Q&A: Communicating with patients via text
Q: Is texting an acceptable way to communicate with a patient? Do we need to ask the patient to sign a form with a statement to the effect that they prefer that we text information on test results, etc., rather than leave a voicemail asking them to call?
A: Sending unencrypted text messages to patients falls into a similar category of sending unencrypted emails to patients. OCR weighed in on encryption in 2013 as part of the preamble to the Omnibus Rule and again in 2014 in the preamble of the final HIPAA Clinical Laboratory Improvement Amendments of 1988 Rule. OCR views encryption as a reasonable safeguard, in essence stating that even though encryption is an addressable implementation specification, OCR intends to enforce the rule as if encryption is required.
Secure texting tools have come a long way over the past few years. There are good tools available on the market, and they don’t break the bank. We’re moving to a point where OCR will likely take the same position as with email—where encryption is required.
It is advisable to request the patient sign a form indicating their communication preferences such as the practice of sending an email or a text message with updates that include PHI. That way you can also communicate to patients the risks associated with unsecure text and email messages. That’s the proof you need on hand if a patient later indicates you never informed him or her of the risks associated with sending PHI over the internet or via cell towers unencrypted. If your text only includes a message such as, “A new test result is available through our patient portal,” that reveals no PHI and is an acceptable method of letting patients know there’s new information available for their review.
Editor’s note: Chris Apgar, CISSP, is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com.