to HIPAA law and regulation. The information provided is meant as general guidance only and is not intended to be legal advice.


References:

  1. Duggan, M. & Pew Research Center. Cell Phone Activities 2013. (Pew Research Center, 2013).
  2. O’Grady, M. SMS Usage Remains Strong In The US: 6 Billion SMS Messages Are Sent Each Day. Forrester Research, Inc.: Michael O’Grady’s Blog (2012). Available at: http://blogs.forrester.com/michael_ogrady/12-06-19-sms_usage_remains_strong_in_the_us_6_billion_sms_messages_are_sent_each_day. (Accessed: 19th August 2016)
  3. Council of Accountable Physician Practices (CAPP), Bipartisan Policy Center (BPC) & Nielsen Strategic Health Perspectives. Better Together: High Tech and High Touch (Consumer Healthcare Survey Results). (2015).
  4. Plant, M. A. & Fish, J. S. Resident use of the Internet, e-mail, and personal electronics in the care of surgical patients. Teach. Learn. Med. 27, 215–223 (2015).
  5. U.S. Department of Health & Human Services. 570-Does HIPAA permit health care providers to use e-mail to discuss with their patients. HHS.gov (2008). Available at: http://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/
  6. Office for Civil Rights, Department of Health and Human Services. 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. Fed. Regist. 78, 5566–5702 (2013).
  7. Stanger, K. C. HIPAA, E-mails, and Texts to Patients or Others. The National Law Review (2015). Available at: http://www.natlawreview.com/article/hipaa-e-mails-and-texts-to-patients-or-others. (Accessed: 19th August 2016)
