Messaging while remaining HIPAA compliant

HIPAA places many limits on messaging. Learn what they are and how to avoid them.

Written by Josh
Updated over a week ago

*** DISCLAIMER: Please note that our advice is for informational purposes only. It’s not meant to substitute for advice from qualified legal counsel. ***

Sending HIPAA compliant text messages matters because text messaging isn’t a secure messaging technology.

Telecommunications carriers store all text messages, texts aren't encrypted, and most phones don’t have strong password protection.

Over its life, a text message passes through various carriers and gets stored on their servers. When a message is “at rest,” the data is stored locally on the recipient’s phone. This makes the content of a message vulnerable at every storage point.

Mobile devices can also get lost or stolen. This exposes PHI to identity theft.

HIPAA violations are also a serious affair. The penalties for HIPAA violations can range from $100 to $50,000 per day depending on the severity of the violation.

What is HIPAA & Personal Health Information?

HIPAA stands for the Health Insurance Portability and Accountability Act (1996).

HIPAA is an act designed to keep protected health information (PHI) and patient privacy safe.

For any messaging technology to be HIPAA compliant, all messages related to protected health information (PHI) need to be encrypted. Texts also have to be stored securely, not just protected while being sent and received.

PHI constitutes all individually identifiable health information. Any identifiers or information like first name, last name, birthday, or address are all considered PHI.

Why aren't text messages HIPAA compliant?

1. Telecom carriers store all text messages as data in a server

2. Text messages (as a technology) aren’t natively encrypted

3. Password protection on normal phones and text messaging apps isn’t secure enough

How to send HIPAA compliant text messages

Transactional vs. Promotional Messages

Getting consent is a general text messaging best practice and just normal texting etiquette. It’s also a texting requirement that all healthcare organizations are subject to under the Telephone Consumer Protection Act (TCPA).

To establish consent, you need to know the difference between transactional and promotional text messages for patient communication.

Transactional messages establish implied consent. These texts help facilitate, complete, or confirm a previously agreed-upon business type transaction or relationship.

Has your patient already scheduled an appointment with your office? If yes, then their consent is implied because of your already established transactional relationship. This makes it ok to text appointment reminders.

Promotional messages require express consent. These are all the other texts that don’t directly involve an already existing business type transaction or relationship.

Has your patient given you their express consent (written or verbally) to receive texts? If not, then you don’t have permission to send them promotional texts or share any medical information.

Transactional Text Messages (implied consent):

Appointment reminders
Checkup reminders
No-show / missed appointment reminders
Check in and room ready reminders

Promotional Text Messages (express consent - written or verbal):

Schedule next appointment
Advertising new services or products
Health care tips
Patient satisfaction surveys and polls

Opt-in & Opt-out management

All patients need a way to opt in and out of text messaging from your office. This is part of the TCPA guidelines and best practices.

Many business text messaging platforms like MessageDesk have built-in opt-in and opt-out management systems. You get an easy and user-friendly way to see who has and hasn’t opted into messaging.

If your office texts a patient for the first time, MessageDesk will automatically send an opt-out message. This message tells the patient how to opt out of text messages by replying STOP.

If a patient opts out by texting STOP, a guard is placed on their number. This prevents you and your office from texting the patient until they opt back into messaging.

HIPAA compliant templates

Appointment Reminder Text Message Template:

You have an appointment with {{ OrganizationName }} on {{ Date }}. Reply “yes” to confirm or “no” to cancel. Feel free to respond to this text with questions. When you arrive, you may come in or reply to this text to check-in. Please call {{ OrganizationPhone }} if you do not receive a response.

Checked in Text Message Template:

Thank you! We have you Checked In. We will let you know as soon as your room is ready. 

No Show or Missed Appointment Text:

We missed you today! This is {{ OrganizationName }} notifying you that you missed your appointment with us on [ date ] at [ time ]. Please call us at {{ OrganizationPhone }} to reschedule.

Office Updates and Availability Text Message Template:

Please be advised that parking for {{ OrganizationName }} is currently limited due to roadwork. Please plan ahead accordingly. We apologize for any inconvenience.

COVID 19 Guidelines Text Message Template:

 Please review our COVID-19 Guidelines BEFORE your appointment. [ link ]
