Paubox blog: HIPAA compliant email made easy

When is texting patients a HIPAA violation?

Written by Sara Uzer | July 14, 2023

Texting is a quick, easy, and effective way for healthcare providers to communicate with patients. However, text messages that contain protected health information (PHI) must comply with HIPAA standards. 

 

What does HIPAA say about texting?

While text messages aren't explicitly covered by HIPAA, the Security Rule lists a set of requirements that apply to all forms of electronic communication. Under the rule, covered entities must protect patients' PHI by using "appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of this information." This includes taking measures to secure PHI at rest and in transit, limiting access to designated employees, and setting parameters on what can be done with this sensitive information.

Therefore, texting patients can be a HIPAA violation if the proper safeguards are not implemented.  

Here are some ways to make sure your text messages to patients are HIPAA compliant. 

 

Obtain patient consent 

Texts that include PHI are considered a HIPAA violation if the patient has not consented to this type of communication. That is why obtaining patients' written permission is critical before moving forward with text messaging. 

  • Create texting consent forms and include them in your patient intake process. Be specific about the scope and purpose of texting and explain what information may be shared in this manner.  
  • Patients should also be fully informed about the potential risks of text messaging, such as the chance of unauthorized access. 
  • In addition, make sure to note that patients have the opportunity to opt out of text messaging at any time.
  • Finally, document the warning and patients' written consent. 

 

Use a HIPAA compliant service

Security features are limited on personal phones, which leaves patient data increasingly susceptible to exposure. These devices are more likely to get stolen or lost, and there is no way to erase texts remotely. 

The Security Rule requires access controls, audit controls, and encryption to secure PHI, and these robust features are typically not available through standard texting platforms. 

Therefore, it is required to sign a business associate agreement (BAA) with a HIPAA compliant messaging service. A signed BAA acknowledges the obligations of the business associate in protecting this sensitive information.

HIPAA compliant platforms have security features to protect patients' private information. Administrators can also wipe data from missing devices to prevent the malicious use of PHI.

 

Limit PHI in texts

Even with stronger security measures, following the Minimum Necessary Standard component of HIPAA when texting patients is still a best practice. This involves using the least amount of information necessary when discussing a patient's care over text. 

Leave out any identifying details on the patient's specific condition, treatment plan, or test results. Sticking to non-sensitive, essential information helps reduce the chance of a PHI breach. 

 

Establish clear texting policies for your practice

Put detailed policies in place that guide the use of text messaging for patient communications. Include protocols on when texting is appropriate and what can be shared. In addition, train employees on cybersecurity best practices and password management. Staff members should also learn the consequences of insecure texting, as well as how to identify potential security threats and report them quickly.

Texting patients is not specifically prohibited under HIPAA, but failing to implement the appropriate safeguards can lead to a HIPAA violation. Using a HIPAA compliant platform, limiting PHI in text messages, and enforcing clear policies to employees is crucial to keeping these patient communications secure.