Close this search box.

HIPAA, Text Messaging, and Your Practice: 5 Compliance Tips

A Header Image Featuring A Rehabilitation Physical Therapy Patient In Activewear, Using Their Cell Phone To Text A Provider. The Headline Reads: &Quot;Hipaa Text Messaging And Your Practice 5 Essential Compliance Tips&Quot;

You do it. We do it. 81% of Americans do it. Call it what you will–SMS, texting, messaging–but there’s no denying that it’s simply a part of daily life.

For outpatient rehabilitation therapy practices, text messaging can be an indispensable tool. As your practice grows, you can automate text appointment reminders or patient engagement campaigns. Even compared to tried-and-true email marketing, texting has its advantages–like six times the average click-through rate!

Of course, if you’re going to do something, you’ve got to do it right. Especially in healthcare. To connect with patients and reap the rewards of SMS text messaging solutions, you must first take the necessary steps to ensure HIPAA compliance and protect patient privacy. 

So how do you achieve compliance in patient texting? Read on to discover five best practices to remain HIPAA-compliant as you implement SMS into your patient engagement strategy.

1. Understand HIPAA Text Messaging Rules

The first step, before anything else, is to understand why it’s so important to comply with HIPAA text messaging rules and regulations. The benefits of adopting modern technologies–like text messaging platforms–are undeniable. However, healthcare providers and other entities under HIPAA must understand the risk that “advances in electronic technology could erode the privacy of health information” (U.S. Department of Health and Human Services).

Who is considered a “covered entity” under HIPAA?

If you’re employed by any hospital, outpatient practice, clinical lab, or health center in the U.S., you’re probably quite familiar with HIPAA regulations. Covered entities under HIPAA include healthcare providers, clearinghouses, and health plans.

Additionally, any business or organization that deals with protected health information (PHI)–including electronic (ePHI) data–is also subject to HIPAA regulation. Simply put, these “business associates” are subject to the HIPAA Security Rule and Privacy Rule, just like healthcare providers. 

“A ‘business associate’ is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”
U.S. Department of Health and Human Services (HHS)

That includes electronic medical records systems, like Raintree’s EMR for Therapy and Rehab, which store and manage secure databases of health information. Together, we’re all responsible for protecting sensitive patient data.

What are the consequences of HIPAA non-compliance?

The consequences for HIPAA violations reflect the weight of responsibility that comes with protecting PHI.

HIPAA fines can be as high as $1.5 million for serious violations, but financial penalties aren’t the only consequence. Violations can result in ongoing oversight by the Office for Civil Rights, as well as negative publicity. The result of non-compliance, aside from the financial and administrative consequences, is the possible loss of patient trust.

So, how do you keep your practice from unintentionally violating HIPAA while sending texts to patients? A secure messaging platform, designed specifically to meet the requirements of your practice, is a necessity.

2. Utilize Secure Messaging Platforms

Compliance starts with the right systems. Not just any messaging app will do. Healthcare practices need HIPAA-compliant technology. As stated by the HHS, HIPAA rules generally require “business associates enter into contracts to ensure that the business associates will appropriately safeguard protected health information.” These contracts are known as Business Associate Agreements (BAA).

The right system should be secure. Patient engagement suites like Connect™ lower the risk of data leaks with encryption.

Illustration Hipaa Compliant Data Encryption For Emr And Patient Engagement

Data encryption converts your messages, directory information, and other proprietary information into an unreadable format. Encrypted texts are protected from being stolen, changed, or compromised on the way to their intended recipients. 

Beyond encryption, advanced security measures protect your practice and your patients from unauthorized disclosure of PHI. Features of a HIPAA-compliant text messaging system may include:

  • Secure databases. When you use a HIPAA-compliant service secure messaging system, the data is stored securely on the vendor’s servers. In contrast, if you text a patient with your personal cell phone, the data is stored on your cell phone carrier’s servers and this is a HIPAA violation.
  • Time-out functions. These automatically log users out after a certain period of inactivity.
  • Granular user permissions and access controls. Ensure that access to PHI is limited to authorized users.
  • Audit logging. All systems that contain PHI must have an audit log to prevent unauthorized access and allow forensics in the event of a security incident.

Protecting patient data is the top priority, but there are additional benefits to investing in a patient communication system that’s tailored to your medical specialty. Connect™ offers game-changing tools like two-way texting, patient engagement campaign templates, telehealth, and more–all on the same platform as our powerful EMR.

3. Clarify Patient Preferences

Implementing secure texting software is just the start. You can’t kick off any campaigns without your patients opting in!

Your patients have an unwaivable right to the security and privacy of their health information. As such, HIPAA requires covered entities to request patient preferences for communication. Whether it be email, voicemail, snail mail, or text, patients must opt in to receive messages from your practice.

Before texting patients, you should also allow them to select preferences regarding the types of communication they may receive (e.g. marketing, appointment reminders, or other topics). For a streamlined experience, collect patient preferences during the initial intake process.

From then on, patients should be able to change their preferences, opt out, or update their contact information at any time. Offering a modern patient portal is a great way to provide ease of access to communication preferences, alongside health records, scheduling tools, and more.

4. Train and Educate Staff on Texting Policies

Staff training is an integral part of HIPAA Administrative Safeguards. It ensures the workforce adheres to and enforces various safeguards when handling patient information. HIPAA’s Security Rule mandates covered entities to provide security training to all workforce members, as well as periodic retraining.

Illustration Secure Text Messaging For Rehabilitation Therapy Outpatient Practices

For your physical therapy and rehabilitation practice, consider additional training and security measures such as:

Implementing internal policies.

Set practice-wide standards regarding personal devices and communications. Texts between colleagues on personal devices may seem convenient and “private,” for example, but they’re not a secure and protected texting solution.

Emphasizing personal responsibility.

Don’t forget: HIPAA doesn’t just affect your organization. Individuals found responsible for violations can also be subject to termination of employment, financial penalties, or even jail time.

5. Conduct Risk Assessments

Regular risk assessments are necessary to identify security gaps and avoid breaches. Rehabilitation practices can oversee risk assessments for physical, technical, and administrative safeguards by:

  • Defining the accessible PHI
  • Assessing the security measures
  • Identifying the gaps
  • Evaluating the risks
  • Documenting the assessment
  • Implementing security measures to safeguard PHI

This may seem like quite a task. Thankfully, we know at least one way to make it simpler. With our certified electronic health record (EHR) technology (CEHRT), Raintree can help reduce your risk assessment burden. All certified EHRs attest to regular security risk assessment, meaning that we work diligently to review and ensure the safety of your systems.

Frequently Asked Questions

What are the benefits of text messaging for patient engagement?

Undraw Respond Re Iph2

Text messaging is a quick and direct communication channel that can form part of your patient engagement strategy. It’s often a more convenient communication method for practitioners and patients alike. Offering text messaging options allows your practice to meet the needs and preferences of patients who prefer this mode of digital communication.

Does HIPAA allow text messaging?

Text messages aren’t specifically prohibited by HIPAA laws, but practices still need to take responsibility for protecting patient health information. As long as administrative, physical, and technical safeguards are in place to ensure patient privacy and security, healthcare organizations can use text messaging to communicate with patients.

When is it OK to text patients?

Rcm And Billing Computers

Your practice may communicate with patients via text messaging, but you must:
• Utilize a secure platform provided by a HIPAA-compliant business associate
• Confirm patient communication preferences
• Implement practice-wide texting policies and conduct staff trainings
• Undertake regular risk assessments

Can you send PHI via text?

It is possible to send messages containing PHI, but it must be sent via a secure messaging service with user-confirmed preferences in place.

How do I send HIPAA-secure text messages to patients from the office?

Undraw Engineering Team Re Fvat

If your practice would like to start sending text messages as part of your patient engagement strategy, the best option is to use a HIPAA compliant texting service, like Connect™.

What is an example of a HIPAA violation in text messaging?

Texting a patient’s name or any personally identifiable health information from a personal cell phone or unprotected texting platform violates HIPAA. Without a HIPAA-compliant system, the transmitted data may be at risk of security breach, modification, or other unauthorized access.

Can providers text each another about their patients?

When unable to communicate face-to-face, healthcare professionals can only discuss patients’ protected health information using a HIPAA-compliant messaging system. Providers, including rehabilitation therapists, should never discuss identifiable patient information via texting apps, personal phones, or other mobile devices.

Best HIPAA Compliant Text Messaging for Therapy and Rehab Practices

Connect™ is a patient engagement suite that covers all your communication needs, from automated messaging–like appointment reminders, waitlist engagement, and post-visit surveys–to telehealth features and patient portals that your patients will love. The two-way texting feature allows patients and providers to send and receive messages, creating simple, secure patient-provider communications.

People Chatting Via Mobile Device

Raintree Connect™ is everything you can ask for in a patient engagement and messaging solution. Why not see for yourself?

This blog was created for educational and informational purposes only.  The information provided does not constitute or, is not intended to constitute, legal or medical advice. When you read this information, visit our website, or access our materials, you are not forming an attorney-client, provider-patient, or other relationship with us.

Table of Contents

Rehab Therapy Insights in Your Inbox

This field is for validation purposes and should be left unchanged.

Get Rehab Therapy Insights in Your Inbox

This field is for validation purposes and should be left unchanged.

Blogs are created for educational and informational purposes only.  The information provided does not constitute or, is not intended to constitute, legal or medical advice. When you read this information, visit our website, or access our materials, you are not forming an attorney-client, provider-patient, or other relationship with us.

A simple mockup of an eBook titled: The Impact of Customer Experience on Practice Revenue."

Wait! Want to boost your revenue and patient satisfaction?

Don’t leave without this free guide for PT, OT, SLP and multi-disciplinary therapy.

Please enter a valid phone number. Do not include - or ().
This field is for validation purposes and should be left unchanged.