Are you texting patients? Make sure your texts are HIPAA compliant

Are you texting patients? Make sure to stay on the right side of HIPAA regulations

These days, convenience is king. We buy clothes, order groceries to our doors, and stream music, shows and movies without ever setting foot in a store. Instead of picking up a phone and waiting on hold, we often prefer to fire off a quick text. And people who work in healthcare aren’t immune. In fact, a 2018 survey of 775 healthcare professionals found about 85 percent of hospitals and 83 percent of physician practices used texting platforms to communicate internally or with patients and their families.

Patients love the ease of texting as well. In a 2021 survey, 76 percent of respondents said they use texting to help manage their healthcare needs.


But this convenience comes with a price. When handled incorrectly, texting can expose protected health information (PHI) and violate the Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA. Violations of HIPAA can come with penalties ranging from fines of up to $50,000 per day the breach is not corrected to jail time, depending on severity. Close to one third of the respondents from the same 2018 survey said they have received an unsecured text that contained identifiable health information.

Here’s how to be HIPAA compliant while enjoying the speed and convenience of texting.

Use a secure platform

You won’t find savvy healthcare workers texting patients the same way they’d text their friends and family. Anyone could pick up their phone and suddenly have access to the patient’s medical information. The messages could be sent to the wrong phone number or forwarded to someone else without the patient’s consent. Standard short message service (SMS) and instant message (IM) texts also remain on the service provider’s servers indefinitely with no way to redact them.

How do I make my text messages HIPAA compliant?

Instead, most rely on secure HIPAA compliant text platforms. They’re protected by passwords and monitored to ensure they are only accessed by authorized personnel who need the information to do their jobs. They also use encryption that prevents protected information from being copied and makes it unreadable once it exits the organization’s firewall. Most automatically log users out after a period of inactivity.

Ask for consent

You should never text a patient without getting their consent. The first step is to explain the kinds of information you intend to send via text and some of the measures in place to ensure the safety of the communication. It’s also important to clearly explain what information you intend to share via text. Some patients may be fine with receiving a text reminder of their next appointment, but not with receiving PHI, such as names of medication they take, that way. The best practice is to provide tiered consent options. Patients should have the power to opt in both to receiving text messages at all and to receiving texts that might contain PHI. They should also be offered the chance to opt out from either tier at any time.

Control who has access

Just because you’re using a secure texting platform doesn’t mean you’re not in breach of HIPAA. Allowing employees who do not strictly need the protected information to access it can lead to issues as well. The most secure platform in the world isn’t any good if it’s open to everyone from doctors to the janitorial staff. So, control permissions for the system so only those who need it can access it. You should also monitor who accesses it, when, and for how long. And double-check that the information is being texted to the correct recipient every time. A wrong number can undo all the hard work you’ve put into security.

Reconsider the information you send

The best defense against PHI getting into the hands of the wrong person is not to send it at all. Even with the best safeguards, leaks can still happen. So, consider limiting the information you send via text to types that don’t contain PHI. You can send reminders about appointment times and prescription refills (without naming the prescriptions) and announcements that test results are ready and can be obtained by calling the office, all without those severe HIPAA violation consequences. Limiting the kinds of data you send via text lets you and your patients benefit from the convenience of texting while adding an extra layer of protection for sensitive health information.

How can I learn more?
The path to safe texting starts with the right ophthalmology practice management software. Yours should come with secure communication functions baked in. To discuss your options, contact Eye Care Leaders.
