Fifty-three phone calls per day — that’s the average for most healthcare providers. These calls typically take a minimum of two minutes, meaning practice staff spend nearly one-quarter of their workday on the phone with patients.
Text messages, however, are sent immediately and enable providers to effectively communicate with patients through a method they prefer. Two-way text messaging not only saves provider staff time by reducing the number of phone calls but also decreases no-shows and cancellations.
Just how effective is text messaging? Open rates for text messages average 97 percent compared to only 20 percent for email. And, SMS response rates are an astounding 295 percent higher than responses from phone calls.
More than half of consumers check their text messages 11 times a day or more and read them within 15 minutes of receiving them. Nearly 80 percent of patients want to receive text messages from their provider, and a majority prefer them over email, phone calls or patient portal messages.
Even a majority of providers seem to prefer text messaging over other communication methods. It’s estimated that 60-80 percent of clinical staff exchange text messages related to patient care.
Complying with HIPAA Rules and Regulations
Text messaging in healthcare is popular for numerous reasons. It offers providers and their teams a quick, affordable and scalable method to improve appointment attendance, fill scheduling gaps, remind patients of preventive screenings or payment responsibility and increase medical compliance – all without overwhelming staff.
Patients like the convenience of being able to respond to messages when and where they prefer. Research shows that text reminders can reduce missed appointments and help increase daily medication adherence in patients with chronic conditions.
To achieve all these advantages, healthcare providers must confirm that they satisfy the requirements for sending electronic protected health information (ePHI). The HIPAA Security Rule requires healthcare providers to implement safeguards to ensure the confidentiality, integrity and availability of ePHI so that it’s not accessed by unauthorized individuals. It also provides best practices to prevent identity theft and data breaches.
One of the ways providers and other healthcare organizations can enforce HIPAA compliance through texting is by verifying that all employees, affiliates, physicians and third-party contractors and vendors know and apply the rule’s guidelines for establishing technical safeguards for protecting PHI. We’ve compiled a list of five text messaging HIPAA rules to help you understand how to securely manage health information while reaping the benefits of a secure messaging solution.
1. Establish procedures and policies to manage who is authorized to access PHI when texting.
HIPAA requires that healthcare organizations and business associates safely manage who has the privilege and/or right to access, change or distribute sensitive health data. Therefore, access to PHI should be limited to only the amount of information necessary to perform a job.
It is up to each covered entity to determine which access controls, software and systems they use to manage authorized access to PHI related to text messaging software. However, the HIPAA Security Rule requires the following safeguards to ensure HIPAA compliance:
Unique User IDs
PHI must be accessed by someone with a trackable unique user identification name or number, which allows covered entities to hold authorized users accountable for their activity while logged into a system containing PHI. Secure text messaging programs require authorized users to use a unique ID to access, send, and receive any HIPAA-compliant text.
Emergency Access Procedures
In an emergency, covered entities must have operational workflows to access PHI. These workflows should consider what kind of emergencies might require urgent access and who should be granted rights to access PHI in such scenarios.
Any software containing or integrated with PHI — including a secure text messaging platform — must automatically log users off after a predetermined time of inactivity. This ensures no unauthorized access to PHI via text messages on someone else’s device.
Secure text messaging must be encrypted to prevent unauthorized access to PHI (or text messages). This makes it unreadable by anyone without permission to access it, especially if a device is stolen or lost. When securely texting PHI to another user in the same organization from a mobile device or organizational computer, both the sender and receiver must meet the encryption requirements in transit and at rest for a message containing PHI.
2. Implement audit and reporting controls for HIPAA-compliant texting.
The HIPAA Security Rule requires that covered entities and their business associates implement comprehensive audit controls and reporting procedures to document and review activity related to using PHI. It applies to any secure text messaging platform that sends messages, stores or manages PHI on organizational or personal computers, including mobile devices. It is up to the covered entity to determine what audit controls are reasonable and appropriate to protect patient data while messaging.
3. Ensure PHI is not improperly changed or destroyed during texting.
Maintaining the integrity of sensitive health information is essential, which is why HIPAA states that PHI must not be “altered or destroyed in an unauthorized manner.” If patient information is accidentally or intentionally changed by human error or an information system failure, the integrity of the data is compromised. For secure, HIPAA-compliant texting, technical safeguards must be in place to verify that data integrity is not at risk of being compromised.
4. Provide proof of identity before sending and receiving messages.
All users who access PHI must authenticate their identity. A secure text messaging program can comply with this rule by requiring users to log in with something unique to them. A user is authenticated when the unique credentials match what is stored in the system. Methods of authentication in compliance with HIPAA may include:
- Password or pin
- Smart card, key, or token
- Biometric identifiers, such as a fingerprint, facial recognition, or voice pattern
Healthcare professionals who send and receive HIPAA-compliant text messages from their mobile devices must use some credentials to authenticate their identity.
5. Guard against unauthorized access to PHI during transmission.
For compliance with HIPAA rules and secure messaging, it’s essential to establish privacy and security measures that prevent unauthorized access to PHI from any mobile device. Covered entities must meet the following two specifications:
Protect the Integrity of PHI During Transmission
Similar to the HIPAA Security Rule, covered entities must verify that “the data sent is the same as the data received.” This can be achieved by establishing network communication protocols.
Encrypt PHI During Transmission
Like HIPAA recommendations, covered entities should ensure PHI is encrypted when sent over the internet. Because secure texting relies on an internet connection to send and receive messages, HIPAA requires entities to use encryption and other reasonable safeguards to ensure data is encoded or unreadable to unauthorized users. It is up to each entity to determine how they use encryption by assessing the level of risk involved.
When communicating patient information via secure texting on personal mobile devices, following HIPAA guidelines is imperative to prevent costly security breaches. By complying with HIPAA rules, healthcare providers can ensure the safety and security of their practice while offering patients the convenience of seamless communication with their providers.