PART ONE
Pick a number (not just any number)
It’s time to choose a number type. For the sake of simplicity, this report focuses on number types used in the US and Canada.
4 in 10 patients are willing to switch providers based on which ones meet their communication preferences.
Given how important communication options are to patients, and given how preferred text messaging is for many kinds of communication, we’ve put together a fresh SMS guide for healthcare platforms looking to optimize a healthy text messaging strategy.
Our newest Patient Preferences report found that Texting is patients preferred method for receiving preventive care reminders, appointment reminders, prescription updates, and pre-appointment intake forms. Given that 44% of patients are willing to switch providers based on which ones meet their communication preferences, it makes sense that platforms need to offer texting alongside email and phone.
And we’re not talking about regular texting. We’re talking about healthcare texting. Which has unique areas of both challenge and opportunity for healthcare tech and communication platforms.
Concerns about patient privacy have often been a barrier to implementing messaging in healthcare. However, with the proper safeguards in place, messaging can be compliant with regulations like HIPAA. It is essential for platforms in the healthcare space to prioritize patient privacy while leveraging the benefits of secure messaging for improved patient communication.
The challenges of SMS in healthcare are worth overcoming, not only for provider profitability, but for public health as well. Studies have shown that messaging can significantly improve health outcomes for patients. For instance, cardiovascular patients were 70% more likely to refill their prescriptions when reminded via text messages. This simple yet effective method of communication can enhance patient engagement and adherence to treatment plans.
This report breaks down five best practice categories for healthcare SMS:
We will also touch on fraud mitigation best practices to provide a framework to lessen the risk associated with telecommunications fraud.
It’s time to choose a number type. For the sake of simplicity, this report focuses on number types used in the US and Canada.
The OG of text channels, Short codes, are available in the US and Canada and allow for MMS video messages as well as basic SMS messages. Because short codes offer the most reliability, they are the only recommended channel for urgent or crisis alerts.
PROS
CONS
Toll-Free texting gives you the same MMS and SMS capabilities that short codes do, but you can also use voice-enabled numbers. That’s great for customer service use cases because you can text your opted-in users and then they can just call back to complete their issue resolution.
PROS
CONS
*As of Jan 31st, 2024, the industry’s toll-free aggregator no longer allows any sending on non-verified toll-free numbers.
Regular long codes are meant for person-to-person (P2P) communication, or conversational SMS. As such they don’t perform well in high-volume application-to-person (A2P) use cases where businesses are sending high volumes of messages to customers and users. The newest addition to the messaging landscape, 10DLC, solves for this with a sanctioned A2P channel for long code in the U.S. As with Toll-free numbers, you can use MMS, SMS, and voice-enabled numbers.
Note: 10DLC is not a sanctioned A2P channel in Canada, which means the throughput is low and there are no registration requirements… yet. We will keep you updated as that situation develops.
PROS
CONS
Assess your use cases and determine whether you (or the customers you’re serving) are sending notifications, or if they’re opening up conversations. Then compare number types to find the best match for your customers’ use cases.
Feature | Short Codes | Toll-free | Alphanumeric SMS |
---|---|---|---|
Geographic availability | Globally with country-specific codes | US/CAN | 180+ Countries not including U.S. |
Voice-Capable | No | Yes | No |
SMS 2-Way | Yes | Yes | No |
Multimedia Capable | Yes | Yes | No |
Expected Time to Market | 8 Weeks | 3-4 Weeks | Varies |
Expense | $$$ | $$ | $$ |
Feature | 10DLC | Global 2-Way SMS | RCS | Over-the-top (Ex: WhatsApp) |
---|---|---|---|---|
Geographic availability | US (CAN as P2P) | Globally | Globally on wifi or cellular data | Globally on wifi or cellular data |
Voice-Capable | Yes | Yes | Yes | No |
SMS 2-Way | Yes | Yes | Yes | Yes |
Multimedia Capable | Yes | No | Yes | Yes |
Expected Time to Market | 1 Week | Varies | Varies | As soon as same-day |
Expense | $ | $$$ | $$ | $$ |
Historically there have been nerves about using SMS in healthcare because of sensitivity around protected health information (PHI) under HIPAA. Now, consumer demand has made it clear that people want the option to text their provider and 57% of patients are comfortable with even PHI like insurance information and test results traveling over SMS channels.
Covered entities under HIPAA are especially attuned to the importance of privacy and security. To leverage the accessibility of messaging while avoiding sending PHI over SMS, covered entities may choose to use SMS to direct patients to a secure patient portal to view PHI and communications from their healthcare provider. SMS can also allow two-factor authentication (2FA) to verify portal access and prevent unauthorized access to data and accounts.
While not all providers are covered entities subject to HIPAA, there’s no doubt that SMS texting still comes with specific parameters around the handling of PHI or other patient data, and patients should always opt in to messaging from their provider.
For some providers, patient choice— and consent— can be a path forward to sending updates and sharing information by SMS. More and more platforms are embracing transparency and optionality with their patients in order to create compliant and accessible communication channels under messaging regulations and under HIPAA.
There are many paths forward, so choosing a messaging provider who understands business texting in healthcare is essential. Platforms serving hospital networks, pharmacies, and other covered entities must align themselves with service providers that have the knowledge and expertise to provide them with the options for their HIPAA compliance strategy, should they determine it’s needed. Typically this includes a Business Associate Agreement, which is a specialized contract between entities to make sure PHI remains protected when it’s handled by your provider. (Bandwidth is well-versed in BAA arrangements and powers many platforms in the healthcare space.)
If your customers are covered entities subject to HIPAA, ensure you work with your legal counsel and customers to understand what patients agree to, whether your use cases include PHI, and that you’re using a messaging provider that provides a business associate agreement (BAA) for eligible use cases.
All messaging traffic must be registered to ensure it’s delivered to patients smoothly. Unregistered traffic is at a high risk of being blocked at the carrier or provider level, which could result in carrier fees or fines being imposed.
Short code campaign brief review and approval takes the longest time – often around 8 weeks – because it requires individual approval and testing by carriers. However, once complete, it provides the most mature channel for high volume business messaging.
Verification is required through the industry’s aggregator, and typically takes 3-4 weeks. It used to be that you could send toll-free traffic (at a lower throughput than verified numbers) once you submitted for verification, while your number(s) had “pending” status. As of January 31st, 2024, this is no longer the case. You must have completed verification before you can start sending on toll-free numbers. Note that Bandwidth offers an API to make the process more efficient.
10DLC registrations are generally the fastest number type to get up and running, but they still require A2P campaign registration through The Campaign Registry. Historically, businesses have sometimes been able to get unregistered traffic delivered, but that reality is quickly disappearing as registration becomes critical for the delivery for all business messages, and messaging providers shift to blocking unregistered traffic.
When you’re choosing a messaging provider, it’s important to ask how they’ll support your migration and onboarding progress, as standards of guidance vary widely in the industry. (Bandwidth is committed to providing free onboarding support, along with ongoing support packages that are designed to give you help whenever you need it most.)
Once your campaigns are properly registered, it’s important to make sure you don’t stray from their original use cases. That’s known as campaign drift, and it’s one of the reasons you can run into message blocking. So don’t let your customers switch from sending surgery appointment reminders, to advertising cosmetic botox treatments on the same campaign!
Message recipients must opt into a specific service from an explicitly identified sender. This opt-in, or consent, can’t be shared, sold/bought, or transferred to additional services or senders. Consent is granted by one recipient for one service. Carriers expect 1:1 consent records for all message types and those records can be easily pulled in the case of a blocking event.
Only the recipient has the authority to grant permission to senders. Inexplicit consent doesn’t grant the consent collector the authority to extend consent on the recipient’s behalf.
Note: Messaging phone numbers obtained from a shared, sold/bought, rented, or transferred consent list are not compliant. Senders using indirect consent lists have a very high likelihood of receiving a consent audit from our verification partner and/or carrier(s).
Opportunities for gaining consent:
Best practices for producing evidence of consent:
When a recipient grants a sender consent to message them on a recurring basis, a confirmation message must follow the opt-in. This message must include the following elements:
The sender of a messaging campaign must be clearly identified in the following places:
Example: “Hi [NAME], this is [DOCTOR/MEDICAL CENTER] reminding you about your appointment on [DATE/TIME]. To reschedule, reply R; to cancel, reply C. “
Engagement exhaustion is being reported as the top reason for end-user complaints. Carriers have implemented a requirement to disclose to the end user how often they will be contacted. One reason for this was engagement exhaustion due to receiving too many messages in a short amount of time. Consider how many messages a recipient would like to receive from a candidate and/or cause in a single day. For most people, one a day is enough – and for some, even that may be too much.
Example: “By selecting this checkbox you are agreeing to receive appointment reminders from [OFFICE/DOCTOR]”
Engagement exhaustion can also drive recipients to complain to carriers or report messages as SPAM to get them to stop, so it’s critical to provide the opt-out language conspicuously and frequently. Since recipients have the option to opt out of messages even if they have originally opted in to receive them, message senders must use the following guidelines:
Unwanted Messages (or Unwanted Messaging) include but are not limited to:
We recommend customers follow best practices for Toll-Free (A2P) messaging and the CTIA messaging principles and best practices, as well as check out the CTIA Short Code Monitoring Handbook. Though this handbook is about text messaging short codes, the same basic principles and rules apply. We also recommend customers follow these additional industry-sanctioned Short Code guidelines.
Here are the best practices that customers can follow to prevent the flow of Text Messaging SPAM on their messaging campaigns.. This type of SPAM traffic runs the risk of being BLOCKED by either Bandwidth or by a downstream provider:
Text messages with content that’s directly or remotely related to these categories will most likely be blocked as SPAM by either Bandwidth and/or one or more Tier 1 Mobile Network/Handset operators in the U.S.
The single most important practice is ensuring you have accurate, reliable opt-ins specific to the type of messages you’re sending consumers. Generally, opt-out rates are consistently low when you have obtained reliable and clear consumer opt-in consent. At any time, Bandwidth or other wireless carriers may request evidence of documented opt-in consent for a particular message sent from you (or your customers).
These same “free-public” URL shorteners are used by bad actors to evade detection and get their SPAM messages passed through text messaging platforms. Bandwidth encourages you to build custom URL shorteners that relate to your company or product name. They’re still free. If a custom URL shortener is found to be used for fraudulent purposes, Bandwidth can and will block messages containing them.
Bandwidth and partnering “downstream” carriers will block text messages that contain these publicly available URL shorteners:
Consumer opt-in and opt-out functionality is enforced at the network level via the STOP and UNSTOP keywords (this is available on toll-free only). This functionality can’t be disabled for service providers or message senders.
Message senders have obligations to process the opted-out consumer phone number, so it’s removed from all distribution lists and logged as “opted out” from SMS communications. This ensures that the withdrawal of consumer consent is honored and future messages aren’t attempted. As you track opt-out responses, it is best practice to keep a log of how many STOP responses you receive and monitor for increasing percentages of opt-out responses. Should a high number of end users begin opting out of your campaigns, carriers can note this behavior, draw the conclusion that your campaign is sending unwanted content, and begin blocking your content.
Examples of valid opt-out messages:
Using a single number for both text and voice calls is not only a best practice but also a better overall user experience, since patients can call and text the same number.
More importantly, you should avoid spreading messages across many source phone numbers, specifically to dilute reputation metrics and evade filters. This is referred to as “snowshoeing” and can result in your content being blocked. If your messaging use case requires the use of multiple numbers to distribute “similar” or “like” content, please discuss it with your Bandwidth rep (or other carrier rep).
Application, service, or business name should be included in the content of the body of your message(s).
Example:
“[Your Business Name]: You have an appointment for Tuesday, 3:00PM. Reply YES to confirm, NO to reschedule. Reply STOP to unsubscribe.”
Each campaign should be associated with a single, specific web domain owned by the customer. Although a full domain is preferred, a custom URL shortener may be used to deliver custom links.
Unfortunately, bad actors can also leverage these technological capabilities to commit crimes by defrauding, impersonating, and extorting innocent victims. The text messaging industry generally operates in a more lightly regulated environment than voice calling does, so text messaging service providers must be that much more vigilant on fraud prevention and mitigation best practices.
Types of common SMS fraud include:
SMS Phishing (Smishing), SMS Originator Spoofing, and Access Hacking
SIM Swap Fraud, SMS Roaming Intercept Fraud, SMS Malware (SMS Hacking)
MAP Global Title Faking, SCCP Global Title Faking, SMSC Compromise Fraud
Artificial Inflation of Traffic (AIT), Message Trashing, Spam, and other network or system manipulation
Bandwidth reserves the right to protect itself and its networks by stopping fraudulent traffic from traversing its networks. Under our Acceptable Use Policy, Bandwidth’s customers who send traffic that the telecommunications industry, government authorities, and Bandwidth consider being fraudulent, are at risk of having their traffic blocked – either by Bandwidth or any downstream service provider.
“Messaging enables us to have the highest engagement rate you could have with patients.”
Nimblr increases access to healthcare with Holly, an AI assistant which helps schedule appointments, initiate follow-ups, and manage payments online anytime 24/7. In fact, 30% of Holly’s conversations with patients take place outside of business hours. A necessary option for patients whose work schedules don’t allow mid-day calls.
Learn moreRectangle Health leverages SMS to help healthcare providers reach profitability. One practice that uses the Rectangle Health platform went from $8 million of accounts receivable to $3 million after giving patients the ability to pay via text. “What we find is that it’s not that patients don’t want to pay, but you need to make it easier to pay,” Howland says.
Learn moreSolutionreach gained insights that paved the way for improvements. Because you can’t manage what you can’t even measure. And before coming to Bandwidth, Solutionreach didn’t even have a clear picture of their delivery rates. Once they switched to Bandwidth, they were able to improve those rates to 95% across carriers.
Learn moreThe information provided is not intended to be used as legal advice or as a substitute for consulting your own legal counsel. Considerations may vary depending on the nature of your business. We encourage those sending messages to consult their legal counsel.
Get full access to your SMS best practices guide
Reach out to our experts to talk about how your platform can benefit from our best-in-class support, BAA-capability, and new Monitoring and Alerts.