*** DISCLAIMER: Please note that our advice is for informational purposes only. It’s not meant to substitute for advice from qualified legal counsel. ***

Sending HIPAA compliant text messages matters because text messaging isn’t a secure messaging technology.

Telecommunications carriers store all text messages, texts aren't encrypted and most phones don’t have strong password protection.

In the life of a text message, it goes through various carriers and gets stored on their servers. When a message is “at rest” the data is being stored locally on the recipient’s phone. This makes the content of a message vulnerable at every storage point.

Additionally, mobile devices can also get lost or stolen. This exposes PHI to identify theft.

HIPAA violations are also a serious affair. The penalties for HIPAA violations can range from $100 to $50,000 per day depending on the severity of the violation.

Table of Contents:

  1. What is HIPAA & Personal Health Information?

  2. Why aren't text messages HIPAA compliant?

  3. How to send HIPAA compliant text messages

  4. HIPAA compliant templates

What is HIPAA & Personal Health Information?

HIPAA stands for the Health Insurance Portability and Accountability Act (1996).

HIPAA is an act designed to keep protected health information (PHI) and patient privacy safe.

For any messaging technology to be HIPAA compliant, all messages related to protected health information (PHI) need to be encrypted. Texts also have to be stored securely while in transit, not just while sending and receiving.

PHI constitutes all individually identifiable health information. Any identifiers or information like first name, last name, birthday, or address are all considered PHI.

Why aren't text messages HIPAA compliant?

1. Telecom carriers store all text messages as data in a server

2. Text messages (as a technology) aren’t natively encrypted

3. Password protection on normal phones and text messaging apps isn’t secure enough

How to send HIPAA compliant text messages

Transactional vs. Promotional Messages

Getting consent is a general text messaging best practice and just normal texting etiquette. It’s also a texting requirement that all healthcare organizations are subject to under the Telephone Consumer Protection Act (TCPA).

To establish consent, you need to know the difference between transactional and promotional text messages for patient communication.

Transactional messages establish implied consent. These texts help facilitate, complete, or confirm a previously agreed-upon business type transaction or relationship.

Has your patient already scheduled an appointment with your office? If yes, then their consent is implied because of your already established transactional relationship. This makes it ok to text appointment reminders.

Promotional messages require express consent. These are all the other texts that don’t directly involve an already existing business type transaction or relationship.

Has your patient given you their express consent (written or verbally) to receive texts? If not, then you don’t have permission to send them promotional texts or share any medical information.

Transactional Text Messages
(implied consent)

Promotional Text Messages
(express consent - written or verbal)

Appointment reminders

Schedule next appointment

Checkup reminders

Advertising new services or products

No-show / missed appointment reminders

Health care tips

Check in and room ready reminders

Patient satisfaction surveys and polls

Opt-in & Opt-out management

All patients need a way to opt-in and out of text messaging from your office. This is part of the TCPA guidelines and best practices.

Many business text messaging platforms like MessageDesk have built-in opt-in and opt-out management systems. You get an easy and user-friendly way to see who has and hasn’t opted into messaging.

If your office texts a patient for the first time, MessageDesk will automatically send an opt-out message. This message tells the patient how to opt-out of text messages by responding, STOP.

If a patient opts-out and texts STOP, a guard is placed on their number. This prevents you and your office from texting the patient until they opt back into messaging.

HIPAA compliant templates

Appointment Reminder Text Message Template:

You have an appointment with {{ OrganizationName }} on {{ Date }}. Reply “yes” to confirm or “no” to cancel. Feel free to respond to this text with questions. When you arrive, you may come in or reply to this text to check-in. Please call {{ OrganizationPhone }} if you do not receive a response.

Checked in Text Message Template:

Thank you! We have you Checked In. We will let you know as soon as your room is ready. 

No Show or Missed Appointment Text:

We missed you today! This is {{ OrganizationName }} notifying you that you missed your appointment with us on [ date ] at [ time ]. Please call us at {{ OrganizationPhone }}  to reschedule.

Office Updates and Availability Text Message Template:

Please be advised that parking for {{ OrganizationName }} is currently limited due to roadwork. Please plan ahead accordingly. We apologize for any inconvenience.

COVID 19 Guidelines Text Message Template:

Please review our COVID-19 Guidelines BEFORE your appointment. [ link ]

*** DISCLAIMER: Please note that our advice is for informational purposes only. It’s not meant to substitute for advice from qualified legal counsel. ***

Did this answer your question?