Patient Engagement

Maintaining HIPAA Compliance with Patient Communication

One of the most pervasive myths about texting for FQHCs is that it inherently violates HIPAA, the Health Insurance Portability & Accountability Act. That’s understandable since the act was signed into law in 1996 — well before texting became mainstream. Despite this timeline, there are many ways to use texting in HIPAA-compliant ways. 

For FQHCs that want to tap into all the benefits that text messaging provides in communicating with underserved populations, there are multiple options to do so while respecting your patients’ privacy and complying with regulations. First, let’s look at how texting relates to HIPAA compliance.

Does Texting Violate HIPAA? 

The short answer is no, texting does not inherently violate any HIPAA regulations. But it is an unencrypted form of communication, so HIPAA applies in specific ways. 

HIPAA privacy regulations protect the confidentiality and security of protected health information (PHI) during its receipt, transfer, handling, or sharing. They apply to all PHI, including oral, electronic, and paper formats. This means that texting only intersects with HIPAA regulations when PHI is being transmitted and when it’s being transmitted to certain recipients. It is completely possible to use text messaging as a component of a HIPAA-compliant communications strategy.

For example, it’s fine to send messages that don’t include “personal identifiers”. (More on this shortly.) This includes updates like health center hours during a renovation and health education programs.

It would also be OK for a doctor to text a patient as long as the patient has been notified of the risks of sending personal information through an unencrypted method. A good illustration of this lives in the CareMessage platform. We are HIPAA-compliant, meaning the data in our web-app is protected and encrypted. However, since text messages are unencrypted (sending encrypted texts requires a secure, internet-based messaging app that could be a financial burden to many underserved users), we do not send messages with PHI or any personal information that would identify a user or patient. We also encourage our partners to establish a review process for their communications to make sure they’re comfortable with the content. The CareMessage platform also offers staff restrictions to ensure that only authorized staff members are able to message patients.

Additionally, it’s ok to send texts when mechanisms to comply with the HIPAA Security Rule have been put in place.

All this said, there are some special considerations to make for texting.

The Content Question

Content is king in regard to HIPAA-compliant texting. This means understanding what constitutes PHI is the first step in maintaining the highest levels of HIPAA compliance possible at your FQHC. Here are the 18 identifiers that qualify information as PHI.

  • Names
  • Dates (except year)
  • Telephone numbers
  • Geographic data
  • FAX numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (such as retinal scans and fingerprints)
  • Any unique identifying number or code

So, for example, sending a patient a general appointment reminder for an upcoming foot exam is OK (as long as it doesn’t specify the reason for the visit). Sending them their HbA1c results via text is not.

Potential Risks and How to Manage Them

So what’s the risk when you violate a HIPAA regulation as an FQHC?

You’ve likely heard stories of FQHCs receiving high penalties for HIPAA violations. In many of these cases, the penalties were due to the health center not responding to existing violations that they were already aware of. Maintaining HIPAA-compliant patient communication is highly possible, especially with vendor partners who understand FQHC security challenges and are willing to share best practices to help you in your compliance journey — something we prioritize at CareMessage.

FQHCs invest years and decades building goodwill with patients who are likely to have low levels of trust for healthcare providers. Training your staff and managing risk through technology and process improvement in ways that protect against breaches and potentially damaging identity theft help to uphold the high standards of trust you’ve worked so hard to achieve.

Secure Texting for FQHCs

At CareMessage, we take your patients’ privacy and security seriously.

When we collect, maintain, access, use, or disclose your patients’ PHI, we use systems and processes that align with information privacy and security requirements under applicable federal and state laws, including, without limitation, HIPAA. We also default to allowing your patients to "opt out" after they receive a welcome message so that only people who are comfortable exchanging information via text message remain engaged in your texting programs.

We can also support you in properly informing patients of the encryption risks and precautions they should take when communicating their PHI. If you’d like more information about what that should look like for the unique needs of your FQHC, fill out the form below and we can start a discussion. 
