Posted by Jill Foote on Feb 13, 2020
In today’s practice climate, patients want more electronic contact and fewer phone calls. For some practices, this is easy because it is how the doctor grew up… with texting and emails. But for others, starting a new text or email reminder service can be more difficult, and they may turn to trusted advisors or a vendor to set it up and manage it for them. But be careful! You are dealing with Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI) in those electronic communications, and therefore, the Health Insurance Portability and Accountability Act (HIPAA) rules for compliance come into play.
It is the responsibility of the provider to protect PHI
HIPAA, in general, does not restrict providers from using emails or text messages to communicate with the patient base. In fact, text messaging is one of the many things not directly addressed in HIPAA. Because it’s been around since the early 2000s, HIPAA is archaic in many ways. As a result, HIPAA HITECH (Part 3 of HIPAA that became effective in September 2013) filled in the gaps to bring the law up to speed for the changing landscape of electronic healthcare. It reaffirmed that it is the responsibility of the provider to protect PHI in all formats on all platforms and to provide an accounting of disclosures upon request by the patient. Many state laws exceed the federal HIPAA requirements; therefore, it’s also critical to be aware of how your state handles PHI and IIHI.
If you use a text messaging service, you must have everything in writing to be HIPAA compliant. We recommend the following:
- Include information about how you use text messaging in your Notice of Privacy Practices (NPP) and outline the patients’ options on how it will be used
- Get a signed acknowledgment for the NPP to confirm that your patients understand all the information in the NPP and their rights according to it
- Make sure you have a solid Use and Disclosure agreement as part of your up-to-date HIPAA program. Provide patients an option to state what they do and do not want when it comes to text, email, or phone messages
- Include a statement on your intake form that states if the patient provides their wireless number, they are agreeing to receive calls and text reminders at that number. Provide a box to opt out of this service for voice, text, or both. Be sure you know how to flag this in your software and then follow that flag without exception. This is one of the most important policies and procedures of your HIPAA program.
- The use of mobile numbers is tricky. Because cell phone numbers change often, you MUST complete either a verification process at each visit or both verification and a signed acknowledgment. With the verification process, simply ask at sign-in if the phone number is still the same. Signed acknowledgment can be a simple statement in your intake form that reads: “I agree to notify staff immediately if my contact number changes and will not hold the provider responsible for text messages that are sent to the wrong number because of a lack of notification.”
- When texting reminders to the patient, IT IS VERY IMPORTANT to use only the most minimal amount of information. For example, use only the first name or initials and the date and time of the event, and nothing about the provider or clinic name. That way, should the text be received by an unintended party, it wouldn’t be possible to link who it is from or where the appointment is.
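To make the intake, verification and minimal-content rules above concrete, here is an added example (not code from the original post or from any vendor) of a reminder builder that refuses to send without consent and a verified number, and a pre-send check that flags any message naming the clinic, provider or full last name. The patient and appointment records, field names and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Patient:
    first_name: str
    last_name: str
    mobile: Optional[str]
    text_opt_out: bool      # box ticked on the intake form (hypothetical field)
    number_verified: bool   # "is this still your number?" confirmed at sign-in

@dataclass
class Appointment:
    when: datetime
    provider: str           # stays in the record, never placed in the text
    clinic: str

def build_reminder(patient: Patient, appt: Appointment) -> Optional[str]:
    """Return a minimal-disclosure reminder, or None when it must not be sent."""
    # Consent and verification gates from the intake/sign-in procedure.
    if not patient.mobile or patient.text_opt_out or not patient.number_verified:
        return None
    initials = f"{patient.first_name[0]}.{patient.last_name[0]}."
    # Only initials plus date/time: nothing that ties the text to a clinic or provider.
    return f"Reminder for {initials}: {appt.when:%a %b %d at %I:%M %p}. Reply C to confirm."

def discloses_too_much(message: str, patient: Patient, appt: Appointment) -> bool:
    """Pre-send check: True if the text names the provider, clinic or full last name."""
    lowered = message.lower()
    forbidden = [appt.provider, appt.clinic, patient.last_name]
    return any(term.lower() in lowered for term in forbidden if term)

# Constructed sample data for a stand-alone run.
SAMPLE_PATIENT = Patient("Jane", "Doe", "555-0100", text_opt_out=False, number_verified=True)
SAMPLE_APPT = Appointment(datetime(2020, 3, 2, 9, 30), "Dr. Smith", "Main Street Chiropractic")

if __name__ == "__main__":
    msg = build_reminder(SAMPLE_PATIENT, SAMPLE_APPT)
    print(msg, "| leaks:", discloses_too_much(msg, SAMPLE_PATIENT, SAMPLE_APPT))
```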
If you do use an outside vendor or your software company for texting services, ask them the following questions as part of your HIPAA compliance program for Business Associates:
- Who owns responsibility for the texting service? Is it the software company? Or is it through another third party such as ReviewWave? Obtain a signed Business Associate Agreement (BAA) from the third party and be sure your BAA is up to date and has been properly updated for HIPAA HITECH. An out-of-date BAA is as bad as none at all.
- Do the text and email services fall under BAA with your software vendor? If not, who is the vendor? Obtain a signed Business Associate Agreement.
- Does the email come from the provider’s email or through the software company’s server? This is important! If the email looks like it is coming from the provider but is processed by your software company, this would fall under the software company’s BAA. Yet, if it is linking to (integrating with) the provider’s email account, the provider could be sending and receiving emails that are NOT encrypted, which could be a HIPAA violation. Ask the software company: “If the emails are coming from my personal email account, what is the recommendation to make sure it is HIPAA compliant or encrypted?”
- Either way, verify that the outgoing email carries a disclaimer in the signature addressed to any unintended recipient.
This is a lot… and we know that. That’s because HIPAA is a lot! As a profession, we tend to gloss over it, but it is very important.
Raise your HIPAA game!
If you feel your current HIPAA program could use a review, remember, we do that for only $79. (Only $39 for KMC University members!) Let us know if you’d like to have our certified specialists review your program, point out gaps and help protect you from unnecessary risk.