Are Your Text Messages to Patients Compliant?

Did you know that federal law mandates that you perform an annual HIPAA risk assessment to maintain compliance with text messaging and other patient guidelines? Indeed, text messaging has become the preferred form of communication for millions of people across the world, and each day more and more businesses incorporate texting into their client experience. The reasons are clear: text messaging is a very fast, very efficient way to communicate with customers and to almost guarantee they see your message. Businesses, of course, follow certain rules and regulations when contacting customers or prospects. Healthcare organizations must abide by those same rules and have the additional responsibility of maintaining compliance with HIPAA and Federal Communications Commission (FCC) guidelines.

HIPAA-Compliant Texting

HIPAA does allow text messaging, so the question becomes what’s needed to stay compliant when texting a patient. Here are four guidelines to follow before pressing the send button.

1.  Written Consent is Mandatory: Sending an unauthorized text to your patient is a violation of both FCC regulations and HIPAA law. In addition, the patient must understand that they can opt out at any time.

2. Follow the Minimum Necessary Standard: This rule should be followed by your staff any time PHI is involved. It simply means they are using the absolute minimum amount of information necessary for the patient’s care whenever accessing, discussing, or transmitting PHI. When possible, send the message with NO PHI.

        a. For example: Appointment reminders can be limited to “This is a reminder that you have an appointment today. If you cannot make the appointment, please call to reschedule. Reply Stop to Opt-Out.”

3. Implement Monitoring and Reporting Controls: Have a very clear trail that shows who sent the message, when it was sent, and to whom it was sent. Patient communication of any form should be monitored regularly to identify suspicious activity as soon as possible.

4. Enforce Your Policies and Procedures: Make sure your entire staff has access to and has been trained on the office’s HIPAA policies, specifically all those pertaining to PHI and information security. Use your workstation use log to document.

Consent / Opt-In

First, what is proper consent?

Prior to sending the first message to a patient, you must obtain agreement from the patient to communicate with them – this is referred to as “consent”. You must make clear to the patient they are agreeing to receive messages of the type you’re going to send.

You need to obtain a record of the consent, such as a copy of the document or form that the message recipient signed, or a timestamp of when the customer completed a sign-up flow (e.g., digital patient intake forms).

For example, many healthcare practices capture patient communication preferences and consent for text messages during new patient registration. A single consent form may be used at any time. Or, a section is provided within the new patient registration form package as shown below.

Regardless of the method, proof of opt-in consent should be retained as best practice, even after the patient opts out of receiving messages.

While consent is always required and the consent requirements above are generally the safest path, there are two scenarios where consent can be received differently.

1. Contact Initiated by an Individual: If an individual sends a message to you, you are free to respond in an exchange with that individual. For example, if a patient texts your practice asking for hours of operation, you can respond directly to the patient relaying your open hours. In such a case, the patient’s inbound message to your practice constitutes both consent and proof of consent. Remember that consent is limited only to that particular conversation. Unless you obtain additional consent, don’t send messages that are outside that conversation.
2. Informational Content to an Individual Based on a Prior Relationship: You may send a message to an individual with whom you have a prior relationship, provided that individual provided their phone number to you, has taken some action to trigger the potential communication, and has not expressed a preference to not receive messages from you. Examples of acceptable messages in these scenarios include appointment reminders, receipts, one-time passwords, and order/shipping confirmations.

Tips for Constructing Compliant Text Messages

1. Identify Your Practice as the Sender: Every message you send must clearly identify your practice (the party that obtained the opt-in from the recipient) as the sender, except in follow-up messages of an ongoing conversation.
2. Make Them Open the Text: Do not include identifying information or billing information in the first sentence of the message. This best practice minimizes the risk to the patient by preventing any unauthorized individual from viewing any PHI.
3. Opt-Out: The initial message you send to a patient needs to include the following language: “Reply STOP to Opt-Out”, or the equivalent using another standard opt-out keyword, such as UNSUBSCRIBE, CANCEL, END, or QUIT. When the patient opts out, you may deliver one final message to confirm that the opt-out has been processed.

FCC-Compliant Texting

Not only must your text messages be HIPAA compliant, but they must also comply with FCC Telephone Consumer Protection Act (TCPA) and Cellular Telecommunications Industry Association (CTIA) messaging principles and best practices.

Rulings and regulations implemented by the FCC may relate to specific requirements based on federal law, while wireless carriers and communication platforms may have more stringent policies for sending text messages (SMS) through their networks. Consent and revocation of consent are required.

A2P, or application-to-person messaging, is any kind of traffic in which a person is receiving messages from an application. A2P messaging includes (but is not limited to) marketing messages, appointment reminders, chatbots or virtual assistants, notifications, and one-time passwords (OTPs) or PIN codes.

Because U.S. carriers require user consent to send messages under A2P messaging, it is imperative that healthcare practices using SMS services develop a policy of ensuring patient consent, as with HIPAA rules, before sending patients text messages.

Ultimately, U.S. carriers determine which messages are delivered to their customers, the end consumer. Failure to abide by the CTIA messaging principles and best practices can result in message filtering and phone number blocking by carriers.

There are several ways Rectangle Health helps to ensure compliance and to avoid message filtering by the carriers:

1. The 10-digit phone numbers used to send SMS through the Practice Management Bridge^® platform (a “Peer-to-Peer” platform per the definition of the FCC) are registered under A2P 10DLC in the U.S.
2. Consent and revocation of consent are provided to all SMS recipients. Every text message is automatically appended with: “Reply STOP to Opt-Out”.
3. Upon receipt of a STOP message, the system automatically replies with a final message to confirm that the opt-out has been processed along with the instruction: “Type START to Opt-In.” The recipient must once again provide consent before you can send any additional messages.
4. Upon receipt of an Opt-Out message to the Practice Management Bridge platform, the mobile phone number that sent the Opt-Out message automatically becomes blocked and no further messages will be sent until the owner of that mobile phone number replies “START” to resubscribe.

Prohibited Uses of Text Messaging

Anything that is illegal in the jurisdiction where the message recipient lives is prohibited and will be blocked even if you obtained consent from the receiving party. Examples include:

• Cannabis: Messages related to cannabis are not allowed in the U.S. as federal laws prohibit its sale, even though some states have legalized it. Similarly, messages related to CBD are not permissible in the U.S., as certain states prohibit its sale.
• Prescription Medication: Offers for prescription medication that cannot legally be sold over the counter are prohibited in the U.S.

Following all the steps outlined in this article will help to protect your practice and your patient but there is still an inherent risk in text messaging. Remember, anybody can pick up an unattended mobile device and read the messages on it. Furthermore, mobile devices can be lost or stolen – which not only potentially exposes PHI to unauthorized access, but the information in the messages can be used to commit insurance fraud or identify theft. Be sure your practice knows and complies with the Minimum Necessary Standard and the physical, technical, and administrative safeguards of the HIPAA security rule.

As the nation’s leader in HIPAA compliance for small to mid-size practices, we receive thousands of calls each month related to HIPAA issues. We’ve heard it all, and it’s our privilege to have assisted with all kinds of scenarios – from helping pediatric dentists understand parental authorization rights when the parents are divorced, to helping fertility clinics determine how to reply to a negative review.  While this article covers a specific area of HIPAA compliance, as a Rectangle Health client it would benefit you greatly to take advantage of our compliance offerings. Click here for a complimentary HIPAA risk assessment (federal law mandates that you take one every year.) If you have a pressing question, call our compliance department at 1-800-588-0254. We look forward to hearing from you!

Related Posts on Security & Compliance

• Can I afford Cyber Insurance? Can I afford to not have Cyber Insurance?
• Focusing on phishing: What you need to know to recognize fraud
• Healthcare payment data security
• Keeping Online Review Responses HIPAA Compliant
• Preparing your practice for an OSHA Inspection/Investigation
• Are your text messages to clients compliant?
• 5 Policies to Protect ePHI

Adam Grantz

Adam Grantz is the Director of Compliance for Rectangle Health, where he is part of the team responsible for ensuring that our HIPAA, OSHA, and PCI policies and training modules comply with all Federal and State requirements.

He works to continually implement solutions and deliver services that protect medical and dental practices and their patients in the constantly evolving world of compliance and cyber security.

Experienced in the compliance industry, Adam has responded to over 50 data breaches and has helped guide practices through OCR and OSHA investigations. He strives to be there for practices when they most need a security professional and to help them navigate their way back from disaster.

Adam holds a bachelor's degree from SUNY Binghamton.