Is your SMS messaging HIPAA-compliant in the US

Advanced SMS guides 3 min read Mar 2021 |   Author: Team MessageMedia

As studies prove that text messaging is an effective and efficient tool for communication strategies, many healthcare organisations, hospitals and systems are beginning to follow suit. There are numerous ways it can help grow your practice, uplift attendance rates and improve patient outcomes.

If you are sending healthcare text messaging in the US, additional conditions must be considered. While businesses are most concerned about meeting FCC regulations, healthcare systems sending to US citizens or mobile numbers should also be aware of HIPAA regulations. If you are using SMS, you must confirm that your messaging is HIPAA-compliant.

The United States’ Health Insurance Portability and Accountability Act (HIPAA) states that a patient’s protected health information (PHI) must stay protected by healthcare providers and covered entities who utilise electronic communications such as SMS.

If HIPAA compliance is not followed, your business or practice could face substantial penalties. According to the HIPAA journal, a single breach could cost up to $50,000 USD.

As a secure messaging platform, we are well versed in precautions healthcare industries should take.  

Is SMS texting HIPAA compliant

Because patient information, including personal identifiers, requires additional protection and security measures to ensure privacy, SMS is not always HIPAA-compliant. According to the HIPAA security rule, encryption is a crucial requirement for the transit of electronic communications between patients and providers. 

MessageMedia’s SMS messaging service meets HIPAA requirements and has all the security measures and protocols required to ensure your messages are encrypted in transit and at rest. It is, however, up to healthcare providers and practices to ensure their messaging content complies with HIPAA rules.

Top tip: encryption means data gets concealed by converting it into a code

Not all secure messaging platforms and providers will meet HIPAA requirements. SMS technology did not initially get built for messages to get sent with encryption. This means that other users may gain unauthorised access to sensitive information, such as PHI, through illegal or accidental means. 

Ensure you do your due diligence when choosing a provider to work with.

Best practice tips to send secure HIPAA SMS

In 2013, HIPAA enacted a final omnibus ruling stating that as long as healthcare providers adhered to three specific conditions, they could send PHI over unencrypted emails. In 2018, the Director of the HIPAA enforcement agency Roger Severino came out to say he believes the same rules should apply to text messaging and other forms of communication.

To send and receive PHI communications to patients over unencrypted channels, the provider must:

1. Inform the patient of the encryption risk
2. Gain authorisation that the patient is willing to accept the risk
3. Document the patient’s consent

Additionally, we also recommend healthcare providers:

• Acquire and document consent for all communications
• Check and maintain correct phone records by requiring 2FA (2-factor authentication) when first onboarding
•  Send SMS reminders to patients to update their contact details regularly
• Always include the option for patients to opt-out of receiving SMS
• Make communications single purpose (i.e. do not combine appointment reminders and marketing in the same message)
• Educate and train all healthcare staff on the proper use and misuse of SMS messaging (as well as what constitutes a HIPAA violation)

Keep in mind, if healthcare communications do not contain PHI, HIPAA rules do not apply.

NOTE: This article is not legal advice. MessageMedia will not be responsible for any reliance or action you take due to this article’s content.

Examples of HIPAA-compliant text messages

Despite the stringent rules around sending secure text messaging in healthcare, there are many ways you can still comply with HIPAA regulations. If you send a message that pertains directly to a patient’s health but does not contain PHI, it is exempt from requiring a patient’s consent.

Here are a few samples of secure healthcare text messages.

1. Appointment confirmations

TEMPLATE: Hi #NAME#, your appointment on #DATE# with #DOCTOR# is now confirmed. If you need to reschedule, please reply Y or text STOP to opt-out.

2. Prescription reminders

TEMPLATE: Hi #NAME#, this is a reminder that you will need to refill your #MEDICATION# prescription soon. You have 2 scripts left. Txt STOP to opt-out.

3. Patient follow-ups

TEMPLATE: Hi #NAME#, this is Jan from #DOCTOR# office. How are the new medications going? If you are experiencing headaches, please stop taking them immediately. Txt STOP to opt-out.

4. Staff communications

TEMPLATE: Hi #NAME#, we need someone to cover a shift tomorrow from 9 AM till 2 PM. Would you be available? Text back Y or STOP to opt-out.

Other advantages of texting in the healthcare industry 

Sending healthcare communications can be very beneficial to your practice. One of our customers cut their staff agency costs by 20% by using SMS to fill vacant shifts.

Consider all the different ways you can use SMS to engage with and create better relationships with your patients. Make sure to check out:

• Grab more ready-to-use SMS templates for healthcare
• 6 ways text messaging in healthcare can improve patient outcomes
• How to reduce no-shows with patient text reminders
• Learn how SMS improves efficiencies in medical centres