SMS & HIPAA: How to Handle Texting at a Medical Practice

June 08, 2020

If you are a physician or manage a medical practice, sending SMS messages to patients carries a lot of upside. These forms of communication can minimize no-show appointments, improve interactions between provider and patients, and even provide more effective care/dosage instructions—all while saving your practice resources.

But healthcare SMS and text messaging is far from a turnkey process. Because the information contained in these messages could be considered protected health information (PHI), sending SMS messages needs to comply with the strict requirements outlined in HIPAA. In the event of a breach, PHI could be exposed, and your practice could face penalties and fines. Breaches can also damage patient trust in the practice or physician.

Let’s examine the potential benefits of adding SMS to your medical practice communications, how to do so in a manner that supports HIPAA compliance, and key considerations when choosing a HIPAA-eligible SMS provider.

How healthcare providers are using SMS

The most apparent benefit for many healthcare providers is that SMS reminders help patients keep appointments and reduce no-shows. Automating recurring tasks, such as appointment reminders, also frees up the time of an office manager or receptionist.

But texting with patients is more than just reminding them to come in or confirm their appointment. It is becoming a way to provide more complete and ongoing care with patients as well. Medical practices also use SMS to remind patients to take their medicine, perform digital health surveys, and even provide surgery protocol and instructions.

End-to-end patient engagement platform Cipherhealth needed a way to quickly provide healthcare providers with a screening and outreach system to better allocate limited resources.

Healthcare brands and practices are also using SMS to provide emergency and crisis communications. Learn more about how brands are adopting this use case by reading A Quick Guide to Alerts and Notifications During Global Pandemics and Other Crises.

What if you have a last-minute cancellation and want to open that time slot up to others who may be on a waitlist or had to take a later appointment? This is another excellent use case for having SMS and texting capabilities on hand. Instead of making individual phone calls, leaving voicemails, and dealing with the hassle of over the phone appointments, you could integrate your appointment system with your SMS so that the patient can confirm a new appointment time with a single word response.

SMS technology also lets healthcare providers communicate wait times with patients. Providing accurate waitlist times sets clear expectations with the patient if you have a practice that provides walk-in appointments—it’s like when you put your name down at a trendy restaurant and they text you when your table is ready.

New use cases for healthcare SMS are frequently emerging, and the healthcare industry has been one of the leading adopters of SMS.

Is text messaging HIPAA compliant?

You probably wouldn’t have read this far if the short answer was yes. Protected Health Information (PHI) is held to a higher security and privacy standard than other types of information, which is the crux of the HIPAA and texting challenge.

SMS is not an inherently secure form of communication. Text messages are delivered to and from personal mobile devices unencrypted, and there is no way to ensure that a message isn’t read by someone other than the intended recipient once it reaches the device. Furthermore, the telecommunications carriers that transmit these messages are not subject to HIPAA regulations.

Note: HIPAA rules only apply to communications containing PHI so any messages sent without PHI are not subject to the same scrutiny.

But this doesn’t mean that SMS can’t be used in a compliant manner if the provider takes the necessary steps to acquire opt-ins and protect PHI.

How can I use SMS in a compliant manner?

HIPAA does not specifically state that SMS can be used to send ePHI to patients. However, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), the HIPAA enforcement agency, has commented that sending PHI to patients via SMS is acceptable so long as the provider warns patients that texting is not secure, obtains the patients’ authorization, and documents the patients’ consent.

Although Severino’s comments have not been officially sanctioned in the form of HIPAA policy, this is in line with what the 2013 HIPAA Omnibus Final Rule allowed in regard to sending ePHI to patients through unencrypted email.
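The three conditions above (warn, authorize, document) are easiest to honor if the sending code treats the documented consent as a gate: PHI goes into a message only when a consent record exists, and a reminder without PHI is sent otherwise. The following is an added illustration, not code from Twilio or from this post; the `ConsentRecord` and `Appointment` shapes, the message wording, and the idea of returning an audit dictionary alongside the body are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class ConsentRecord:
    """Documented patient authorization to receive PHI over SMS (constructed schema)."""
    phone: str
    warned_not_secure: bool            # the patient was told SMS is not encrypted
    authorized_at: Optional[datetime]  # when the patient authorized PHI by text; None if never
    recorded_by: str                   # staff member who documented the consent

    def permits_phi(self) -> bool:
        # Both conditions must hold: a warning alone is not an authorization
        return self.warned_not_secure and self.authorized_at is not None


@dataclass(frozen=True)
class Appointment:
    patient_first_name: str
    starts_at: datetime
    clinic_phone: str
    reason: str  # PHI: what the visit is for (e.g. the condition being treated)


def build_reminder(appt: Appointment, consent: Optional[ConsentRecord]) -> dict:
    """Return the SMS body plus audit fields recording whether PHI was included and why."""
    when = appt.starts_at.strftime("%a %b %d at %I:%M %p")
    if consent is not None and consent.permits_phi():
        body = (f"Hi {appt.patient_first_name}, reminder: your {appt.reason} appointment is {when}. "
                f"Reply C to confirm or call {appt.clinic_phone}.")
        return {"body": body, "contains_phi": True, "consent_recorded_by": consent.recorded_by}
    # No documented consent: the reminder carries no name, no reason, nothing identifying
    body = f"Reminder: you have an appointment {when}. Reply C to confirm or call {appt.clinic_phone}."
    return {"body": body, "contains_phi": False, "consent_recorded_by": None}


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run
    appt = Appointment("Dana", datetime(2020, 6, 15, 9, 30), "555-0100", "physical therapy")
    print(build_reminder(appt, None)["body"])
    full = ConsentRecord("555-0199", True, datetime(2020, 6, 1), "front desk")
    print(build_reminder(appt, full)["body"])
```

Keeping the PHI fields in a separate branch, rather than templating one message and hoping a field is empty, means a missing consent record fails closed, and the returned `contains_phi` flag gives you something to log for each message sent.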

Other best practices to implement might include:

  • Verify the phone number upon entry - if the phone number is being captured electronically, establish a two-factor authentication process that sends a four- or six-digit code to the patient to verify their identity and mobile device;
  • Periodically double-check when the patient comes in for a visit to verify that you have the right phone number on file;
  • Leverage an SMS provider that offers HIPAA-eligible tools that enable you to build your SMS use case with safeguards when feasible.
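The first practice above, verifying the number with a one-time code, is where a number typed into a web form gets tied to a device the patient actually holds. Below is an added example of the server side of that check, written for this article and not taken from Twilio or from the post; the five-minute expiry, the five-attempt limit, the HMAC-based storage of the code and the `PhoneVerifier` class are all assumptions. The verification SMS itself carries only the code, so no PHI is sent before the number is confirmed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6          # the page suggests four or six digits; six here
CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: a challenge is locked after five wrong guesses


@dataclass
class Challenge:
    phone: str
    code_hash: bytes   # only the HMAC of the code is stored, never the code itself
    expires_at: float
    attempts: int = 0
    verified: bool = False


def _hash_code(phone: str, code: str, secret: bytes) -> bytes:
    # Keyed hash over phone and code: a leaked table cannot be brute-forced offline
    # without the server secret, and a code for one number is useless for another
    return hmac.new(secret, f"{phone}:{code}".encode(), hashlib.sha256).digest()


class PhoneVerifier:
    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now                         # injectable clock so expiry can be tested
        self._challenges: dict[str, Challenge] = {}

    def start(self, phone: str) -> str:
        """Create a challenge and return the code to send by SMS; plaintext exists only here."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._challenges[phone] = Challenge(
            phone, _hash_code(phone, code, self._secret), self._now() + CODE_TTL_SECONDS
        )
        return code

    def verify(self, phone: str, submitted: str) -> bool:
        """Check a submitted code; a challenge is single-use, expiring and attempt-limited."""
        ch = self._challenges.get(phone)
        if ch is None or ch.verified:
            return False
        if self._now() > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[phone]         # expired or locked: the patient must request a new code
            return False
        ch.attempts += 1
        # Constant-time comparison so response timing leaks nothing about the code
        ok = hmac.compare_digest(ch.code_hash, _hash_code(phone, submitted, self._secret))
        if ok:
            ch.verified = True
        return ok


if __name__ == "__main__":
    # Constructed stand-alone run: in practice the code is handed to your SMS provider
    v = PhoneVerifier(secrets.token_bytes(32))
    code = v.start("+15550100")
    print("would send:", f"Your verification code is {code}.")
    print("correct code accepted:", v.verify("+15550100", code))
```

Rate-limit `start` as well as `verify` in a real deployment, because each call sends a paid SMS to a number the caller chose; the attempt limit here only protects the code once it has been issued.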

Note: the above is not official legal advice from Twilio. We recommend consulting with legal counsel when setting up SMS communications at your practice.

Choosing a HIPAA-eligible SMS provider

When choosing a vendor to help communicate with a patient via SMS, you likely want to consider whether that vendor can support your legal obligations under HIPAA and otherwise.

You might also look at certain feature sets that would benefit your practice’s unique needs. For example, some allow tiered access and administration controls of your practice’s PHI. And with any product or service you consider purchasing, what does the support system look like in the event that you need help with something like a breach?

Start communicating with patients using SMS

To move forward with Twilio as your message provider, you have to add a BAA onto your Terms of Service as well as ensure that you’re appropriately architecting for HIPAA. If you’re already a Twilio customer looking to add on a BAA for HIPAA compliance, contact your account manager or request to talk to sales.

To learn more about how Twilio is helping healthcare providers beyond just HIPAA, read on.