
10-Point Checklist for HIPAA Compliant Texting

Engaging with your medical patients via text message is becoming a more common practice.

Patients not only prefer communicating with their healthcare professionals through SMS, but SMS response rates are almost 295% higher than phone call response rates, which means that you can have better and faster communication with your patients through text.

However, as a medical practice, you must comply with HIPAA (Health Insurance Portability and Accountability Act) rules, and those rules cover phone calls and SMS texting as well. If you’re not sure how to integrate texting into your business model while remaining HIPAA compliant, the information you need is below.

Is Texting HIPAA Compliant?

The short answer is no: texting is not inherently HIPAA compliant. Certain measures need to be taken to ensure that messages are sent and received in a safe and secure way.

The Minimum Necessary Standard

Under the Minimum Necessary Standard, a covered entity is “required to make reasonable efforts to ensure that access to PHI (Protected Health Information) is limited to the necessary information to accomplish the intended purpose of a particular use, disclosure or request.” Essentially, you want to disclose the least amount of PHI needed to fulfill any query or request.

A 10-Point Checklist to Ensure HIPAA Compliant Messaging

Below we will give you ten steps you can take to make sure you are fully HIPAA compliant when texting patients.

1. Obtain express written consent

You must get explicit permission from your patient to be able to message them. You can include a section in your intake paperwork that they can sign if they want to be opted into receiving SMS from your office.

2. Determine which employees can access patient conversations

Not everyone in your office needs to access all of your patients’ personal information. Nurses don’t need billing information, and the billing department doesn’t need to know about conversations between the patient and doctor. Set up separate channels for each department to ensure maximum discretion.

3. Provide written warning about the risks of unauthorized disclosure

When a patient receives private information from their doctor, there is always the risk that someone else will pick up their device and see personal details. In order to remain HIPAA compliant, you must warn your patients in writing about this risk and have them sign off on it.

4. Assign a unique user ID to each recipient

In order to prevent sending the wrong information to the wrong patient, you should set up a patient ID that is unique to them. It could be numerical, or include their last name or birth year.

5. Use a messaging platform with automatic log-off

It is important to utilize a timed session with an automatic log-off when user activity has stopped to prevent unauthorized people from accessing PHI.

6. Use encrypted messages

Regular phone-to-phone messaging is usually not encrypted, so you need to use a messaging platform that can encrypt sensitive messages in order to send patient data safely.

7. Use multi-factor authentication

Another tool you can use to ensure you’re corresponding with the correct recipient is multi-factor authentication. Have them verify their email, phone number or date of birth before you send them PHI.

8. Use the Minimum Necessary Standard

As stated above, your practice should be utilizing all the resources necessary to make sure that only the minimum amount of PHI is disclosed in order to complete the task or transaction regarding the patient.

9. Keep records of all text communications

In the event that you are audited, you should keep organized records of the communications you have with your patients and be prepared to present them when necessary. 

10. Ensure that you can remotely erase data if needed

Sometimes devices are lost or stolen, and in that case, it could put your HIPAA compliance in jeopardy. You need to make sure that you can remotely delete sensitive information that you have sent out.

7 Types of Health-Related Information You Can Safely Send 

There are some messages that you can send without fear of revealing sensitive PHI. As long as the PHI isn’t in the text itself, and the recipient has to log in to a separate website or system to see any details, you can safely send the following texts:

  • Appointment reminders
  • Patient registration instructions
  • Pre- and post-operative instructions
  • “Test results are available in your patient portal” notifications
  • “Prescription ready for pickup” notifications
  • Home healthcare information and instructions
  • Review requests
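As an added example (not Texting Base's code and not from the original post), here is a small Python gate that applies checklist steps 1, 3, 4, 8 and 9 to one outbound text: it refuses to send without consent on file, rejects a body that carries clinical detail in favour of the portal-notification style listed above, and records every attempt. The patient records, their field names and the PHI keyword list are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample patient records. The field names are assumptions for this example,
# not Texting Base's schema. Step 1 (consent) and step 3 (risk warning) map to the two flags.
PATIENTS = {
    "P-4821": {"sms_consent": True, "disclosure_risk_ack": True},
    "P-1190": {"sms_consent": False, "disclosure_risk_ack": True},
}

# Illustrative deny-list of clinical wording. A body matching any of these carries PHI in
# the message itself; the portal-notification pattern ("results are available...") does not.
PHI_PATTERNS = [
    r"\bdiagnos",                   # diagnosis / diagnosed
    r"\b(positive|negative)\b",     # test outcomes
    r"\bresults?\s+(is|was|show)",  # "your result is ..." style disclosures
    r"\b\d+\s*mg\b",                # dosages
    r"\bHIV\b",
]

AUDIT_LOG = []  # step 9: every send attempt, allowed or not, is recorded here

@dataclass
class Decision:
    allowed: bool
    reason: str

def check_outbound_sms(patient_id: str, body: str) -> Decision:
    """Gate one outbound text against the checklist before it reaches the SMS gateway."""
    patient = PATIENTS.get(patient_id)
    if patient is None:
        decision = Decision(False, "unknown patient id (step 4)")
    elif not (patient["sms_consent"] and patient["disclosure_risk_ack"]):
        decision = Decision(False, "no written consent or risk acknowledgement on file (steps 1, 3)")
    elif any(re.search(p, body, re.IGNORECASE) for p in PHI_PATTERNS):
        decision = Decision(False, "body contains clinical detail; send a portal notification instead (step 8)")
    else:
        decision = Decision(True, "portal-style notification, no PHI in body")
    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "patient_id": patient_id,
        "body": body,
        **asdict(decision),
    })
    return decision
```

Call `check_outbound_sms("P-4821", "Your test results are available in your patient portal.")` to see an allowed notification, and pass a body such as "Your HIV test result is negative." to see the same patient refused on content.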

Send HIPAA Compliant Text Messages With Texting Base

These days, everyone wants to communicate via text, and if you want to bring your healthcare practice into the modern era, integrating a HIPAA-compliant, secure text messaging platform can make communication faster and easier for both doctor and patient.

Find out how much an SMS platform can help your healthcare business by signing up for your free trial of Texting Base today!