
Guide to HIPAA Compliant Texting For Medical Offices

Last updated August 9, 2020

Is SMS Text Messaging HIPAA Compliant?

Text messaging (as a technology) is not HIPAA compliant. However, HIPAA doesn’t prohibit you and your medical office from sending text messages (like appointment reminders) to patients.

You just need to be aware of some specific rules and best practices before you start texting.

To send text messages to patients:

1. Messages can’t contain protected health information (PHI)

2. Patients need to opt in to messaging

COVID-19 UPDATE: On March 17, 2020, the US Department of Health and Human Services (HHS) released a statement in response to COVID-19 on HIPAA enforcement discretion for healthcare providers. The statement gives greater discretion and flexibility to healthcare providers who serve and contact patients every day through communications technologies.

Read More: Statement from the US Department of Health and Human Services

Disclaimer: Please note that our advice is for informational purposes only. It’s not meant to substitute for advice from qualified legal counsel.


What is HIPAA? What is Protected Health Information (PHI)?

HIPAA stands for the Health Insurance Portability and Accountability Act (1996). HIPAA is designed to keep protected health information (PHI) and patient privacy safe.

For any messaging technology to be HIPAA compliant, all messages containing protected health information (PHI) need to be encrypted. Texts also have to be protected while in transit and while stored, not just at the moment of sending and receiving.

PHI is any individually identifiable health information. Identifiers such as first name, last name, birthday, or address all count as PHI.

Suggested Article: Summary of the HIPAA Security Rule

Why You Need to Send HIPAA Compliant Text Messages

Sending HIPAA compliant text messages matters because text messaging isn’t a secure messaging technology.

Telecommunications carriers store all text messages, texts aren’t encrypted, and most phones don’t have strong password protection.

Over its lifetime, a text message passes through various carriers and gets stored on their servers. When a message is “at rest,” the data is stored locally on the recipient’s phone. This leaves the content of a message exposed at every storage point.

Additionally, mobile devices can get lost or stolen. This exposes PHI to identity theft.

HIPAA violations are also a serious affair. The penalties for HIPAA violations can range from $100 to $50,000 per day depending on the severity of the violation.

Top 3 reasons why text messages aren’t HIPAA compliant:

1. Telecom carriers store all text messages as data on their servers

2. Text messages (as a technology) aren’t natively encrypted

3. Password protection on normal phones and text messaging apps isn’t secure enough


How to Send HIPAA Compliant Text Messages

For your medical office to text patients, you first need consent. Consent applies to both transactional and promotional messages. You also need to make sure your text messages don’t contain any protected health information (PHI).

Consent for Transactional and Promotional Messages

Getting consent is a general text messaging best practice and just normal texting etiquette. It’s also a texting requirement that all healthcare organizations are subject to under the Telephone Consumer Protection Act (TCPA).

To establish consent, you need to know the difference between transactional and promotional text messages for patient communication.

Transactional vs. Promotional Messages

Transactional messages fall under implied consent. These texts help facilitate, complete, or confirm a previously agreed-upon business transaction or relationship.

Has your patient already scheduled an appointment with your office? If yes, then their consent is implied because of your already established transactional relationship. This makes it OK to text appointment reminders.

Promotional messages require express consent. These are all the other texts that don’t directly involve an existing business transaction or relationship.

Has your patient given you their express consent (written or verbal) to receive texts? If not, then you don’t have permission to send them promotional texts or share any medical information.

Transactional Text Messages (implied consent):

1. Appointment reminders

2. Checkup reminders

3. No-show / missed appointment reminders

4. Check-in and room-ready reminders

Promotional Text Messages (express consent - written or verbal):

1. Schedule next appointment

2. Advertising new services or products

3. Health care tips

4. Patient satisfaction surveys and polls

TCPA Contact List Management

Opt-in and Opt-out Management

All patients need a way to opt in and out of text messaging from your office. This is part of the TCPA guidelines and best practices.

Many business text messaging platforms like SnapDesk have built-in opt-in and opt-out management systems. You get an easy and user-friendly way to see who has and hasn’t opted into messaging.

If your office texts a patient for the first time, SnapDesk will automatically send an opt-out message. This message tells the patient how to opt out of text messages by replying STOP.

If a patient opts out by texting STOP, a guard is placed on their number. This prevents you and your office from texting the patient until they opt back into messaging.

Suggested Article: Managing Opt-in and Opt-out with SnapDesk
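The consent rules from the transactional vs. promotional section and the opt-in/opt-out handling just described, worked through in Python as an added example; this is not SnapDesk's code. It assumes a simple in-memory contact record, the function names shown, the wording of the opt-out message, and a constructed sample phone number.

```python
"""Consent gate for patient texting.

Added illustration of the rules described above; it is not SnapDesk code.
  * Transactional texts (appointment reminders) rely on implied consent, which
    exists only once the patient has an established relationship with the office.
  * Promotional texts require documented express consent.
  * The first text to a number triggers an opt-out message telling the patient
    how to opt out.
  * A STOP reply places a guard on the number until the patient opts back in.
The data model, function names, the opt-out wording and the sample phone number
are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto


class Kind(Enum):
    TRANSACTIONAL = auto()   # confirms or completes an existing relationship
    PROMOTIONAL = auto()     # anything else: new services, tips, surveys


@dataclass
class Contact:
    number: str
    has_relationship: bool = False   # e.g. an appointment already on the books
    express_consent: bool = False    # documented written or verbal consent
    stopped: bool = False            # guard set by a STOP reply
    messages_sent: int = 0


# Assumed wording; the page only says the message explains how to reply STOP.
OPT_OUT_MESSAGE = "Reply STOP to opt out of text messages from this office."


class ConsentGate:
    def __init__(self) -> None:
        self._contacts: dict[str, Contact] = {}

    def contact(self, number: str) -> Contact:
        return self._contacts.setdefault(number, Contact(number))

    def record_relationship(self, number: str) -> None:
        """Patient scheduled an appointment: implied consent now exists."""
        self.contact(number).has_relationship = True

    def record_express_consent(self, number: str) -> None:
        """Patient explicitly opted in (written or verbal, documented by the office)."""
        c = self.contact(number)
        c.express_consent = True
        c.stopped = False   # an explicit opt-in lifts an earlier STOP guard

    def handle_inbound(self, number: str, text: str) -> None:
        """Inbound reply handling: STOP places a guard on the number."""
        if text.strip().upper() == "STOP":
            self.contact(number).stopped = True

    def may_send(self, number: str, kind: Kind) -> tuple[bool, str]:
        """Decide whether a message of `kind` may go to `number`, with the reason."""
        c = self.contact(number)
        if c.stopped:
            return False, "STOP guard in place"
        if c.express_consent:
            return True, "express consent on file"
        if kind is Kind.TRANSACTIONAL and c.has_relationship:
            return True, "implied consent from established relationship"
        return False, f"no consent for {kind.name.lower()} texts"

    def send(self, number: str, kind: Kind, body: str) -> list[str]:
        """Return the texts that go out (empty list if the gate blocks the send)."""
        allowed, _reason = self.may_send(number, kind)
        if not allowed:
            return []
        c = self.contact(number)
        out = [body]
        if c.messages_sent == 0:
            out.append(OPT_OUT_MESSAGE)   # first contact: tell them how to opt out
        c.messages_sent += len(out)
        return out


def demo() -> list[list[str]]:
    """Walk one constructed contact through the consent states."""
    gate = ConsentGate()
    n = "+15555550100"   # constructed sample number
    results = []
    results.append(gate.send(n, Kind.TRANSACTIONAL, "Reminder"))      # blocked: no relationship yet
    gate.record_relationship(n)
    results.append(gate.send(n, Kind.TRANSACTIONAL, "Reminder"))      # sent, plus opt-out message
    results.append(gate.send(n, Kind.PROMOTIONAL, "New services!"))   # blocked: no express consent
    gate.handle_inbound(n, "stop")
    results.append(gate.send(n, Kind.TRANSACTIONAL, "Reminder"))      # blocked: STOP guard
    gate.record_express_consent(n)
    results.append(gate.send(n, Kind.PROMOTIONAL, "New services!"))   # sent: express consent lifts the guard
    return results


if __name__ == "__main__":
    for step in demo():
        print(step or "(blocked)")
```

The gate is deliberately the single path through which outbound texts leave, so the STOP guard cannot be bypassed by a caller that forgets to check consent. Note that the page does not say which keyword opts a patient back in, so re-opting in is modelled as an explicit, documented action by the office rather than a keyword.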


HIPAA Compliant Text Message Templates

Asking patients to confirm their appointments via text can improve your office’s appointment scheduling flow. You can reduce no-shows, prevent phone tag, and improve patient satisfaction.

However, the only way to keep your texting HIPAA compliant is to never text protected health information.

In each of the following HIPAA compliant text message templates, you’ll see that the patient’s name is not included. Nor are the reason for the appointment, the treatment, or the specialty of the practice.

Appointment Reminder Text Message Template:

You have an appointment with {{ OrganizationName }} on {{ Date }}. Reply “yes” to confirm or “no” to cancel. Feel free to respond to this text with questions. When you arrive, you may come in or reply to this text to check in. Please call {{ OrganizationPhone }} if you do not receive a response.

Checked In Text Message Template:

Thank you! We have you checked in. We will let you know as soon as your room is ready.

No Show or Missed Appointment Text Message Template:

We missed you today! This is {{ OrganizationName }} notifying you that you missed your appointment with us on [ date ] at [ time ]. Please call us at {{ OrganizationPhone }} to reschedule.

Office Updates and Availability Text Message Template:

Please be advised that parking for {{ OrganizationName }} is currently limited due to roadwork. Please plan ahead accordingly. We apologize for any inconvenience.

COVID-19 Guidelines Text Message Template:

Please review our COVID-19 Guidelines BEFORE your appointment. [ link ]
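The templates above keep patient identifiers out by construction. The following Python code is an added example (not SnapDesk's code) that enforces the same rule mechanically: a template may only use an allowlist of non-identifying placeholders, and the data supplied at render time is checked against the same allowlist so a patient field cannot slip in by mistake. The {{ Name }} placeholder syntax comes from the templates; the allowlist (which adds Time and Link to the placeholders the page's templates use), the PHIFieldError type, the function names and the sample clinic values are assumptions.

```python
"""Render patient texts from templates while refusing any PHI field.

Added illustration for the templates above; it is not SnapDesk code. The
{{ Name }} placeholder syntax comes from the templates; the allowlist, the
error type, the function names and the sample clinic data are assumptions.
"""
from __future__ import annotations

import re

# Placeholders a template may use. None of them identifies a patient, so any
# other placeholder is treated as a PHI leak and refused.
ALLOWED_FIELDS = {"OrganizationName", "OrganizationPhone", "Date", "Time", "Link"}

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class PHIFieldError(ValueError):
    """A template or its data would put PHI into a text message."""


def check_template(template: str) -> list[str]:
    """Return the placeholders in `template`, in order; refuse non-allowlisted ones."""
    fields = PLACEHOLDER.findall(template)
    bad = sorted(set(fields) - ALLOWED_FIELDS)
    if bad:
        raise PHIFieldError("disallowed placeholder(s): " + ", ".join(bad))
    return fields


def render(template: str, values: dict[str, str]) -> str:
    """Fill an allowlisted template. Extra keys in `values` are refused as well,
    so patient data passed by mistake can never reach the message body."""
    fields = set(check_template(template))
    extra = sorted(set(values) - ALLOWED_FIELDS)
    if extra:
        raise PHIFieldError("non-allowlisted data supplied: " + ", ".join(extra))
    missing = sorted(fields - set(values))
    if missing:
        raise KeyError("missing values for: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def try_render(template: str, values: dict[str, str]) -> tuple[bool, str]:
    """Convenience wrapper: (True, text) on success, (False, reason) when refused."""
    try:
        return True, render(template, values)
    except (PHIFieldError, KeyError) as exc:
        return False, str(exc)


# The appointment reminder template from the page.
REMINDER_TEMPLATE = (
    "You have an appointment with {{ OrganizationName }} on {{ Date }}. "
    "Reply “yes” to confirm or “no” to cancel. Feel free to respond to this text "
    "with questions. When you arrive, you may come in or reply to this text to "
    "check in. Please call {{ OrganizationPhone }} if you do not receive a response."
)

# A template that would leak PHI (constructed counter-example).
BAD_TEMPLATE = "Hi {{ PatientName }}, your {{ Procedure }} is on {{ Date }}."

# Constructed sample values for a fictional office.
SAMPLE_VALUES = {
    "OrganizationName": "Lakeside Family Clinic",
    "Date": "Tuesday, Sept 1 at 9:30 AM",
    "OrganizationPhone": "(555) 010-0100",
}


if __name__ == "__main__":
    print(try_render(REMINDER_TEMPLATE, SAMPLE_VALUES))
    print(try_render(BAD_TEMPLATE, SAMPLE_VALUES))
    print(try_render(REMINDER_TEMPLATE, {**SAMPLE_VALUES, "PatientName": "J. Doe"}))
```

An allowlist is used rather than a denylist of words like "Name" or "Diagnosis" because the set of safe placeholders is small and known, while the set of ways to name a PHI field is open-ended. Checking the supplied values as well as the template closes the gap where a safe template is rendered with a data dictionary that happens to carry patient fields.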


Patient Consent to Include PHI

Not including PHI in your text messages keeps you HIPAA compliant. However, patients can still receive their medical information by text if they so choose.

For this to happen, they must give your office express written consent. Your office will also need to document this clearly and explicitly tell the patient that text messaging is not secure.

What Makes a HIPAA Compliant Text App

The HIPAA Security Rule does allow you to send patient information over open, electronic networks. This is permitted only as long as all protected health information is adequately protected.

To protect health information, a HIPAA compliant text app will have the following features. HIPAA compliant text messaging apps are also subject to the Health Information Technology for Economic and Clinical Health (HITECH) Act.

1. Advanced password protection for all users (access controls)

2. Limited access to protected health information for various office staff (audit controls)

3. Encryption of all text messages (encryption)

4. A Business Associate Agreement (BAA)

Advanced Password Protection (Access Controls)

Not everyone in your office needs access to full patient files. Access controls (like password protection) give your employees access only to the minimum PHI they need.

Employees performing billing don’t need access to a patient’s medical information. Similarly, a nurse doesn’t need access to a patient’s financial information.

Access controls give each employee unique login credentials and a designated level of access to perform their job function.

Limit Access to PHI (Audit Controls)

Audit controls record who accesses patient information, when, and for how long. This establishes normal access patterns that can be attributed to specific individuals.

Audit controls are important for detecting unauthorized access to PHI. Most traditional texting platforms offer no way to monitor access.
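An added Python example (not SnapDesk's code) tying together the two controls above: role-based access that grants each role only the PHI categories it needs, and an audit trail that records every attempt under the user's unique login so denied attempts and unusual access volumes can be reviewed. The roles, PHI categories, audit record layout, volume threshold and user names are assumptions made for the example.

```python
"""Access controls and audit controls over PHI, as described above.

Added illustration, not SnapDesk code. The roles, PHI categories, audit record
layout, threshold and user names are assumptions made for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Minimum necessary access: which categories of PHI each role may open.
# (The page's examples: billing staff do not see medical data, nurses do not
# see financial data. The "front_desk" role is an assumption.)
ROLE_ACCESS: dict[str, set[str]] = {
    "billing": {"financial"},
    "nurse": {"medical"},
    "front_desk": {"scheduling"},
}


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str       # unique login, so every access is attributable to a person
    role: str
    patient_id: str
    category: str
    allowed: bool
    seconds: int    # how long the record stayed open (0 when denied)


class PHIStore:
    """Enforces role-based access and writes an audit event for every attempt."""

    def __init__(self) -> None:
        self.audit: list[AuditEvent] = []

    def access(self, user: str, role: str, patient_id: str, category: str,
               when: datetime, seconds: int = 0) -> bool:
        allowed = category in ROLE_ACCESS.get(role, set())
        self.audit.append(AuditEvent(when, user, role, patient_id, category,
                                     allowed, seconds if allowed else 0))
        return allowed


def denied_attempts(audit: list[AuditEvent]) -> list[AuditEvent]:
    """Attempts the access control refused: the first thing a reviewer looks at."""
    return [e for e in audit if not e.allowed]


def patients_per_user(audit: list[AuditEvent]) -> dict[str, int]:
    """Distinct patients each user opened; the baseline for 'normal' access."""
    seen: dict[str, set[str]] = defaultdict(set)
    for e in audit:
        if e.allowed:
            seen[e.user].add(e.patient_id)
    return {user: len(p) for user, p in seen.items()}


def unusual_volume(audit: list[AuditEvent], threshold: int) -> list[str]:
    """Users who opened more distinct patient records than `threshold` (assumed limit)."""
    return sorted(u for u, n in patients_per_user(audit).items() if n > threshold)


def demo() -> PHIStore:
    """Constructed day of activity for a fictional office."""
    store = PHIStore()
    t0 = datetime(2020, 8, 10, 8, 0)
    store.access("n.patel", "nurse", "p001", "medical", t0, seconds=120)
    store.access("n.patel", "nurse", "p001", "financial", t0 + timedelta(minutes=3))   # denied
    store.access("b.lee", "billing", "p002", "financial", t0 + timedelta(minutes=10), seconds=60)
    store.access("b.lee", "billing", "p002", "medical", t0 + timedelta(minutes=12))    # denied
    # Same nurse opens ten more charts in an hour: within role, but worth a look.
    for i in range(3, 13):
        store.access("n.patel", "nurse", f"p{i:03d}", "medical",
                     t0 + timedelta(minutes=20 + 5 * i), seconds=30)
    return store


if __name__ == "__main__":
    s = demo()
    for e in denied_attempts(s.audit):
        print(f"DENIED {e.when:%H:%M} {e.user} ({e.role}) {e.category} of {e.patient_id}")
    print("unusual volume:", unusual_volume(s.audit, threshold=5))
```

The point of writing the audit event before returning the decision is that denied attempts are logged too; a denial that leaves no trace is exactly the unauthorized access attempt the audit control is meant to surface. The volume check shows the second use of the log: access that is within a role can still be abnormal for an individual.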

Encrypted Text Messages (Encryption)

There’s no such thing as secure text messaging. There’s only MORE secure text messaging. Yet HIPAA mandates encryption for securing PHI.

Encryption is the strongest form of digital protection. It converts data into an unreadable form. To view it, you need a decryption key.

Again, texting doesn’t allow for encryption because of the way the carriers handle texts. Texting (as a technology) can’t be encrypted. This means you can’t use texts to transmit protected health information.

Business Associate Agreement (BAA)

As part of your HIPAA text messaging policy, you need a signed business associate agreement (BAA). A BAA names the “covered entities” involved and the protections that secure protected health information. It also obliges both parties to maintain HIPAA compliance.

Without a signed BAA, you can’t use a text messaging app to send PHI.

Suggested Article: How to Choose the Best Texting App for Your Business or Organization


Final Thoughts and Next Steps

Ready to start texting your patients? SnapDesk is here to help with smarter, simpler text messaging for medical offices, dental offices, and private practices.

Visit our learning center for information on how to get started with SnapDesk. You’ll find a quick start guide to texting, a features overview, and an explanation of what SnapDesk is.

You’ll also want to check out our list of free SMS text message templates. Just copy and paste to start texting.

Finally, feel free to start a 7-day free SnapDesk trial with 50 free text messages.