Providers who follow HIPAA standards will be able to text patients and clients and reap all the benefits associated with it, such as increased patient loyalty, referrals, and revenue. Patients and clients often prefer texting, but it falls on the provider to assure policies in accordance with HIPAA-compliant texting. The use of texting in healthcare practices spans numerous aspects, including scheduling appointments, providing ongoing care, realt0ime reporting and more. The purpose of texting is to communicate with patients and clients, but providers should ensure that they stay within the HIPAA standard guidelines. Text messages containing personal health information (PHI) about a patient or client can be particularly risky. Therefore, it is essential to safeguard privacy.
Using the five best practices mentioned below, healthcare providers can ensure HIPAA-compliant texting while also fulfilling patients’ demands for convenient care.
- Always use a HIPAA-compliant texting platform. While iMessage and Android Messages (Android Chat) are conveniently built into many mobile devices, laptops, and even desktops through apps available today, they are not HIPAA-compliant. The US and many other countries require healthcare practitioners to only use technology that protects privacy by laws such as HIPAA in the US and PIPEDA in Canada. For a list of such technologies available in the US and beyond, see TBHI Telehealth.org’s Buyer’s Guide. You will find many video platforms now include chatting features, which are legally secure. You may want to thoroughly investigate chat systems that are installed on your website by independent web developers, as they may not be as secure as required. For example, some chat features will send you an email to notify you of a chat on your website, but your website itself, the chat feature, or your email may not be private or secure, and therefore will not meet HIPAA requirements. More specifically, an email that is automatically sent to you (or by you) via a non-HIPAA-compliant Gmail, Yahoo, or Hotmail account is not HIPAA-compliant, for example. Every leg of the communication must be secured to meet both federal and state laws, as well as ethical mandates. The safest way to proceed with texting is to install a secure and encrypted text messaging platform. To keep patient’s data secure, a platform that encrypts text messages is an excellent way to keep data breaches at bay. Providers should, therefore, ensure messages are permanently archived and encrypted so that any third party is unable to access them. It will take layered security to maximize your protection, which you can only obtain with a secure text messaging platform that follows the HIPAA standard guidelines.
- Obtain a Business Associate Agreement (BAA) for every software used. Related to the suggestion offered above, if you are a healthcare professional in the US, you are legally required to obtain such BAAs for each software used to communicate with clients and patients. It may be of interest to note that non-secured email can be used in healthcare, but a signed Informed Consent outlining risks must be obtained prior to using non-secure email. See “HIPAA Compliant Email for Therapists” for details. Releases such as those for email are not allowed for text messaging.
- Require clients and patients to opt-in for text messages. The act of sending texts to patients without their consent is a liability and can violate the HIPAA Privacy Rule in the US. You can obtain consent from patients by asking for it as part of your Informed Consent discussion. It is wise to include a clause about this consent in your Informed Consent document as well. Additionally, prior to texting about their care, providers should ask permission to share PHI with them.
- Ask for proof of identity. The text must reach the appropriate patients or clients. Thus, providers must verify their identities by requesting basic information such as their date of birth, asking to see at least one if not two government-issued IDs or other forms of documentation, such as a driver’s license, military ID, passport, utility bill, etc.
- Document the authorized employees with access. Ideally, authorized employees would include front desk staff, healthcare providers, and office administrators who handle communication. For example, it is unnecessary for staff from the billing and collections division to see clinical notes. Thus, it is imperative to determine which team members should have access to PHI and who should be managing them on a day-to-day basis. To communicate directly with patients or clients, departments should each have their dashboard. Also, keeping patient-centered care in mind, it is important to remember that patients and clients need to know who is contacting them and why. It is equally important for administrators to determine who on staff said what, when, and to whom. If you provide services to US citizens, it may be worth noting that each of your staff members must provide you with a Business Associate Agreement, reflecting their acknowledgment of HIPAA laws and their agreement to abide by them.
Texting can be used to transmit advice and expert tips — The care team can engage patients and clients via texting even when they don’t have an urgent appointment. Using texting according to established competencies can help transmit caring and build patient and client loyalty. As long as providers remain HIPAA-compliant and follow evidence-based protocols for best practices, they can securely and ethically use texting to support clinical care. Benefits include stronger client loyalty, more referrals, and enhanced revenue.