
Enhancing Medical Practice Communication with HIPAA-Compliant SMS Messaging

If you're a physician or manage a medical practice, incorporating SMS messaging into your communication strategy can yield significant benefits. These messages can minimize no-show appointments, improve provider-patient interactions, and enhance care/dosage instructions—all while saving your practice valuable resources.

 

However, implementing healthcare SMS and text messaging is not a turnkey process. Since these messages could contain protected health information (PHI), they must comply with the stringent requirements of HIPAA. A breach could expose PHI, leading to penalties, fines, and a loss of patient trust.

Let’s explore the benefits of adding SMS to your medical practice communications, how to ensure HIPAA compliance, and key considerations when choosing a HIPAA-eligible SMS provider.

 

The Benefits of SMS in Healthcare

The most apparent benefit for many healthcare providers is that SMS reminders help patients keep appointments and reduce no-shows. Automating tasks like appointment reminders also frees up time for office staff.

But SMS goes beyond appointment reminders. It's becoming a tool for providing ongoing care. Medical practices use SMS to remind patients to take their medication, conduct digital health surveys, and provide surgery protocols and instructions.

For example, Cipherhealth, an end-to-end patient engagement platform, needed a rapid way to offer healthcare providers a screening and outreach system to better allocate limited resources.

Healthcare providers also use SMS for emergency and crisis communications. This use case has grown during global pandemics and other crises. Additionally, SMS can manage last-minute cancellations by notifying patients on a waitlist, streamlining the rescheduling process with a single-word response.

SMS technology also enables healthcare providers to communicate wait times to patients, setting clear expectations for those seeking walk-in appointments. This is similar to how restaurants notify patrons when their table is ready.

New use cases for healthcare SMS continue to emerge, with the healthcare industry leading in SMS adoption.

 

Is Text Messaging HIPAA Compliant?

You might be wondering if text messaging is HIPAA compliant. The short answer is no, not inherently. PHI is held to higher security and privacy standards than other types of information, creating challenges for HIPAA and texting.

SMS is not a secure form of communication because messages are delivered unencrypted to and from personal mobile devices. There's no guarantee that messages aren't accessed by unintended recipients once they reach the device. Additionally, telecommunications providers transmitting these messages are not subject to HIPAA regulations.

However, HIPAA rules only apply to communications containing PHI. Messages sent without PHI are not subject to the same scrutiny.

Despite these challenges, SMS can be used compliantly if providers take necessary steps to acquire opt-ins and protect PHI.

 

Using SMS in a Compliant Manner

HIPAA does not explicitly state that SMS can be used to send ePHI to patients. However, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), has commented that sending PHI to patients via SMS is acceptable if patients are warned that texting is not secure, they authorize the communication, and their consent is documented.

Although Severino's comments are not official HIPAA policy, they align with the 2013 HIPAA Omnibus Final Rule, which allowed sending ePHI to patients through unencrypted email.

Other best practices include:

  • Verifying the phone number: Use a two-factor authentication process to send a code to the patient to verify their identity and mobile device.
  • Periodically double-checking: Verify the phone number on file during patient visits.
  • Using a HIPAA-eligible SMS provider: Choose providers that offer HIPAA-compliant tools and safeguards.
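The checks above (a verified number, a warning that texting is not secure, and documented authorization) can be enforced as a gate in front of any PHI-bearing message. The sketch below is an added example, not code from this page or from any SMS provider. The `Patient` record, the function names, the 10-minute code lifetime and the 5-attempt limit are all assumptions.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass
from typing import Optional

CODE_TTL = 600     # seconds a code stays valid (assumed policy value)
MAX_ATTEMPTS = 5   # wrong guesses before the code is discarded (assumed)

@dataclass
class Patient:                       # hypothetical record, not a real API
    phone: str                       # number currently on file
    verified_phone: Optional[str] = None
    consent: Optional[dict] = None   # documented authorization, kept for audit
    pending: Optional[dict] = None   # outstanding verification challenge

def _now(now):
    return time.time() if now is None else now

def _digest(code: str, salt: bytes) -> bytes:
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()

def start_verification(p: Patient, now=None) -> str:
    """Return a 6-digit code for the caller to text to p.phone; store only its digest."""
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    p.pending = {"phone": p.phone, "salt": salt, "digest": _digest(code, salt),
                 "expires": _now(now) + CODE_TTL, "tries": 0}
    return code

def confirm_verification(p: Patient, submitted: str, now=None) -> bool:
    ch = p.pending
    if ch is None or _now(now) > ch["expires"] or ch["tries"] >= MAX_ATTEMPTS:
        p.pending = None             # expired or guessed too often: start over
        return False
    ch["tries"] += 1
    if hmac.compare_digest(_digest(submitted, ch["salt"]), ch["digest"]):
        p.verified_phone, p.pending = ch["phone"], None
        return True
    return False

def record_consent(p: Patient, warned_insecure: bool, authorized: bool, now=None) -> bool:
    """Document consent only if the patient was warned and authorized texting."""
    if not (warned_insecure and authorized):
        return False
    p.consent = {"phone": p.phone, "warned_insecure": True,
                 "authorized": True, "recorded_at": _now(now)}
    return True

def may_send(p: Patient, contains_phi: bool) -> bool:
    if not contains_phi:             # the page: HIPAA rules apply only to PHI
        return True
    c = p.consent
    return bool(c) and p.verified_phone == p.phone == c["phone"]
```

Because both the verification and the consent record are bound to a specific number, updating the number on file after a visit closes the gate until the new number is verified and consent is documented again.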

 


 

Choosing a HIPAA-Eligible SMS Provider

When selecting a vendor for SMS communication with patients, ensure the provider supports your legal obligations under HIPAA. Consider feature sets that meet your practice's unique needs, such as tiered access and administration controls for PHI. Evaluate the support system for assistance in case of a breach.

Start Communicating with Patients Using SMS

To proceed with Twilio as your message provider, add a BAA to your Terms of Service and ensure your system is appropriately architected for HIPAA. If you're already a Twilio customer seeking a BAA for HIPAA compliance, contact your account manager or request a sales consultation. 

Implementing SMS messaging in your medical practice can enhance communication and patient care while maintaining compliance with HIPAA regulations.