Guidelines For Developing a HIPAA Compliant Text Messaging Policy
Include text messaging in your practice’s electronic communication policy, in addition to policies for email, social media, and the patient portal. Make sure a qualified healthcare attorney, familiar with privacy and security laws in your state, reviews the policy prior to implementation.
Address these Issues:
- Who in the practice is authorized to text message with patients?
- What type of information is appropriate for texting? Clinical and financial questions? Product reorders? Surgery scheduling?
- Who reviews/responds to patient text messages? Who has access to them?
- How fast will the practice respond? After hours? On the weekend? Next business day?
- Will you allow communication using Protected Health Information (PHI)?
- What happens if a patient sends an inappropriate question, or an inappropriate photo by text? How does the practice handle it?
- Are texts sent on practice-owned mobile devices, personal devices, or both?
- What kinds of patient texts trigger staff or the physician to call back instead of text back? Don’t just say “emergencies.” Clarify what you mean. These days people text back and forth about serious issues all the time – they may do the same if they have significant pus coming out of their wound.
- How are text messages moved to the patient record?
- What is the process for doing so? How often and by whom?
- Where are text messages archived and how often? Local server? Cloud-based storage?
- How frequently are text messages deleted from mobile devices? Describe the process, how frequently it occurs, and who monitors it.
Customize these Statements:
- The practice sends/receives unencrypted, unsecured text messages only with patients who have signed a statement that explains the risks inherent in unencrypted, unsecured messages. (See #3 in the Practice Brief for a list of these.)
- The practice owns all text data messages and attachments, including images and videos, sent to and received from patients, even if the text messages are on a personal device.
- The manager or physicians can ask to review text messages and data at any time.
- Use of the mobile device (personal or practice-owned) is covered under the practice mobile device policy. (This policy includes details such as password protection requirements, what happens if it is stolen, device upgrades, etc.)
- All mobile devices used for text messaging with patients are encrypted and secure. (Explain how this is done and which encryption software is used.)
- All data from text messages is included in the patient record. This includes text and images. Describe the process, how frequently it occurs, and who monitors it.
To get assistance with creating and managing your organization’s policies, give our HIPAA Compliance Officer a call directly at 888-959-0220.