Many people, and that includes patients, prefer to text because it’s quick, easy, and convenient.

Texting is incredibly effective for medical practices for things like scheduling, ongoing care, and more. You should be texting, but you have to make sure you’re staying compliant with HIPAA, or the Health Insurance Portability and Accountability Act, while you do it. This is especially true when texting about a patient’s care that may include personal health information (PHI).

By implementing these five best practices, providers can remain compliant with HIPAA while also satisfying patients eager for convenient care.

But before we even get to the list below, let’s address the biggest potential HIPAA foul providers can make when texting patients: Never text them from a personal device that’s untethered from a HIPAA-compliant system. Data sent directly from a personal device can too easily be intercepted by the wrong parties. If you’re going to text with patients, you’d be best served by implementing a practice-wide texting software solution (more about this in Step 4).

1. Establish a list of authorized employees who can access patient conversations.

You need to determine who has access here: specifically, who should and who shouldn’t be viewing patient conversations.

Authorized employees would ideally include healthcare practitioners, as well as office administrators and front desk workers who are in charge of scheduling and communicating with patients. Billing and collections department personnel don’t necessarily need to see patient conversations with nurses. So, it’s important to determine which of your staff should actually have access to patient conversations, and who should be sending or managing those conversations day-to-day.

Each department should have its own dashboard to communicate with patients. Within a HIPAA-compliant texting platform, physicians’ practices and hospitals can assign all authorized users their own dashboards so that conversations can be kept separate.

What matters most is making sure that patients know who they’re communicating with, and making sure that a manager or administrator can tell who said what to whom and when. You also need to make sure that messages are encrypted and secure, but we’ll cover that more in a minute.

2. Make sure that patients are opted-in to receive text messages.

Patients want to text with providers, and so a “paper trail” of opt-ins needs to be created. Texting without their consent can become a liability and a violation of HIPAA standards.

The easiest way to ensure that patients are opted-in is to request their consent when they’re filling out paperwork in your office. The question can be: “Would you like to receive updates via SMS?”

Alternatively, by implementing an online SMS chat on your website, patients can be encouraged to text providers themselves. This way, patients can reach out to you on your website with any questions they may have. SMS Chat increases the chances of patients reaching out and booking appointments, which of course boosts provider revenue.

Patients need to opt in to receive texts, but it’s also recommended that providers get express permission from patients to share PHI before texting them about their care.

3. Request proof of identity before sending and receiving text messages.

It’s important to make sure that the text is going to the right patient. So providers need to confirm the patient’s identity by asking for simple credentials, such as their date of birth.

Keep contact information current by asking patients to update their paperwork when they come into the office in person. If providers haven’t seen patients in a while, this is also a great excuse to re-engage them via text. You might reach out to confirm their name or address or see if they want to schedule their next visit.

4. Implement a secure, encrypted text messaging platform.

HIPAA regulations for texting are all about security and encryption. Providers need to make sure that messages are permanently recorded, searchable, and encrypted. In other words, make sure you keep patient records without other parties being able to access them.

Personal smartphones won’t cut it. It’s going to take extra layers of security to maximize protection, layers you can only get with a HIPAA-compliant, secure text messaging platform. Once a system-wide platform is implemented, providers can use their own devices to text patients as long as they are using the encrypted platform.

Tampered or destroyed messages can leave PHI at risk, as well as your practice. Patient information is sacred, and should always be treated accordingly. An encrypted text messaging platform helps ensure this, and also helps you avoid the risk of data breaches.

5. Use texting as a way to send advice and pro tips.

Through texting, providers can engage patients outside of their appointments. This demonstrates that the care team truly cares about patients’ wellbeing even when they don’t have any immediate appointments scheduled. This also helps to build patient loyalty for a provider group.

In fact, texts have a 99% open rate, compared to only 5% of calls answered and 15% of emails opened.

It’s cheaper to have patients continuously come back rather than trying to find new ones. A 5% increase in customer retention can increase profits by 25%-95%, whereas acquiring new customers costs 5X-25X more.

Allow patients to opt-in to a text subscriber list so that they can receive pro tips from you. At the end of their appointment, providers can send them a link to a review page along with an option to opt-in to your subscriber list. You can also verbally tell them about it, and ask them to subscribe then.

“Hey, [Patient]! Would you mind leaving us a review? [Link] If you want to receive texts from us about everyday care, text CARE back to this number!”

Send patients things like infographics and tips to educate them on the importance of care, depending on what each practice or group specializes in. Small nudges like this can go a long way for providers’ practices. As long as providers remain HIPAA-compliant, they will be able to text patients with ease and see all the benefits that it brings, including stronger patient loyalty, more revenue, and more referrals.


This post, Follow These 5 Steps to Ensure HIPAA Compliance When Texting Patients, was first shared on MedCityNews on August 17, 2021.