How to send HIPAA compliant SMS messages

HIPAA compliant SMS

Texting can be an incredibly helpful tool for healthcare providers. With open and reply rates of 98% and 45% respectively, it’s the most effective channel to communicate with patients and make sure important information is actually being received.

Take appointment scheduling, for example. A new patient comes to your site and sees an option to chat with a representative via text. After a few messages, an appointment is scheduled and the patient receives an SMS confirmation. The day before, an automated text reminder goes out to help reduce no-shows without having to call patients one by one - and no-shows, by the way, cause the U.S. healthcare system to lose $150 billion annually.

That’s all great. But there’s one caveat.

Because these types of communications often include protected health information (PHI), it’s required that healthcare providers and their business associates have procedures in place to ensure that PHI is being shared in a confidential and secure way. These procedures are regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Violating HIPAA rules can result in fines, civil and criminal penalties, or worst of all - the loss of patients’ trust.

In this article, we’ll briefly cover the basics of HIPAA and its implications for SMS communications with patients.

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act, and is a federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Is SMS a HIPAA compliant channel?

SMS is not inherently secure as a channel, because messages can be unencrypted and exchanged on personal devices.

However, there are ways to use SMS in a HIPAA compliant manner. To do so, healthcare providers need to a) make sure patients give consent to use SMS as a communication channel and b) use a business solution that has the right security guardrails in place to protect PHI.

How to choose a HIPAA compliant SMS provider

For an SMS provider to be HIPAA compliant, they need to go through a series of steps to prove that they’re taking the necessary precautions to keep PHI safe, such as encrypting messaging data and logging user activity on the platform. To confirm whether a vendor is in fact compliant, you can ask for their HIPAA report.

You can also check if vendors offer features like user management tiers, allowing only individuals with a certain level of access to see information that is exchanged on the platform.

Finally, you’ll also need to sign a BAA (Business Associate Agreement) with your business SMS provider, which is a written arrangement that specifies each party’s responsibilities when it comes to PHI.

Where can I learn more about HIPAA compliant messaging?

We have a comprehensive HIPAA article in our Help Center.

Avochato is a fully HIPAA compliant platform. Talk to us about HIPAA compliant messaging, or start your free trial today.