06. 15. 22
Did you know that federal law mandates that you perform an annual HIPAA risk assessment to maintain compliance with text messaging and other patient guidelines? Indeed, text messaging has become the preferred form of communication for millions of people across the world, and each day more and more businesses incorporate texting into their client experience. The reasons are clear: text messaging is a very fast, very efficient way to communicate with customers and to almost guarantee they see your message. Businesses, of course, follow certain rules and regulations when contacting customers or prospects. Healthcare organizations must abide by those same rules and have the additional responsibility of maintaining compliance with HIPAA and Federal Communications Commission (FCC) guidelines.
HIPAA does allow text messaging, so the question becomes what’s needed to stay compliant when texting a patient. Here are four guidelines to follow before pressing the send button.
1. Written Consent is Mandatory: Sending an unauthorized text to your patient is a violation of both FCC regulations and HIPAA law. In addition, the patient must understand that they can opt out at any time.
2. Follow the Minimum Necessary Standard: This rule should be followed by your staff any time PHI is involved. It simply means they are using the absolute minimum amount of information necessary for the patient’s care whenever accessing, discussing, or transmitting PHI. When possible, send the message with NO PHI.
a. For example: Appointment reminders can be limited to “This is a reminder that you have an appointment today. If you cannot make the appointment, please call to reschedule. Reply Stop to Opt-Out.”
3. Implement Monitoring and Reporting Controls: Have a very clear trail that shows who sent the message, when it was sent, and to whom it was sent. Patient communication of any form should be monitored regularly to identify suspicious activity as soon as possible.
4. Enforce Your Policies and Procedures: Make sure your entire staff has access to and has been trained on the office’s HIPAA policies, specifically all those pertaining to PHI and information security. Use your workstation use log to document.
First, what is proper consent?
Prior to sending the first message to a patient, you must obtain agreement from the patient to communicate with them – this is referred to as “consent”. You must make clear to the patient they are agreeing to receive messages of the type you’re going to send.
You need to obtain a record of the consent, such as a copy of the document or form that the message recipient signed, or a timestamp of when the customer completed a sign-up flow (e.g., digital patient intake forms).
For example, many healthcare practices capture patient communication preferences and consent for text messages during new patient registration. A single consent form may be used at any time. Or, a section is provided within the new patient registration form package as shown below.
Regardless of the method, proof of opt-in consent should be retained as best practice, even after the patient opts out of receiving messages.
While consent is always required and the consent requirements above are generally the safest path, there are two scenarios where consent can be received differently.
Not only must your text messages be HIPAA compliant, but they must also comply with FCC Telephone Consumer Protection Act (TCPA) and Cellular Telecommunications Industry Association (CTIA) messaging principles and best practices.
Rulings and regulations implemented by the FCC may relate to specific requirements based on federal law, while wireless carriers and communication platforms may have more stringent policies for sending text messages (SMS) through their networks. Consent and revocation of consent are required.
A2P, or application-to-person messaging, is any kind of traffic in which a person is receiving messages from an application. A2P messaging includes (but is not limited to) marketing messages, appointment reminders, chatbots or virtual assistants, notifications, and one-time passwords (OTPs) or PIN codes.
Because U.S. carriers require user consent to send messages under A2P messaging, it is imperative that healthcare practices using SMS services develop a policy of ensuring patient consent, as with HIPAA rules, before sending patients text messages.
Ultimately, U.S. carriers determine which messages are delivered to their customers, the end consumer. Failure to abide by the CTIA messaging principles and best practices can result in message filtering and phone number blocking by carriers.
There are several ways Rectangle Health helps to ensure compliance and to avoid message filtering by the carriers:
Anything that is illegal in the jurisdiction where the message recipient lives is prohibited and will be blocked even if you obtained consent from the receiving party. Examples include:
Following all the steps outlined in this article will help to protect your practice and your patient but there is still an inherent risk in text messaging. Remember, anybody can pick up an unattended mobile device and read the messages on it. Furthermore, mobile devices can be lost or stolen – which not only potentially exposes PHI to unauthorized access, but the information in the messages can be used to commit insurance fraud or identify theft. Be sure your practice knows and complies with the Minimum Necessary Standard and the physical, technical, and administrative safeguards of the HIPAA security rule.
As the nation’s leader in HIPAA compliance for small to mid-size practices, we receive thousands of calls each month related to HIPAA issues. We’ve heard it all, and it’s our privilege to have assisted with all kinds of scenarios – from helping pediatric dentists understand parental authorization rights when the parents are divorced, to helping fertility clinics determine how to reply to a negative review. While this article covers a specific area of HIPAA compliance, as a Rectangle Health client it would benefit you greatly to take advantage of our compliance offerings. Click here for a complimentary HIPAA risk assessment (federal law mandates that you take one every year.) If you have a pressing question, call our compliance department at 1-800-588-0254. We look forward to hearing from you!