Question
Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
"We are implementing text message communications in our office mostly for appointment reminders and I am not sure how to do it correctly under HIPAA. The company we are signing up with doesn’t seem to think we need to do anything other than allow patients to opt out, but I thought all communication had to be encrypted."
Is It PHI?
Thank you for your question! In today’s world every office needs to be able to use texting and email for communication, so I am glad we can address this. Let’s see what the HIPAA law has to say about communicating with patients via text messages.
Our first step is always to ask whether the information being transmitted is considered protected health information. Here, the answer is clearly yes. The patient's name, along with any details regarding an appointment or treatment, is PHI, so HIPAA applies.
Three Exceptions
Next, we need to figure out when HIPAA allows the disclosure. Remember, our basic rule is that you cannot disclose PHI without patient authorization unless a specific permitted disclosure rule applies. The permitted disclosure that applies to this question is the rule for disclosures for treatment purposes. Any communication about an appointment, whether a reminder or a follow-up, is part of the patient’s treatment, so you can make the disclosure without a patient authorization. But the meat of this question is really about whether the form of communication is allowed. Let’s look a little deeper at the law to see what it has to say about this.
The HIPAA Law
HIPAA does not explicitly prohibit using text or email for communicating PHI, but the technical safeguards in the Security Rule (45 CFR 164.312) do require providers to implement reasonable safeguards to protect ePHI from unauthorized access. Encryption is typically how this is done for email, but that doesn’t work for text messages. However, under 45 CFR 164.522(b), HIPAA requires providers to communicate with patients via less secure means if the patient requests it. So, under HIPAA, the only way you can send PHI via text is to have the patient request text message communications. It is an opt-in system, not opt-out. Before you ever send a text message to a patient, you need to have received informed consent from them: you must provide adequate warning of the risks inherent in text messaging, and the patient must acknowledge that they wish to use this form of communication despite those risks.
HIPAA doesn’t prescribe the exact wording for the warning text, but you need to hit a few key topics.
- First, you need to tell patients that text messages are not encrypted while in transit between you and them, and could be intercepted and read by someone else without them knowing it.
- Next, you should warn them that the messages are often not stored securely either. Messages are usually saved on every device we read them on, including smartphones that are likely not encrypted. Additionally, they are stored by the cell phone carrier.
- Finally, patients need to know that there is always a risk that their phone number may be typed incorrectly.
After you describe all these risks, patients can then give their informed consent to unsecured electronic communications. This is done with a simple statement that says something like:
"I understand the risks of unencrypted email and text messages and hereby give permission to communicate with me and share my protected health information via text."
Summary
To summarize: HIPAA allows (or actually requires) providers to send PHI via text message if the patient requests it and gives informed consent. Remember, even if you are using a third party to do the messaging, it is up to you to make sure you have proper consent from each patient.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted – but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.