To SMS or not to SMS is a HIPAA question.
We all understand that SMS is the #1 communication channel in the world. No one picks up the phone to answer a call, and emails are not read. SMS is the way to go.
But for healthcare professionals, the most common question about SMS is whether it is HIPAA compliant.
The answer can be either yes or no.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. HIPAA sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance.
If a text message to a patient contains no PHI, HIPAA compliance does not apply to it. The most common use case is an SMS appointment reminder. Per this study, appointment no-shows cost the U.S. health care system more than $150 billion a year and individual physicians an average of $200 per unused time slot. This is the health care industry alone.
It is safe for a health care provider to send SMS appointment reminders as long as there is no PHI in the reminder.
If there is PHI in the message, SMS must be operated in a compliant manner. Let’s look at how the HIPAA rule is written.
2013 HIPAA Omnibus Final Rule
The 2013 HIPAA Omnibus Rule allowed sending ePHI to patients through unencrypted email. You can think of SMS as the equivalent of unencrypted email. See the content of the rule below.
Comment: Several commenters specifically commented on the option to provide electronic protected health information via unencrypted email. Covered entities requested clarification that they are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. Some felt that the ‘‘duty to warn’’ individuals of risks associated with unencrypted email would be unduly burdensome on covered entities. Covered entities also requested clarification that they would not be responsible for breach notification in the event that unauthorized access of protected health information occurred as a result of sending an unencrypted email based on an individual’s request. Finally, one commenter emphasized the importance that individuals are allowed to decide if they want to receive unencrypted emails.
Response: We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the ‘‘duty to warn’’ individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.
How to use SMS with HIPAA compliance
Based on the rule above, it is OK to send PHI to patients via SMS as long as the following requirements are met:
- Patients are warned and notified that texting is not secure.
- The health provider obtains patient authorization.
- The health provider documents patient consent.
Other encouraged practices include:
- Verify the patient’s identity and confirm that the patient has access to the mobile phone. You may send an OTP (one-time passcode) to the mobile phone number to establish initial contact.
- Update the mobile phone number on file if the patient changes their number, and confirm that the number on file is current during each office visit.
A few use cases of HIPAA compliant text messages:
- Welcome message
Here is an example first message for HIPAA compliance:
This first message is great as it clearly asks for consent, states the risk, and gives the patient a way to opt out of your text messages.
- Appointment reminder
SMS appointment reminders are one of the most frequently used features in the healthcare industry. They are simple and effective.
- Patient follow-up
Send follow-up text messages to patients.
- Video chat, tele-medicine
During the pandemic, tele-medicine became popular. You can have a video chat with your patients using our video chat product. Your patient can join the video call without installing any app. This is especially helpful for older patients who are not tech savvy. The video chat happens during a regular text message conversation and feels natural. As a healthcare provider, you do not have to use your personal mobile phone for FaceTime or install complicated video conference software.
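The requirements and encouraged practices above (OTP to establish contact, a welcome message that states the risk, asks for consent and offers an opt-out, and documented consent before any PHI is texted) can be enforced in software rather than left to staff discipline. The block below is an added example, not WikiPro’s code or anything from the page: it assumes an in-memory patient store and a stub SMS gateway that merely collects outgoing texts in an outbox, and the clinic name, phone numbers, message wording and OTP policy (five-minute lifetime, three attempts) are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OTP_TTL_SECONDS = 300   # assumed policy: an OTP is good for five minutes
OTP_MAX_ATTEMPTS = 3    # assumed policy: then the code is discarded

# Constructed welcome text: asks for consent, states the risk, offers an opt-out.
WELCOME = ("{clinic}: Reply YES to receive messages about your care by text. "
           "Standard SMS is not encrypted and could be read by a third party. "
           "Reply STOP at any time to opt out.")


@dataclass
class Patient:
    phone: str
    verified: bool = False              # passed OTP on this number
    consent_at: Optional[float] = None  # timestamp of the YES reply (documented consent)
    opted_out: bool = False
    otp_hash: Optional[bytes] = None    # only a hash of the OTP is kept
    otp_expires: float = 0.0
    otp_attempts: int = 0


@dataclass
class Messenger:
    clinic: str
    patients: Dict[str, Patient] = field(default_factory=dict)
    outbox: List[Tuple[str, str]] = field(default_factory=list)        # stub gateway
    audit: List[Tuple[float, str, str]] = field(default_factory=list)  # (ts, phone, event)

    def _log(self, phone: str, event: str) -> None:
        self.audit.append((time.time(), phone, event))

    def start_verification(self, phone: str) -> str:
        """Send an OTP to the number on file. Returned only so a test can finish the flow."""
        p = self.patients.setdefault(phone, Patient(phone))
        otp = f"{secrets.randbelow(10**6):06d}"
        p.otp_hash = hashlib.sha256(otp.encode()).digest()
        p.otp_expires = time.time() + OTP_TTL_SECONDS
        p.otp_attempts = 0
        p.verified = False
        self.outbox.append((phone, f"{self.clinic}: your verification code is {otp}"))
        self._log(phone, "otp_sent")
        return otp

    def confirm_verification(self, phone: str, code: str) -> bool:
        """Check the OTP; on success mark the number verified and send the welcome message."""
        p = self.patients.get(phone)
        if p is None or p.otp_hash is None:
            return False
        if time.time() > p.otp_expires or p.otp_attempts >= OTP_MAX_ATTEMPTS:
            p.otp_hash = None                      # expired or locked: a fresh OTP is required
            self._log(phone, "otp_rejected")
            return False
        p.otp_attempts += 1
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), p.otp_hash)
        if ok:
            p.verified, p.otp_hash = True, None
            self.outbox.append((phone, WELCOME.format(clinic=self.clinic)))
            self._log(phone, "verified_welcome_sent")
        return ok

    def handle_reply(self, phone: str, body: str) -> str:
        """Inbound keywords: YES from a verified number records consent, STOP records an opt-out."""
        p = self.patients.get(phone)
        if p is None:
            return "unknown"
        word = body.strip().upper()
        if word == "YES" and p.verified:
            p.consent_at = time.time()
            self._log(phone, "consent_recorded")
            return "consented"
        if word == "STOP":
            p.opted_out = True
            self._log(phone, "opted_out")
            return "opted_out"
        return "ignored"

    def send_message(self, phone: str, text: str, contains_phi: bool) -> bool:
        """Gate outbound texts: a non-PHI reminder needs only a known, non-opted-out number;
        anything carrying PHI also needs a verified number and documented consent."""
        p = self.patients.get(phone)
        if p is None or p.opted_out:
            self._log(phone, "blocked_unknown_or_opted_out")
            return False
        if contains_phi and not (p.verified and p.consent_at is not None):
            self._log(phone, "blocked_phi_without_consent")
            return False
        self.outbox.append((phone, text))
        self._log(phone, "sent_phi" if contains_phi else "sent")
        return True

    def update_phone(self, old: str, new: str) -> None:
        """Number changed: keep the record, but the new number must pass OTP again."""
        p = self.patients.pop(old)
        p.phone, p.verified, p.otp_hash = new, False, None
        self.patients[new] = p
        self._log(new, f"phone_updated_from_{old}")
```

Two design choices worth noting: the caller declares whether a message carries PHI, because keyword sniffing for PHI is unreliable, and a STOP reply blocks every further text, not just PHI, since the welcome message promised an opt-out without qualification. The audit list is what would be shown to prove that consent was documented before the first PHI text went out.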
Pick a HIPAA-compliant service provider
When you choose a vendor to send two-way SMS to patients, you must ensure the vendor is HIPAA compliant.
WikiPro is HIPAA compliant, and our solution can help health care professionals text, engage, and convert patients.
Send a text to 626-243-2796 for a free demo.