5 HIPAA Mistakes every Practice should Avoid when Texting Patients

Effective and regular communication between patient and provider entities is crucial to maintain a smooth practice workflow and to make sure patient enquiries and needs are taken care of at all times. It is, therefore, required of the providers to adopt effective digital communication strategies that are commensurate to the everchanging needs and preferences of patients. Texting, among many other useful communication tools, transcends the need for patients and physicians to be physically and painstakingly tending to matters such as administering transactions, scheduling appointments, patient conversations and gaining feedback, etc.; these activities can be effected remotely with just a few keystrokes. However, this panacea can sometimes prove to be dodgy, particularly in face of HIPAA regulations. Disregarding these set rules, unintentionally or otherwise, can draw hefty fines and penalties.

Here are some mistakes that practitioners need to elude while texting patients:

Using unsecure texting platforms:

While it can be tempting to simply text patients via personal smartphones, providers need to be mindful of the fact that they might be discussing confidential information. The texting system being used needs to have a substantial level of encryption in order to protect the sensitive data. To maintain the security of the data being exchanged, providers must make sure that their preferred texting solution is sufficiently encrypted; at every level from physician to patient, and is HIPAA compliant. It is also important to ensure that the system developed is able to track status of messages and communicated information, identify sender and receiver, and integrate the generated patterns of information safely into your current practice management solution.

Texting patients without opt-in

One of the most crucial aspects of a successful patient texting system is patient consent. Texting patients without their expressed consent can be a HIPAA violation, and may also see your practice on the wrong side of various other regulators. Receiving patient consent is not very daunting after all.  It can be accomplished by encouraging patients to be the ones making first contact by including your phone number on your website along with a simple message like “text us at [number]”. Should that sound too difficult, you can simply ask patients to opt-in when they come to the practice.

Moreover, to avoid any potential HIPAA violations, include a disclaimer, on the sign-up form of your website, that providing any contact information gives the practice the right to use the given channels of communication. Finally, also include a method of opting-out, should patients no longer wish to communicate over text.

Sharing PHI

Once consent is acquired for texting, the next step is to acquire consent for sharing personal health information (PHI). Not all patients will sign up for text message communications in order to have medical conversations. Some will simply want it for scheduling and reminders, so it is important to get consent before sharing any PHI. This is a handy way of knowing which patients would be looking for these types of conversations over text, and will also protect the practice from any legal trouble    that could arise from an unapproved sharing of PHI.

Wrong employees having access

Outside interference isn’t the only thing to worry about when sharing PHI. Wrong employees somehow gaining access to the devices used for communication can be just as disastrous, leading to problems like insurance fraud or identity theft. Even the most secure system won’t be of any use if you simply leave the device lying around where anyone can use it. Managing authorization logs that only allow the right people have access is a crucial component of a secure text messaging system.

Failure to implement access controls, to determine who can view what fraction of a certain PHI, can be avoided by assigning different phone numbers and dashboards to each authorized employee to handle patient communication with discretion.

Sending messages to unauthorized individuals: This is bit of a silly one, and one arguably we’ve all been guilty of, practitioners or not, at some point in our lives. However, the universality of this act does not make it less culpable. Mis-mailing can result in unauthorized release of PHI to individuals not authorized to receive or view the information.

As disastrous as it can be, this problem is easily preventable. Front desk staff will need to take the lead on this; confirming patient information every time they get in.

Patients want to ask you questions and hold conversations through text, but it's important that they are confirmed via opt-in before sending messages. Texting is a great way to stay in touch with your patients. You can text them for scheduling and reminders, or talk about their care the whole time! It's important that you ask if they're okay with messages from you during treatment. How do you make sure this happens? First, start by adding it as a question on patient paperwork. For example: "Would you like us to text message or email with updates about your care?" As long as patients have opted into receiving texts about care related to PHI, you're good to go. Patients can also easily opt-out of any message they do not want at their fingertips by texting stop followed by checking anytime during the day or night for an immediate response.

E-mail me when people leave their comments –

Summer Larson background in healthcare stretches over 11 years. He is a well-renowned health IT expert and contributes regularly to popular blogs and websites. She covers topics ranging from health reforms to the application of IT in healthcare. In 2013 he formed EMR Specialist, a company specializing in assisting providers with the adoption and implementation of electronic health records (EHR) and working with EHR vendors on usability and certification projects. Summer Larson is also an avid Star Wars fan.

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)