Are Text Messages HIPAA compliant?
If you work in the healthcare sector then text message marketing is different for you. Apart from the regular laws and the rules, your texts need to be HIPAA compliant. Read on to find out everything about are text messages HIPAA compliant.
Disclaimer: Any information in this article must be taken as advice only. The information is not a replacement for advice by a legal counselor.
What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act. The ultimate aim of the HIPAA act is to ensure that the personal health information or ‘PHI’ remains under protection. Out of the five titles in the act, the second is the administrative simplification act. This section covers in detail the mandating of organizations to protect the sensitivity and privacy of the patients’ private information.
The main outline is that the PHI remains safe and confidential. Hence, any channel that may store the PHI is not HIPAA compliant.
Text Messaging Risks
The use of text messages in the healthcare industry is vast and beneficial. However, the biggest concern is if it complies with the HIPAA rules. Since almost everyone uses a mobile device, the chances of PHI being accessed by third parties are higher. Moreover, text messages do not have encryption. This means that the process of sending involves points where the message is easy to access and stores in servers. For example, when it reaches mobile carriers, they may store it in their servers until they decide to get rid of it. These storage points can easily cause identity and personal information theft.
Since text messages are not enclosed, encrypted, or even protected with passcodes, they are not HIPAA compliant. However, this is when it comes to sending personal health information. There are still cases where text messages are HIPAA compliant.
Cases When Text Messages are HIPAA Compliant
While the laws against text messaging under HIPAA are very strict, there are a few ways how you can still use mass texting for healthcare. Just remember not to send out any PHI. These include patient identifiers like names, emails, and even birthdays.
Patients not showing up to appointments can be quite stressful to the healthcare professionals. Hence, you can use texts to remind them to show up to their appointment. Remember, you cannot add any personal information. A simple message asking them if they will show up is enough.
Another way you can use text messages is for feedback. You can use the two-way messaging service to request a quick rating on the patients’ experience.
- Inhouse communication
To ensure that the team of healthcare specialists is a well-oiled machine, in-house communication is important. Hence, sending updates like shift schedules, requesting on-call doctors, or other updates can make a difference.
- Prescription reminders
A very smart way to use text messaging is to remind patients on taking their prescriptions on time. However, this may be tricky. Simply send a message with a reminder instead of sending details of the drugs. Moreover, you can also remind them that they may need to get a refill soon.
Instances where HIPAA is Waivered Off
While it is entirely forbidden to send out personal health information, there are some instances where HIPAA is waivered off. These instances are quite rare and serve only a short period of time. The following are the cases where one can send PHI in messaging.
- Sign a BAA
If you wish to send patients their PHI over texting, then you have to sign a BAA. A BAA is a business associate agreement between the parties of the contract.
In easy language, this contract sets grounds to disclose personal information under written agreement. The contract should be transparent for both parties. Moreover, the reason for disclosing information on texts should be clear.
- Natural Disaster
Another case where HIPAA is waivered off on text messaging is at the time of a natural disaster. However, this is very conditional as well. You can send PHI through text messaging only when a natural disaster stops the patient from collecting time-sensitive PHI. For example, if a snowstorm causes everything to shut down. In this case, if the PHI is time-sensitive. Moreover, it may cause a dent in public or individual safety. The healthcare worker may send out the information to the patient in this case.
- With third-party servers
One of the major clauses in HIPAA is that one can send electronic personal health information only if the channel has encryption. Of course, this rules out text messaging. However, you can send a link on texts that redirects the person to a website or document that has encryption or requires a password. For example, a hospital may send lab results by attaching a link to their website. This link should have encryption and should be accessible with a password only. One cannot share the password through any electronic means since it comes under patient identifiers. Moreover, the link or password should not be accessible by your business associates such as coworkers or the hospital staff in general.
In all these situations, there is a common condition. The PHI should only be accessible by one associate. For example, the doctor cannot send it to the administration to send out the message. The information is for the concerned party only when sending it out.
Should healthcare professionals use texting at all?
Text messaging is one of the quickest ways of communication. Neglecting the use might set you back a few years.
When it comes to healthcare professionals, we understand that it is quite the confusion under the HIPAA act. Your best bet is to use it for stances other than sending out PHI. While you are sending mass texts, make sure to comply to basic texting rules. Only send messages to people that have given prior expressed consent.
Even though ExpertTexting is NOT HIPAA compliant, however you can reach out to us anytime for the workaround staying in compliance or if you have confusions or queries.