If yours is like most practices, you probably have an increasing number of patients who want to communicate with your staff electronically. You want to provide the best patient care, and texting and emailing with patients is a convenient and effective way to enhance your services. But many providers are shying away from patient communications via text messaging due to confusion over HIPAA compliance.
Key: You need to find the right balance between access and control, says HIPAA compliance expert Jim Sheldon-Dean in his Audio Educator training session, “HIPAA & Patient Communication: How to Handle Text, Email, and Access Issues.” You can indeed integrate texting and emailing into your patient communications in a compliant way—and now patients have a legal right under HIPAA to communicate with providers in the manner of their choosing.
Create an ‘Opt-In’ Agreement
Problem: Unfortunately, if you’re looking for clear instructions from the U.S. Department of Health and Human Services (HHS) on exactly how to make texting with patients secure, you won’t find solid answers. On its FAQs webpage, HHS simply states that the HIPAA Privacy Rule “allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
Solutions: But there are certain steps you can take to make text communications more secure, and therefore more HIPAA-compliant:
- Obtain patient consent before contacting them via text message or email. Commonly referred to as an “opt-in agreement,” you should have patients sign a consent form before engaging in electronic communications with them, advised Bridge LLC in a recent tutorial. And make sure you keep patients’ signed agreements and acceptance in their medical records.
Essentials: The Center for Care Innovations recommends that you include the following items in your consent form:
- A statement that the patient agrees to receive text messages;
- An explanation of the service (what the text messages will be for);
- An explanation of the benefits (how the patient may benefit from the text message service);
- The potential risks, including those related to the potential loss of privacy/Protected Health Information (PHI) if the patient loses his phone or someone else accesses his phone;
- A disclaimer of potential cost to the patient if his cell phone carrier charges them per text message;
- How to opt-out or cancel the text message service;
- The option for choosing a language preference, if you’re offering text messaging in multiple languages;
- The patient’s cell phone number; and
- The patient’s name and signature indicating acceptance.
Use Education & Encryption to Safeguard PHI
- Educate your patients. In addition to advising your patients of the privacy and security risks in the opt-in agreement, you should also strive to find other ways to educate patients and encourage them to protect their devices with passwords and enable automatic logoff, Bridge stressed. Consider creating an informational campaign to make patients aware of safety issues.
Also, you should allow alternative communication options upon patient request and make these options clearly visible in the text message body, Bridge recommended.
- Activate data encryption on your devices. You can’t force each and every patient to utilize data encryption on their smartphones, but you can activate data encryption on all your staff’s mobile devices. You should look into and install data encryption software for your practice, advised Kennedy Attorneys & Counselors at Law in a recent tutorial.
How it works: “Data encryption involves converting data into a secret code,” Kennedy Attorneys explained. To open an encrypted file, the user must decrypt it using a secret key or password.
Ensure Your Staff’s Compliance
- Create a text message usage policy. In addition to the patient opt-in agreement, you should also have a detailed text message policy for your staff. Kennedy Attorneys advised that you should make sure your policy includes details on the following:
- Restrictions on who can send or receive texts to/from patients;
- What kinds of information or topics staff may address via text messages;
- The amount of time to respond to text messages;
- Instructions on how to escalate important texts; and
- How staff should transfer data from text messages to the patient’s record.
Bottom line: Using email and text messaging to communicate with patients isn’t off-limits under HIPAA, but you still need to take precautions, Sheldon-Dean stresses. And if you follow the steps above, understand what can go wrong to mitigate the risks, and know how to address a PHI breach, you will be well on your way to communicating with your patients via text while at the same time safeguarding the privacy and security of their PHI.