Is Text Messaging Ever HIPAA-Compliant?
By Greg Freeman
Executive Summary
Text messaging can be used for HIPAA protected health information, but only in certain circumstances. Covered entities should have a policy on text messaging.
- Get consent from the patient.
- Confirm the patient’s number.
- Secure messaging apps can be helpful.
Text messaging is so convenient and common that it is tempting to use it for communicating with patients. But HIPAA applies, and the use of text messaging is allowed only when meeting some strict requirements. Standard phone text messaging is conducted on what is considered a nonsecure channel because the contents of the message are not encrypted in motion, explains Brendan McClure, chief marketing officer with mPulse, a healthcare technology company in Los Angeles. Similar to the use of email, there are no hard and fast rules around what you can and cannot do with text messaging, but HIPAA explicitly says that you can use nonsecure electronic chat communication channels to communicate with patients and potentially include protected health information (PHI), he says.
“It doesn’t say exactly what PHI you can include, what types of messages that can include, so where we end up is a place of interpretation,” McClure says.
One important note is that, if a patient reaches out to a healthcare provider using a nonsecure channel like texting or email, that individual is agreeing to continue the communication in that channel, McClure explains.
“So, for example, if I were to email my doctor ... and talk about a health condition, I’ve essentially demonstrated to the physician that I’m comfortable using that channel to talk about that topic, and the physician can continue communication that way,” he says. “The same applies to text messaging.”
Even when the patient has agreed to text messaging, it is essential to confirm the receiver’s identity before transmitting PHI, says Greg Gould, senior solutions engineer with mPulse in St. Petersburg, FL. That typically involves confirming several data points with the person on the other end before sending the information. “We consider that phone number that’s provided by the healthcare provider to be a first piece of correctly identified information. We would then send out a message where we would refer to somebody by their name, which is just to help identify them, help them understand the message is for them,” Gould says. “We identify where the message is coming from, tell them that we have a health message relevant to them that we’d like to share with them, and then ask them to confirm or validate their date of birth.”
Conditional language also can be useful. When reaching out to a diabetic patient about the need for regular screenings, for example, Gould says the phrasing of the message can avoid some issues with PHI.
“We can say ‘Hello patient, this is your health plan and we’re reaching out to you because you may — if you have diabetes — be due for your diabetes screenings,’” he says. “That’s one way that we’ve handled that in the past and that health plans have. In that way, what we say is we’re not actually stating that this patient has diabetes.”
Confirm Phone Number
While text messaging solutions may be deployed in accordance with HIPAA requirements, providers should take reasonable steps to confirm that the phone number to be used is in fact the number provided by the patient and limit the amount of PHI that is contained in a text message, says Katherine Hyde, JD, an attorney with the Coppersmith Brockelman law firm in Phoenix. Circumstances in which communicating electronic PHI by text message is permissible include when a patient has requested that a covered entity communicate by text message, the covered entity has advised the patient of the risk of unauthorized disclosure, and the patient has consented to receive communications by text message, she says. In addition, Health and Human Services may waive certain HIPAA rules for text messaging after a natural disaster.
There also are secure text messaging solutions that achieve HIPAA compliance by integrating the technical safeguards required by the Security Rule. These HIPAA-compliant text messaging apps offer the convenience of text messaging with added security, monitoring, and message accountability, she says. If text messages are secure, as required for all electronic communications that contain PHI, then texting may be used in healthcare settings, says Layna Cook Rush, CIPP/US, CIPP/C, shareholder with the Baker Donelson law firm in Baton Rouge, LA. Text messages that contain PHI must be secure in accordance with the HIPAA Security Rule. Most Short Message Service/SMS messages are not secure, since they are not encrypted and could be intercepted, she says. When contracting with a vendor that offers a secured texting platform, it is important to execute a business associate agreement with the vendor, since the vendor likely will have access to the PHI that it is transmitting on behalf of the covered entity, she says.
In 2018, the Centers for Medicare and Medicaid Services (CMS) issued guidance that called into question the practice of provider-to-provider texting, but CMS has since changed its policy and stated that provider-to-provider texting is permissible if the texts are secured, Rush explains. Additionally, the Office for Civil Rights has issued guidance, directed at unsecured emails, that allows unsecured communications with the patient if the patient is informed of the risks associated with unsecured communications and consents to the communication despite the risk.
“That rationale should likewise apply to unsecured texts,” she says. “A provider can send an unsecured text to a patient that contains PHI if the provider has explained the risks of sending the information unsecured and the patient has expressly consented to receive the unsecured text.”
To be HIPAA-compliant, the messages must be made by, or on behalf of, a HIPAA-covered entity or its business associate, explains Paul F. Schmeltzer, JD, senior attorney with the Clark Hill law firm in Los Angeles. The text messages must deliver a healthcare message addressing care, services, or supplies related to an individual’s health.
The text messages must clearly state the name and contact information of the healthcare provider and offer recipients the opportunity to opt out of future messages, he says. The option to opt out can be communicated by instructing recipients to reply “STOP.” The text messages cannot include any telemarketing, solicitation, advertising, accounting, billing, debt-collection, or other financial content, Schmeltzer says.
Sources
- Layna Cook Rush, CIPP/US, CIPP/C, Shareholder, Baker Donelson, Baton Rouge, LA. Telephone: (225) 381-7043. Email: [email protected].
- Greg Gould, Senior Solutions Engineer, mPulse, St. Petersburg, FL. Email: [email protected].
- Katherine Hyde, JD, Coppersmith Brockelman, Phoenix. Telephone: (602) 381-5471. Email: [email protected].
- Brendan McClure, Chief Marketing Officer, mPulse, Los Angeles. Email: [email protected].
- Paul F. Schmeltzer, JD, Clark Hill, Los Angeles. Telephone: (213) 417-5163. Email: [email protected].