3 Do’s and Don’ts of HIPAA Compliant Text Messaging
By Gil Vidals | HIPAA Blog, HIPAA Hosting, HIPAA Text, Resources, Security

…and introducing HIPAA Text!


Hackers are surely an interesting bunch. 

On the one hand, they’re the ultimate attention seekers, who nevertheless don’t want to be known.   

On the other hand, they’re not naive. They know something about human nature: we all give our attention to what we value.  

Ask an alien who just landed here what that might be. Or, walk into any waiting room or visit the DMV (ugh) and observe. What do you see? Nearly everyone is staring at a screen. 

Before we jump to conclusions, let’s look for the good: 

Maybe we’re taking the chance to reconnect, strengthen the bonds of relational currency. We may be reading a great book, researching our latest DIY project, or learning another language. Hopefully, we’re taking a second to say je t’aime to someone who needs to hear it.   

For others, it may be boredom, a constant need to be entertained: endless distraction, through escapism, from Socrates’ famous dictum, “The unexamined life…” The reasons are worth noting.

Indeed, the illusion of omniscience (just Google it!) is alluring, and we yearn to fix the world. But knowledge is not the same thing as wisdom.

Our point is, whatever ocean we’re swimming in, the undertow that drags us toward the device is strong.  

Your Attention, Please

And that’s just what the hacker is counting on. They’re betting you’re already looking in the right direction.

This is especially so with messaging because texts get read. 98% of them, in fact – typically within a few minutes of being received. It’s a marketer’s (and hacker’s!) dream.

But how does this apply to texting and healthcare? Should providers rely on texting at all?

After all, providers do prefer texting; so do their patients. 

A survey of “770 hospital professionals and 1,279 physician practices indicated secure texting is becoming the first choice to send information while keeping sensitive data secured.”

So what’s the concern?

Save Yourself!

The issue is, getting your attention is the first goal of social engineering – the art of the scam. 

One danger is “smishing” – a portmanteau of “SMS” (short message service, the technology behind texting) and “phishing” (the practice of deceptive communications, often through email).

If you’ve ever mistakenly clicked on a link, you know how easy it is to be manipulated. 

You see, what hackers understand is that FOMO (fear of missing out) and shaming are powerful incentives. 

Like the original Listerine ad that targeted women who would “never get a husband if they had bad breath,” you need this! You don’t want to miss the chance of a lifetime, do you?

In this sense, what has been said of advertising might equally apply to a smishing or phishing scam: 

“The idea was that these products would deliver some form of salvation to whatever ails the consumer, and they were quite explicit about this.” – Tim Wu, Author of The Attention Merchants 

Act Now!

Which leads us to the hacker’s second goal: to create a sense of urgency.

“Your health is at stake! Click here to get a Covid test!” or, the classic “Your bank account has been placed on hold. Click here now!” Or even, “A tax rebate has been issued to you for overpayment. Click the link to continue.”

You say, “Ok, the Covid smishing thing was especially low. But are there other concerns I should have about texting in healthcare?”

How about this scenario: Out of the blue, your patient receives an “urgent text” from you – the health provider or insurance company – asking them to provide personal details. How will they know it’s not really you?   

In this way, the hacker capitalizes on our smartphone attentiveness and urgency to shamelessly exploit human vulnerabilities along with your data. 

They appear to address a need you didn’t even know you had. 

A Big Problem

Lest you think all this is a minor problem, Experian reported that in 2021, 

“87.8 billion smishing attacks resulted in $10 billion in estimated consumer losses—a 58% year-over-year increase in spam texts.”

In late 2021, “a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world [operated by Syniverse]… quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide.”  

For healthcare, HIPAA violations have also brought significant fines. Consider the $3 million HIPAA penalty assessed to the University of Rochester Medical Center (URMC) for the failure to encrypt mobile devices and other HIPAA violations.

Add to this the potential lawsuits from those who’ve had their ePHI compromised, and a loss of business reputation for the healthcare provider – including an inability to maintain your practice – and the damages can add up quickly.

So Why Continue Texting?

And yet, the benefits of texting are also clear:

  • Consumers like doing business by texting: 98% of consumers who text expect healthcare to follow suit and provide the same kind of responsiveness with texting that other industries and businesses provide. 
  • Patients appreciate that they need not interrupt their workday or other activities to communicate.
  • Texting is effective, with successful contact rates of 97–99%. This has led many to say that “Texting is the new phone call.” 
  • Most texts are read within minutes of being received. In fact, the response rate with a text is over 200% higher than with a phone call. (Smart marketers know this, and increasingly rely on texts to convert leads). 
  • Appointment reminders, rescheduling, pharmacy prescription notices, and provider updates can all be done via text. This saves valuable staff time and avoids the inevitable “phone tag,” saving time and provider costs.   
  • Patient engagement and experiences are improved; more positive reviews result. Texting is faster than requiring a patient to log in to a portal to receive updates, which improves engagement and helps to streamline care.

All of this led the Centers for Medicare and Medicaid Services to issue a clarification in 2017 regarding texting patient information among healthcare providers:

“Texting patient information among members of the healthcare team is permissible if accomplished through a secure platform…”

“Texting cannot substitute for a dialogue with a colleague concerning a patient. If the matter is critical or you have any doubt about the communication, it is best to speak directly with your colleague.”

The Do’s and Don’ts 

So we find that texting is, in fact, greatly beneficial to healthcare – provided the following Do’s and Don’ts are observed:

3 Don’ts

  1. Don’t rely on a standard texting service, as it’s inherently insecure. 

As many as 30% of healthcare providers think – incorrectly – that consumer texting programs meet HIPAA security requirements. Yet standard SMS/MMS text messages are not encrypted – a violation of HIPAA. 

In addition, your messages are sent over open networks, which makes it much easier for hackers to steal your data. Your cellular provider actually has the ability to read the messages you send and receive, and they store this data in their systems.

  2. Don’t fail to do a risk assessment of your practice!

Texting may be ubiquitous for both staff and patients, but it’s critical to safeguard your practice by conducting a regular risk assessment. Don’t forget to review all appropriate security measures, including ensuring that encryption has been enabled on all mobile devices; setting the screens to lock automatically if inactive; and implementing a remote wiping function if the device is lost.   

Also, do you have a stated texting policy (attestation document) that clarifies acceptable communications and applications used in conjunction with texting? Does your staff know when a phone call is more appropriate? Do they understand who the approved recipients are? Providing regular education about texting “safe practices” is critical. 

  3. Don’t include anything in a text that wouldn’t be added to the medical record.

Providers do well to remember that if communication about patient care can be made in person or by person-to-person phone call, they should do so. If not, the following advice from healthcare professionals applies: 

“If texting is the only way to communicate, keep texts brief, professional, and to the point. If you would not document the communication in the medical record, do not say it in a text message. Avoid expressing your opinion in a text about the care others have provided, unexpected events, or possible errors. Instead, communicate your understanding of events using an appropriate format, such as in an incident report or during a post-event investigation.”

3 Do’s 

  1. Do use a HIPAA-compliant text service with a secure platform (like HIPAA Vault!) that offers you a BAA. 

As privacy is paramount, a HIPAA-compliant text messaging vendor like HIPAA Vault will use a protected system with a secure server for the storage and archiving of text messages. 

Other key features of a HIPAA-compliant texting solution will include:

  • Encrypted messaging
  • A secure sign-on process/authorized users only
  • Audit controls; delivery and read receipts
  • Date and time stamp
  • Customized message retention time frames

It’s important to say that the use of a HIPAA-compliant text messaging vendor must still be accompanied by appropriate user practices. These include:

  • Devices with multi-factor authentication (MFA)
  • Minimizing identifying patient details in texts
  • Never providing a password or account recovery code via text
  • Double-checking your recipients in the “To” field so as not to send private data to the wrong person 

  2. Do ensure text messages are retained and integrated with the patient record.

“Text messaging raises records retention concerns. Text messages discussing patient medical information should be incorporated into a patient’s medical record. Retention of protected health information is governed by a variety of state and federal laws. For example, state medical records laws and Medicare regulations address how long protected health information held by medical providers must be retained, and there are other laws regulating how long health plans must retain participant records. Text messages can be easily deleted. Failure to retain medical information could create records retention issues under state and federal laws.”

A HIPAA-compliant texting solution that will automatically integrate texts into the EHR is therefore ideal.

“Text messaging can create malpractice risks for a physician or burden of proof problems in a trial. A medical provider may provide incoherent text messaging concerning a patient’s medical care to another provider. This could create problems if the patient does not receive the right treatment or if the text message is not interpreted correctly. If there is a malpractice case concerning the physician’s care, it would be regrettable if the physician put herself in the position of needing text messages but copies of the text messages were not retained.”

  3. Do provide regular training for your staff!

Training staff to protect patient privacy will be critical to successful communication with texting. Points to cover include:

  1. Training on the HIPAA-compliant texting solution, and awareness of the risk associated with a breach of PHI
  2. Review of policies and procedures, and types of patient information that can be exchanged via text
  3. Limiting the amount of PHI sent and received; keeping patient identifiers to a minimum
  4. Maintaining strong password policies
  5. Ensuring device safeguards and mandatory phone encryption

An Extension of your Team

Text messaging is helping to speed healthcare delivery in unprecedented ways. We’ve also noted the potential risks that must be assessed and addressed.

HIPAA Vault knows that health emergencies don’t stick to a convenient schedule – that’s why we’re available 24/7, with personal, dedicated support. We exist to help keep your practice going, and your patients receiving the important care you provide.


Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on LinkedIn.