POSTED January 23, 2024
How Do I Text Without Violating HIPAA?
With the increase in cell phone users, communicating with clients by text has become standard in many industries, including healthcare. Healthcare organizations, however, have additional factors to consider before setting up SMS communication with patients, because they must comply with HIPAA. Doctors and customer service representatives in the health industry handle protected health information (PHI) regularly, and they must manage that information legally and ethically to protect the patient's interests.
Health industries can still utilize SMS text messaging to optimize patient experience and increase workflow efficiency while remaining HIPAA compliant. If you are considering implementing SMS into your business process to send text appointment reminders to patients, slyText offers various benefits to send MMS and SMS marketing messages efficiently.
When considering using text messaging, the following questions are crucial to consider to remain HIPAA compliant: What is HIPAA? To whom are HIPAA regulations relevant? Is text messaging HIPAA Compliant? What information can you communicate via text? Can slyText be used in the health industry?
What is HIPAA and Why is it Important to Know?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law under which standards were issued to protect patients' health information from being used or disclosed without their knowledge or authorization.
The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule, which governs how covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates use and disclose protected health information (PHI).
The HIPAA Security Rule, on the other hand, requires covered entities and business associates to put administrative, physical, and technical safeguards in place for PHI they create, receive, store, or transmit electronically, referred to as electronic PHI or e-PHI.
For example, when joining a local primary care office, patients are given a form on which they indicate to whom the office may disclose their PHI, such as a spouse or a family member. If a doctor discussed a patient's PHI with someone the patient had not authorized on that form, the doctor would be violating HIPAA. This is only one of the many ways personnel are at risk of violating HIPAA regulations.
To Whom Are HIPAA Regulations Relevant?
HIPAA regulations are relevant to any employee who must come into contact with PHI or e-PHI to perform their job. If you are a doctor, dentist, nurse, health care associate, or a patient, HIPAA regulations are relevant to you. Patients have the right to understand how their PHI is being protected and determine who is permitted access to their PHI. Personnel handling PHI are responsible for adhering to HIPAA regulations and protecting clients' rights and information.
HIPAA compliance includes more than just the doctors who provide the medical care. For example, suppose you are a customer service associate for a health insurance company or work at the front desk of a doctor's office and schedule patients' appointments. In that case, you are responsible for understanding and adhering to HIPAA regulations and protecting patient information.
So, Is Text Messaging HIPAA Compliant?
Standard unencrypted SMS messaging is HIPAA compliant only when the patient has specifically requested and consented in writing to receive PHI by text, has been warned in writing of the risks of unencrypted transmission, and basic safeguards are in place.
The main concern with SMS messaging is the lack of encryption, audit controls, and access controls. Standard mobile devices do not provide the technical safeguards needed to ensure that only authorized individuals can access the information, and a device can be lost, stolen, or compromised, exposing messages that can be used for identity theft or insurance fraud.
SMS is also not end-to-end encrypted: messages travel through, and may be stored in plaintext on, carrier infrastructure that is itself subject to data breaches, leaving sensitive information vulnerable along the entire path. HIPAA-compliant text messaging requires a secure messaging channel, which standard SMS through a mobile carrier does not provide.
Suppose an app or messaging platform is configured to meet the technical safeguards of the Security Rule. In that case, it may be used to send patients messages containing e-PHI as long as they have provided written consent. For example, audit controls that log who accesses the information are a required standard, and encryption of e-PHI in transit and at rest is an addressable specification that a covered entity is expected to implement wherever it is reasonable and appropriate; end-to-end encryption of the message path is the usual way a messaging platform satisfies it. These are just a few of the technical safeguards a messaging platform needs in order to qualify as HIPAA compliant.
What Information Can You Communicate Via Text?
While standard SMS business text messaging is not considered HIPAA compliant, there are certain types of information and situations where text messaging does not violate HIPAA standards:
Non-Specific Appointment Reminders/Confirmations
To confirm appointments or send appointment reminders via SMS text messaging, the message must be generic and must not specify what the appointment is for. For example, reminding the patient that their annual checkup is coming up would violate HIPAA because the message discloses the specific service the patient receives at the visit; a reminder that gives only the date, time, and office contact does not.
Billing Reminder
Billing reminders are acceptable to send via text; however, the reminder cannot include specific billing information like the bill total or the details of the service being covered. Reminders like this can only indicate that a bill remains to be paid and where to go to pay the remaining bill, such as a patient portal.
Indication of Available Test Results
Offices can notify patients that test results are available via text but cannot provide the actual results within the message; they can only refer the patient to where they can safely and legally review the results. Similar health information, like medical and immunization records, must be kept within a secure HIPAA-compliant platform and never sent to patients through text.
Survey Request
Healthcare offices are permitted to send general review requests where patients can leave a standard review without violating HIPAA; however, they cannot ask the patient to rate their experience with a particular doctor as that reveals specific information regarding the patient's visit.
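The four categories above share one rule: the text may carry scheduling and routing details, never the clinical or financial specifics behind them. A reliable way to enforce that rule is to keep PHI out of the SMS layer by construction rather than by reviewer discipline. The following pre-send check is an added example written for this page; it is not slyText's code or any vendor's API. It assumes a template renderer with a hypothetical allowlist of non-PHI merge fields (first name, date, time, portal URL, office phone), so a template cannot pull a diagnosis, balance, or provider name out of the patient record even if the record contains them, and it scans the template's literal text for wording that looks like PHI typed in by hand. The patterns and the patient record are constructed for the example.

```python
"""Pre-send check for patient SMS templates (added example, not vendor code).

Two layers:
  1. Only an allowlist of non-PHI merge fields is ever passed to the renderer,
     so a template cannot reference {diagnosis}, {balance_due} or {provider}.
  2. The template's literal text is scanned for wording that typically carries
     PHI (a dollar amount, a result value, a clinician's name, a procedure).
"""
import re
import string

# Hypothetical allowlist: the only record fields the SMS layer may see.
ALLOWED_FIELDS = {"first_name", "appt_date", "appt_time", "portal_url", "office_phone"}

# Constructed starting patterns for PHI typed directly into a template body.
# Extend this list for your own organisation; it is illustrative, not exhaustive.
PHI_PATTERNS = [
    ("currency amount", re.compile(r"\$\s?\d")),
    ("result wording", re.compile(r"\b(positive|negative|abnormal|elevated)\b", re.I)),
    ("clinician name", re.compile(r"\bDr\.?\s+[A-Z]")),
    ("diagnosis/procedure", re.compile(
        r"\b(checkup|check-up|mri|x-ray|biopsy|vaccine|immunization|diabetes|hiv|pregnan\w*)\b",
        re.I)),
]


class TemplateRejected(ValueError):
    """Raised when a template would disclose PHI over SMS."""


def template_fields(template: str) -> set[str]:
    """Return every merge field a str.format template references ('' = positional)."""
    return {f for _, f, _, _ in string.Formatter().parse(template) if f is not None}


def check_template(template: str) -> list[str]:
    """Return a list of problems; an empty list means the template may be sent."""
    problems = []
    for field in sorted(template_fields(template) - ALLOWED_FIELDS):
        problems.append(f"disallowed merge field {{{field}}}")
    for label, pattern in PHI_PATTERNS:
        if pattern.search(template):
            problems.append(f"literal text looks like PHI ({label})")
    return problems


def render_sms(template: str, patient: dict) -> str:
    """Render a template, refusing anything that fails check_template.

    Even a passing template only ever sees the allowlisted subset of the record.
    """
    problems = check_template(template)
    if problems:
        raise TemplateRejected("; ".join(problems))
    safe_subset = {k: v for k, v in patient.items() if k in ALLOWED_FIELDS}
    return template.format_map(safe_subset)


# Constructed patient record: note that it contains PHI the SMS layer must never use.
PATIENT = {
    "first_name": "Maria", "appt_date": "Feb 2", "appt_time": "9:30 AM",
    "portal_url": "https://portal.example.org", "office_phone": "555-0100",
    "diagnosis": "type 2 diabetes", "balance_due": "$240.00", "provider": "Dr. Patel",
}

# Templates matching the four permitted categories (constructed).
OK_REMINDER = ("Hi {first_name}, reminder: you have an appointment on {appt_date} "
               "at {appt_time}. Reply C to confirm or call {office_phone}.")
OK_BILLING = "Hi {first_name}, you have an outstanding balance. Pay securely at {portal_url}."
OK_RESULTS = "Hi {first_name}, new results are ready in your patient portal: {portal_url}."
OK_SURVEY = "Hi {first_name}, how was your recent visit? Leave a review at {portal_url}."

# Templates that disclose specifics and must be rejected (constructed).
BAD_REMINDER = "Hi {first_name}, your annual checkup with {provider} is on {appt_date}."
BAD_BILLING = "Hi {first_name}, your balance of {balance_due} is due."
BAD_RESULTS = "Hi {first_name}, your test came back negative."

if __name__ == "__main__":
    for name, tpl in [("OK_REMINDER", OK_REMINDER), ("OK_BILLING", OK_BILLING),
                      ("OK_RESULTS", OK_RESULTS), ("OK_SURVEY", OK_SURVEY),
                      ("BAD_REMINDER", BAD_REMINDER), ("BAD_BILLING", BAD_BILLING),
                      ("BAD_RESULTS", BAD_RESULTS)]:
        try:
            print(f"{name}: SEND -> {render_sms(tpl, PATIENT)}")
        except TemplateRejected as exc:
            print(f"{name}: REJECTED -> {exc}")
```

The allowlist is the part that matters: a keyword scan will always miss something, but a renderer that simply never receives the diagnosis, balance, or provider fields cannot leak them no matter what a template author writes. Keep the scan as a second line of defence against specifics typed into the literal text, and log which template ID went to which recipient (not the message body) so the audit trail itself does not become another store of PHI.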
Can slyText Be Used in the Health Industry?
SlyText is a business text messaging service that can be used as an excellent patient communication tool so long as its use complies with HIPAA regulations. It can be used as a mass notification system to send appointment confirmations, notify patients of cancellations, or other reminders. SlyText's other features include customer opt-out, call forwarding, and list upload capability.
Conclusion
HIPAA, or the Health Insurance Portability and Accountability Act, requires specific standards and procedures for how covered entities use and disclose PHI and e-PHI with the patient's knowledge and consent.
Healthcare professionals and anyone who must access PHI to perform their job are responsible for protecting patient data and information and complying with HIPAA regulations.
It is important to note that when dealing with medical information, such as test results, health records, or other personal health information, standard SMS text messaging is not HIPAA compliant due to its lack of security and susceptibility to data breaches.
Healthcare organizations may communicate generic, non-specific information by text, including appointment reminders and confirmations, billing reminders, notifications that test results are available, and general survey requests.