Engaging with your medical patients via text message is becoming a more common practice.
Patients not only prefer communicating with their healthcare professionals through SMS, but SMS response rates are almost 295% higher than phone call response rates, which means that you can have better and faster communication with your patients through text.
However, as a medical practice, you must comply with HIPAA (Health Insurance Portability and Accountability Act) laws, including phone calls and SMS texting. If you’re not sure how to integrate texting into your business model while remaining HIPAA compliant, we have all the information you need below.
The short answer is that no, texting is not inherently HIPAA compliant. Certain measures need to be taken in order to ensure that messages are able to be sent and received in a safe and secure way.
The Minimum Necessary Standard is defined as “required to make reasonable efforts to ensure that access to PHI (Protected Health Information) is limited to the necessary information to accomplish the intended purpose of a particular use, disclosure or request.” Essentially, you want to disclose the least amount of PHI in order to fulfill any query or request.
Below we will give you ten steps you can take to make sure you are fully HIPAA compliant when texting patients.
You must get explicit permission from your patient to be able to message them. You can include a section in your intake paperwork that they can sign if they want to be opted into receiving SMS from your office.
Not everyone in your office needs to access all of your patients’ personal information. Nurses don’t need billing information, and the billing department doesn’t need to know about conversations between the patient and doctor. Set up separate channels for each department to ensure maximum discretion.
When a patient receives private information from their doctor, there is always the risk that someone else will pick up their device and see personal details. In order to remain HIPAA compliant, you must warn your patients in writing about this risk and have the sign off on it.
In order to prevent sending the wrong information to the wrong patient, you should set up a patient ID that is unique to them. It could be numerical, or include their last name or birth year.
It is important to utilize a timed session with an automatic log-off when user activity has stopped to prevent unauthorized people from accessing PHI.
Regular phone-to-phone messaging is usually not encrypted, so you need to use a messaging platform that can encrypt sensitive messages in order to send patient data safely.
Another tool you can use to ensure you’re corresponding with the correct recipient is multi-factor authentication. Have them verify their email, phone number or date of birth before you send them PHI.
As stated above, your practice should be utilizing all the resources necessary to make sure that only the minimum amount of PHI is disclosed in order to complete the task or transaction regarding the patient.
In the event that you are audited, you should keep organized records of the communications you have with your patients and be prepared to present them when necessary.
Sometimes devices are lost or stolen, and in that case, it could put your HIPAA compliance in jeopardy. You need to make sure that you can remotely delete sensitive information that you have sent out.
There are some messages that you can send without fear of revealing sensitive PHI. As long as the PHI isn’t in the text itself, and requires the recipient to log in to an independent website or system, you can safely send the following texts:
Check out some Appointment Confirmation Templates!
These days, everyone wants to communicate via text, and if you want to bring your healthcare practice into the modern era, integrating a HIPAA-compliant, secure text messaging platform can make communication faster and easier for both doctor and patient.
Find out how much an SMS platform can help your healthcare business by signing up for your free trial of Texting Base today!