With the proliferation of mobile technologies and a steady shift toward smartphone interactions as a predominant mode of communications for many consumers, you may be considering texting as a more effective and efficient way to communicate among providers and/or with patients. No legislation specifically prohibits you from doing so, not even HIPAA. However, this does not mean that mobile communications with patients is without risks and there are considerations that a covered health provider should address when determining whether to allow texting between your organization and patients (or texting between health providers). In other words, proceed with caution.

In addition to the security risks associated with texting (unauthorized access to ePHI, lost/stolen device, unencrypted texts etc.), there may also be liability from a legal perspective. If protected health information is included in texts between a provider and patient, the messages may be subject to HIPAA in more ways that just security. These texts could become part of the patient’s designated record set and/or the legal health record. As such, the provider may need to save texts for a legally required period of time – allowing the patient to access and amend the text messages. If the provider chooses to delete the texts for security purposes, they may be violating the law with regards to retention requirements.

If after weighing the associated risks, your practice determines that it is interested in communicating to patients via text, we would urge you to implement policies and procedures that establish safeguards and reduce liability exposure.

5 tips to creating effective policies:

  1. Make sure patients sign a consent form allowing for communication between provider and patient via text. This consent form should be maintained in the patient’s medical record.
  2. If texting between provider and patient, only include non-urgent information (i.e. appointment reminders; prescription refills) If there is a patient portal, you could send a text alert that says “You have a message from Center for Youth Wellness. Please log in to your account to see the message” as a safer approach
  3. Don’t include any information that is specific and identifiable such as patient ID numbers, treatment details or condition names.
  4. Ensure the number being utilized is the appropriate patient’s number to send texts to.
  5. If the text is related to patient treatment, the contents of the text should be incorporated into their medical record.
  6. Have a mobile device management plan in place to improve security within your organization, to include, but not limited to:
    • Encryption of mobile devices
    • Password protection
    • Guidelines on whether employees can use their own devices or if texts should only be sent from devices which are company owned
    • Monitoring/audit of all text messages
    • Use of applications that will allow the phone to verify a device prior to sending (similar to credit card companies that allow you to verify your phone prior to data being sent)

In the end, reaching your patients where they are (which is increasingly their cell phone) can be a powerful way to stay connected and positively influence health behaviors. Just know that there are considerable risks to manage, and that you must be diligent in the development of, and adherence to, texting policies to keep your organization in the clear.

Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.