Avoid these HIPAA mistakes when texting patients

Some of the highest-quality healthcare strategies nowadays include remote components, and patients increasingly want to communicate with their providers via text message. Texting is a great way to keep up with matters such as payments, appointment scheduling, patient conversations, and gathering valuable feedback for your practice.

Texting needs to be part of your patient communications, and you need to ensure that your healthcare organization meets the standards of the Health Insurance Portability and Accountability Act (HIPAA). While texting can make things a lot easier (and more profitable), it can also be easy to unknowingly violate HIPAA regulations.

So how do you stay compliant while texting with patients? Be sure not to make these five common mistakes.

Texting from a non-secure system

Patients and providers want to be able to text each other, but it can be unsafe to exchange sensitive information from just any old device. You will always want to avoid communicating with patients on a personal smartphone, or on a system where their information isn’t encrypted and can be accessed or intercepted.

Additionally, patients don’t want to download a separate app or log into a specific portal to ask questions or get updates—they just want to text you.

To text patients securely, you can implement a HIPAA-compliant text messaging platform that maintains government privacy and security standards.

A secure channel ensures that information is encrypted at every level, from physician to patient. Without a secure platform, you leave valuable patient information at risk.

Apart from encryption, it’s important that your texting solution tracks the status of all messages, clearly identifies the sender and receiver, and integrates safely with your current practice management software.

Texting non-opt-in contacts

Before texting a patient, you need to make sure that they’ve given their consent to being texted by you. Texting patients who haven’t consented to text message communication can be a major violation of HIPAA standards, not to mention other regulations set by the Federal Communications Commission (FCC).

So how do you get patients to opt in?

It’s easier than most people think. You can start by encouraging inbound traffic. Prompt patients to text you first, which you can do from your website. For example, use an SMS Chat on your homepage, or say “text us at [phone number]”.

Another way to get patients to opt in is simply to ask them.

On your web form, include a disclaimer that providing contact info gives you the right to communicate with them through those channels for appointment and care-related communications. Add the same checkbox to any patient paperwork, and you’ll be surprised how quickly your opt-in list grows.

Patients also need to be able to opt out of communications at any time. This holds true for text, but also for any other kind of communication. Most text systems include some sort of opt-out message or function.

Sharing PHI without permission

Patients want to be able to ask you questions and hold conversations through text, but you always need to make sure that they have confirmed and opted in to sharing protected health information (PHI) via text.

Some patients will want to text with you just for scheduling and reminders, while others will want to text with you throughout their care (and after). PHI is sacred, so be sure to ask patients if they’re okay with texting you about their care.

How do you make sure this happens? You can start by adding it as a question on patient paperwork. For example: “Would you like us to text you about your care?”

As long as patients have opted in to receiving texts about care related to PHI, you're good to go.

Giving the wrong employees access

Without a secure platform, valuable PHI can be intercepted by anyone. An unattended mobile device can grant unauthorized employees access to your patients’ data, which can lead to consequences such as insurance fraud or identity theft.

Even a secure system can grant access to the wrong people. Make sure you are only granting access to authorized employees!

The “wrong employees” in this situation could be someone working in a different department or under a different provider.

For example, Employee X may be working in collections and doesn’t need to see the conversations Patient A had with the Provider about their patient care. Employee X just needs to text about collections.

Part of having a secure system is making sure users have the right permissions and access. It’s important to make sure that the appropriate personnel in your practice have access to those patient conversations.

Ensure that only authorized employees are communicating with patients. By assigning different phone numbers and different dashboards to each authorized employee, you can more confidently assume that patient communication will be secure.

Sending messages to the wrong contact

It can be easy to accidentally send messages to the wrong person when you are using a personal mobile device or even a secure platform, especially when you are in a rush.

Secure system or not, this is never acceptable. By the same token, you wouldn’t want to send an email to the wrong person or leave a voicemail on the wrong line.

This can result in unauthorized disclosure of PHI to the wrong people, which violates HIPAA.

Avoiding these mishaps boils down to ensuring that your staff know what they’re doing and that you have appropriate checks and balances in place. It’s imperative that they exchange information with the correct person. Otherwise, you may be putting your patients and your practice at risk.

Confirm patient contact info every time they come into your office so that you always have their updated information. This way, you aren’t sending private information to the wrong person.