A few years ago, I received a text on my phone that clearly wasn’t meant for me.
I Googled the street address to see where the intended recipient had made the appointment referenced in the text. It was Planned Parenthood.
This was a huge privacy breach: the message contained her full name, the date of her appointment, and the exact address. Regardless of the circumstances, the “fat finger” mistake made when the doctor’s office mistyped the intended recipient’s phone number—possibly by only a single digit—illustrates how an innocent mistake could turn into a potentially terrible situation.
I’ve thought about this text a lot over the past couple of years. Text messaging is a preferred way for consumers to communicate with business in general, and according to this year’s State of Texting study by Zipwhip, two out of three consumers prefer to communicate about appointments through text rather than through email or phone conversations. It’s a great area of opportunity for practices and a huge convenience for consumers, but it also comes with some risk, especially given the sensitive nature of communications in our industry and our obligation to protect patients’ privacy. So to navigate the murky waters of texting with patients, I’ve asked HIPAA IT expert Rune Christensen to answer a few questions for us about how to use this technology while protecting patients and remaining in compliance:
Eva Sheie: What was the critical mistake in the text message above?
Rune Christensen: Texting appointment reminders has become the norm for most medical providers. As a patient, I love receiving them as I, like many, sometimes forget to pencil them into my calendar. For the provider, appointment reminders sent by text can reduce no-show rates and improve practice revenue.
Planned Parenthood’s critical mistake was disclosing PHI (Protected Health Information) in the message, resulting in the HIPAA violation. A first name AND last name combined is considered PHI because the patient has been identified. When sent via text, email, or instant messaging we call it ePHI. There are 18 different identifying types of information that is considered PHI. The most obvious are first and last name, date of birth, SSN, address and phone number.
Sheie: Are there specific standards for collecting and confirming mobile numbers that doctors should follow?
Christensen: There are no standards and HIPAA does not have specific rules for texting, which can cause uncertainty and confusion for providers.
As a general rule, text messaging is not considered secure because the information sent to a patient’s device is not encrypted. It is therefore essential that providers who want to text patients obtain written consent from the patient to do so. A solid consent form must be in place before texting. Have the patient write down their mobile number on the form to help ensure the mobile number is accurate (versus speaking it to you and typing it into your system).
Sheie: Can you give us other examples of typical mistakes that doctors or staff make with text messaging?
Christensen: One that catches a lot of people off guard is when an aesthetics provider takes before and after pictures at the request of the patient, and then texts those pictures to the patient’s mobile phone without written consent. Pictures that can identify a person is considered ePHI.
The key to compliance is to not send PHI in text messages. In your example above, a first name only would not have been as bad if the text is sent to the wrong number, and probably would not have been considered a HIPAA violation.
Sheie. Have you seen examples of doctors or staff that are doing it right?
Christensen: Absolutely. I know many providers who use the EHR system’s texting module to communicate with patients after getting written consent. The first text message is always a simple message stating:
‘You have signed up for text messages from Dr. X, to confirm reply yes’
No further text messages are sent until the yes reply has been received by the system. For providers without such a system, a similar manual process can be used to ensure the mobile phone number on file references the intended recipient.
Sheie: Given that many of today’s consumers want to be communicated with by text, how can we ensure it’s done in a way that protects patient privacy and stays within HIPAA guidelines?
Christensen: As mentioned above, have a solid consent form for texting that the patient agrees to. Train providers and staff what PHI is and how not to include PHI in texts. Use a built-in text system if available with your EHR system or subscribe to a HIPAA-compliant texting solution that ensures the texts are encrypted. Finally, make sure you include texting policies in your mandatory HIPAA policy set.
Sheie: Is texting with patients an all-or-nothing decision, or can you limit how you use it to minimize risk and/or follow specific communication standards?
Christensen: You don’t have to use text messaging for everything. You can limit your use of texting to some or all of the following functions:
- Sending and receiving appointment reminders and confirmations
- Questions and answers from existing patients
- Appointment scheduling for existing patients
- Responding to inbound leads
- Marketing to non-surgical patients in small batches (with their opt-in, of course)
Sheie: Are there any platforms or tools you like that make it easy to text with patients?
Christensen: I have seen a number of platforms appear and disappear in the past years. Some didn’t live up to their claims, and some have evolved into total medical team collaboration tools and communication platforms. In general, I have found that stand-alone platforms are more cumbersome and complex to use for both the provider and patient. I would recommend providers first check with their EHR or PM vendor to find out if they have a built-in text module. If not, consider finding a third-party vendor that integrates with the EHR or PM system.
Rune Christensen is a HIPAA IT consultant and healthcare technology expert based in Houston, Texas.