HIPAA Compliance and SMS Texting: What You Need to Know

Christine Dohrmann

Since the inception of smartphones, texting has become a quick and easy way for people to communicate. Much of the population, including digital natives like Millennials and Gen Z, prefers texting over other communication platforms. Texting has also emerged as the preferred way for people to receive information, and 80% of internet users have used their phones to look up health information.

Why should you care?

Healthcare providers and hospitals can harness the power of SMS for: 

  • Appointment reminders: One physician office in Utah used patient management software to send text reminders to patients, cutting its no-show rate in half and eliminating 10 hours of reminder phone calls [source].
  • Medication reminders: A 2017 study published in the Journal of Medical Internet Research found that text-message medication reminders resulted in a 14.2% improvement in patient adherence [source].
  • Surgery protocols: Sending out pre- and post-surgery patient protocol reminders could reduce surgical cancellations and preventable readmissions, which can cost hospitals up to $5,000 and $14,000 per event respectively [source] [source].

HIPAA Compliance and SMS Texting

As convenient as SMS texting can be, there are still clear parameters around the handling of PHI (personal health information). Covered entities looking to leverage texting should be conscious of opt-ins and what information they transmit over text in order to abide by the regulations governing PHI. Acquiring patient permission (an “opt-in”) to communicate is a necessary first step to adding texting as a communication channel.

Covered entities can use SMS to direct patients to a secure patient portal to view PHI and communications from their healthcare provider. SMS can also be used to enable two-factor authentication (2FA) to protect sensitive information.

Choosing a Provider for Texting in Healthcare

When choosing a provider for SMS text messages to patients, it is important to understand whether the provider stores message content on their server. If the service provider retains message content as standard procedure on their servers longer than reasonably necessary to complete the transmission of the message, they would be considered a business associate—and would need to sign a Business Associate Agreement (BAA) to provide messaging services to covered entities. 

Telecommunications companies may have random, infrequent access to PHI when they review whether the data transmitted over their network is arriving at its intended destination. Under the HIPAA Omnibus Final Rule, such random, infrequent access does not qualify the company as a business associate. However, it is still important to choose a provider that can make sufficient security commitments to protect data. To avoid conflicts around HIPAA compliance, covered entities have options that protect PHI while still allowing them to leverage the power of text messaging.

Use cases that don’t involve the transmission of PHI include: 

  • Appointment reminders 
  • Asking patients to call their office
  • Directing patients to secure patient portals
  • Two-factor authentication

Passwords are still one of the best ways to protect PHI, according to HIPAA Journal [source].  

Hospital networks, pharmacies, and other covered entities should align themselves with established carriers and service providers that have the knowledge and expertise to help them navigate emerging telecom options and maintain HIPAA compliance. An experienced provider with a reliable network, like Bandwidth, can make sure those important messages get delivered correctly.

As more patients begin to use smartphones to access their health information, their expectation is that providers deliver convenient omnichannel experiences. Text messaging is just one medium for that experience. In our next installment, we’ll cover what to consider when evaluating telephony providers.

Read the whole series

Part 1: HIPAA, BAA, and Conduit Exception

Part 2: HIPAA Compliance and SMS Texting: What You Need to Know

Part 3: HIPAA, Telecommunications Redundancy, & Conduit Exception