7 Rules to HIPAA Compliant Text Messages

Using SMS texting to communicate with patients and other healthcare providers is fast, easy and convenient. But first, you must ensure that you’re in compliance with HIPAA (Health Insurance Portability and Accountability Act) laws. This article will review the seven rules of HIPAA-compliant text messages.

Rule #1: Get Permission

Before sending text messages to your patients, you have to get their permission first. Express written consent requires that you need some form of documentation, like a text message reply or an online form submission, to show that the recipient agreed to receive text messages.

Rule #2: Control Access

When it comes to sending HIPAA-compliant text messages, healthcare organizations must also warn their patients about the risks of unauthorized disclosure of Protected Health Information (PHI). This is when someone other than the patient or their healthcare provider accesses sensitive patient information. To comply with HIPAA, you must warn your patients in writing about this risk.

Healthcare providers must also implement controls to limit access to PHI and what authorized users can do with PHI when they access it.

The HIPAA Security Rule requires these access control precautions:

• Unique user IDs: Authorized users must each have a unique identification, such as an ID number or username while accessing a system with PHI. This includes SMS text messaging platforms which require a unique ID to access, send and receive HIPAA-compliant text messages.
• Emergency access procedures: Healthcare providers should consider what kind of emergencies might require urgent access to PHI and who should have access in these situations.
• Automatic logoff: Any platform that works with PHI must automatically log off users after a specified time of inactivity. This ensures no unauthorized individuals can access PHI on someone else’s device if it’s left unattended.
• Encrypted messages: Secure text messaging must be encrypted to prevent unauthorized access to PHI, particularly if a device has been lost or stolen.

Rule #3: Only Send Secure Messages

As mentioned above, you must ensure that HIPAA-compliant text messages are encrypted on all devices for both senders and recipients. Text messages are typically not secure while in transit because cellular carriers or other third parties can access them.

You should encrypt all messages to protect PHI, particularly if using personal devices to communicate or access sensitive patient data. We recommend using TLS/SSL encryption across all server nodes or a similar encryption method.

Rule #4: Use Multi-Factor Authentication (MFA)

To send text messages that contain PHI, you should implement multi-factor authentication (MFA). MFA requires that users prove their identity by logging in with something unique to them. This typically involves a traditional username and password combined with another layer of security. These include one-time passcodes sent to your mobile device or a biometric identifier such as your fingerprint, face or voice.

Rule #5: Limit Information Sent Via Text

Although text messaging is a quick and convenient way to get in touch with patients, you must take the proper precautions to protect your patients’ privacy. By limiting what kind of information you send in your text messages, you can reduce the risk of PHI falling into unauthorized hands.

We recommend using SMS texting to send information about:

• Appointments and appointment reminders
• Registration instructions
• Pre- and post-operative instructions
• Test result notifications
• Prescription notifications
• Home healthcare information and instructions

Texting patients a link to log into an online patient portal is preferable to sharing private information directly.

Rule #6: Keep Accurate Records of All Messages

You are only compliant when you successfully pass a HIPAA audit. Therefore, you should always be ready to provide evidence of the systems that record all PHI-sharing activities in case of an audit.

To prove compliance, HIPAA-compliant text message platforms will automatically document how administrators manage authorized users and security policies, along with authentication events and message read receipts. In addition, using a secure SMS marketing platform allows you to rest easy knowing that your text messages are appropriately recorded for future audits.

Rule #7: Erase Data in Case of Theft

Mobile devices offer a convenient way to access all kinds of information, including PHI. However, smartphones and other mobile devices can also be easily lost or stolen, which can put your HIPAA compliance at risk. To eliminate the possibility of unauthorized access, you should ensure that you can remotely delete PHI from a stolen or lost device.

Start Sending HIPAA-Compliant Text Messages With Textedly Today

Many hospitals, medical professionals and healthcare organizations have started using SMS text messaging solutions to improve care and patient communications. If you’re ready to try using SMS for healthcare, Textedly can help.

Textedly’s user-friendly platform offers powerful features from scheduled text messages to emergency alerts, ensuring that your patients have the healthcare information they need. 

In addition, our secure platform protects sensitive patient information so you can rest easy knowing you’re only sending HIPAA-compliant text messages.

Get started with a free 14-day trial of Textedly today.