From employees texting bosses to business owners texting customers, many of the unwritten rules and tentative boundaries that once defined who, and what, accounted for “appropriate” texting behavior have largely fallen away. Overall, that’s a welcome development for most folks who find the convenience, clarity, and quickness of texting preferable to voice-to-voice conversation.
But the healthcare system is a somewhat different story. Mobile texting’s rise in the world of hospitals, medical offices, and medical billing companies has been shakier than in many other industries, thanks to valid, worthwhile concerns over patient privacy and the sensitive nature of healthcare information at large.
Even if your healthcare establishment has a highly limited relationship with texting (i.e., it’s “frowned upon,” or only used for patient reminders and alerts), it’s worth revisiting what is, and isn’t, ok when it comes to texting among doctors, patients, and staff. Keep the following tips in mind whenever you unlock your smartphone to ping someone in your medical practice’s orbit.
First Comes HIPAA: The HIPAA/HITECH privacy and security rules cover any communications with electronic protected health information (ePHI) – including email, social media, and, yes, text messaging – and violations can earn you fines of up to $50,000. Text messages without PHI, however, are a-ok under HIPAA, even if they mention a patient’s name.
Then Comes Trouble: Stay mindful that even non-traditional privacy violations related to texting can put your practice in hot water over HIPAA. After learning that doctors at a nursing home had been requesting patient information be sent via text, the CMS intervened with a 10-point remediation plan that required the facility to retrain staff, appoint a HIPAA security officer, and revise its policies and procedures. Notably, it saddled the organization with the compliance program even without evidence that the PHI-loaded messages had ever been viewed by an unauthorized party. The lesson: lock up your texting now, since you don’t even have to ‘get caught’ to get in trouble.
But Compliance is Possible: If communicating PHI via text is vitally important to your providers (due to reasons related to geography, convenience, accessibility, or anything else), then you need to go about it with an eye for hyper-vigilant HIPAA compliance. Contract with a healthcare-specific texting service, making certain that their offering meets HIPAA’s minimum requirements, including:
- A high level of physical security, controls, and ongoing risk assessments for the service’s onsite or offsite data center
- Encryption of PHI both in transit and at rest
- Authentication of intended recipient’s receipt
- Controls enabling all messaging activity to be recorded and/or audited
Use Caution Beyond PHI: Don’t forget to stay diligent about all texting communications among your doctors and staff – even those that have nothing to do with patient health. Text messages are highly vulnerable to hacks, data breaches, and plain-old prying eyes – making common-sense caution a huge priority. Instruct your team to never share medical billing details, patient identifiers, or any financial information via SMS. If they do, they’re simply putting the financial health of your practice management (and your patients) at risk.