HIPAA Compliant Texting

Phone calls have made medicine infinitely more efficient, but it has its downfalls, like playing phone tag and full voicemail boxes. 63% of patients state they prefer texting over calling.

Texting and video calls take technology in medicine to the next level. With these new convenient care options come new risks. How can you text safely with patients and colleagues within HIPAA guidelines?

HIPAA compliant text messages must follow certain guidelines, including:

Secure software is also essential in HIPAA text messaging. Most healthcare organizations use a HIPAA compliant messaging app. Some of the best healthcare secure messaging apps on the market include:

LumaHealth
TigerText
Zinc
Notifyd
OhMD
Providertech
Spok

Below, we will briefly discuss the rules regarding HIPAA and text messaging, including which types of text messages that are healthcare-approved and why.

Next, you will find a guide of best practices for HIPAA text messaging, which you can bookmark to reference when texting patients and colleagues in the future.

Finally, we will reveal our top-rated HIPAA compliant texting apps, and what features set them each apart, so you can choose one depending on your needs and preferences. We will also address other HIPAA-technology FAQ.

HIPAA and Texting: Is it Allowed?

Because HIPAA does not specifically mention SMS messaging, the topic of HIPAA and texting is leaving many healthcare providers completely bewildered.

If you research HIPAA compliant messaging, you’ll find mixed conclusions. Some individuals claim that it’s safer for healthcare providers to avoid text messaging altogether, while other data shows that even unsecure healthcare messaging is not strictly a HIPAA violation.

Confused yet? HIPAA and texting seems like an intimidating topic at first glance, but there’s no getting around confronting it in the midst of the evolution of telemedicine.

While texting patients or colleagues is not necessarily a HIPAA violation, it is likely that it will become a HIPAA violation unless proper precautions are in order.

Whether or not texting is HIPAA compliant depends entirely on the content of the messages, the recipients, patient consent, and security measures.

With telehealth growing at an astounding rate, healthcare secure messaging is not only useful, but essential.

Why is HIPAA and Texting a Problem?

There is nothing wrong with physicians using text messages per se, but it is far too easy to slip into HIPAA violations when text messaging. Why?

Texting breaks HIPAA rules if the messages contain any protected health information which a patient has not consented to texting. Unless a text message is encrypted and properly secured (and traditional SMS messages are not), it may very well be a HIPAA violation.

It’s important to note that healthcare secure messaging is not only regulated by HIPAA, but healthcare organizations are also subject to the Telephone Consumer Protection Act (TCPA). TCPA has requirements in place for organizations and sales companies, such as avoiding calling before 8 AM or after 9 PM, or not contacting those on the “Do Not Call” list.

Some of the TCPA regulations on healthcare secure messaging state that voice calls and text messages must...

State the healthcare provider’s name and contact information
Not include any telemarketing or solicitation
Comply with HIPAA privacy rules
Be concise -- 160 characters or less for text messages

A healthcare provider may initiate only one message per day, up to a maximum of three voice calls or text messages per week. These are just a few of the TCPA regulations on healthcare secure messaging and calls. You can read more on this NAHAM checklist.

Drawbacks of Texting in Healthcare

It may be safer for Covered Entities to prohibit texting altogether rather than risk the penalties for HIPAA violations, because they happen so often with text messaging. It is up to each organization to determine which communication methods work best for them.

Some of the drawbacks of texting important health information are:

Anybody can pick up an unattended mobile device and read and send messages.
Mobile devices can easily be lost or stolen, thus exposing important patient health information.
Messages can be used to commit insurance fraud or identity theft.
Text messages can be intercepted.
There is a risk of misinterpretation. The recipient or sender may not understand the expectations or tone of a text message, resulting in confusion.
Onboarding may be challenging, as patient opt-in is required to send text messages, and some patients do not prefer texting.
The patient may not respond or confirm when they should, leading to more contact work or scheduling incertitude.

For the most part, these drawbacks can be overcome with technological precautions and proper training. If a healthcare facility lacks access controls, audit controls, or encryption, they may not be able to ensure healthcare secure messaging.

Advantages of Texting in Healthcare

The purpose of technology is to make life a little more convenient, especially for hard workers like healthcare providers. Here are the advantages of HIPAA text messaging:

Healthcare workers can remind patients to take medications, fast before surgery, schedule annual wellness visits, and otherwise take care of themselves.
Texting can cut costs, with fewer hours needed to call or meet with patients.
Healthcare institutions can collect patient feedback quickly and easily through text messaging.
Patients are significantly more likely to read a text message than they are to answer a phone call.
Automatic text messages can remind patients to call the office, therefore generating inbound calls and eliminating games of phone tag.
Providers can offer education and support without physically seeing the patient.
Printed information is likely to be lost more misplaced, whereas text messages are more reliable.
Links with additional information can be sent via healthcare secure messaging.
Texts can quickly collect appointment confirmations, thus reducing cancellations and no-shows.
Institutions can text message polite reminders regarding overdue payments and direct patients to bill pay websites.
Texting is a more reliable way to inform patients about a schedule change due to an emergency than leaving a voicemail.

Researchers show that text messaging can help patients with chronic diseases manage their health -- for example, patients with diabetes and high blood pressure can be prompted to take or renew medications, call their physicians, or otherwise care for themselves.

The advantages of healthcare secure messaging outweigh the disadvantages, making it worthwhile for many practices to download the software and complete the necessary training to begin communicating with patients through HIPAA compliant texting.

What is HIPAA?

HIPAA stands for the Health Portability and Accountability Act, which became law in 1996. HIPAA is a set of policies designed to maintain patient privacy and safeguard PHI. With all of the sensitive information exchanged in healthcare, regulations preventing record breaches are essential. That’s where HIPAA comes in.

HIPAA puts multiple safeguards in place to ensure confidentiality and reduce fraudulent activity. It allows only patients and pertinent medical staff to access important healthcare data.

HIPAA states that healthcare workers can only disclose health information for treatment purposes. Any other disclosures require patient authorization.

Healthcare workers are required to do their part in protecting patient information. They should report security breaches and unauthorized disclosures to their administration.

What is PHI?

PHI, or Protected Health Information, constitutes all individually identifiable health information. Examples of PHI include:

First and last name
Birthday
Address
Telephone numbers
Social Security and driver’s license information
Medical record numbers
Account numbers
Insurance information
Names of relatives
Biometric identifiers
Geographic locators
Full face photographic images

Some patient information is not considered PHI because it is not personally identifiable. An example of non-PHI data would be blood sugar readings without any personally identifiable information. Basically, any medical or financial record with any personal patient information on it is considered PHI.

PHI is used in healthcare on bills, prescriptions, scans, blood test results, phone records and more. While this information is essential in healthcare, it is also the exact information used in cases of fraud and theft.

Healthcare workers utilize HIPAA to protect PHI. Any device or application that stores, records or transmits personally-identifiable patient data (such as text messaging) must be HIPAA compliant.

What is a Covered Entity?

The phrase “Covered Entity” refers to anyone who provides treatment, payment, and operations in healthcare, including insurance, clearinghouses and medical providers. You will see this phrase come up often when discussing HIPAA policies and compliance.

Why Must Texting be HIPAA Compliant?

HIPAA exists to protect patients and healthcare providers, so HIPAA compliant text messages will prevent dangerous privacy breaches.

Text messaging is not a secure messaging technology, because phone carriers store all text messages. Messages stay behind, unlike phone calls, which are not unintentionally recorded. Regular texts are not encrypted, and phones are in danger of being lost, broken, or hacked.

The consequence of willful violation HIPAA SMS policies range from $100 up to $50,000 per violation per day, with a maximum fine of $1.5 million per year. HIPAA violations can also lead to license suspension and termination.

When and How is Messaging HIPAA Compliant?

In today’s world, there is a time and place for HIPAA compliant messaging.

Patient permission, physical and technological shields in place, and a HIPAA compliant messaging app are the keys to compliant communication.

What Makes a HIPAA Compliant Text?

Patient consent is everything when it comes to HIPAA compliant messages. Texting information to patients is permitted by HIPAA if the Covered Entity has warned the patient about all of the risks of text communication, and has obtained the patient’s consent to communicate via text message. Covered Entities must keep the given warnings and consents on record.

Here are some examples of HIPAA text messaging that are often considered safe:

Messaging with employers who have self-insured health plans for employees, or who act as a mediator between employees, healthcare providers, and health insurance plans
HIPAA text rules can be waived by the U.S. Department of Health and Human Services after a natural disaster (see the COVID-19 and HIPAA Text Messaging section below)
Transactional text messages can be HIPAA-friendly, like appointment reminders, missed appointment reminders, regular physical reminders, check-in reminders, and room ready reminders
Promotional text messages are often used in accordance with HIPAA, for example: Scheduling followup appointments, advertisements of new services and products, health care tips, and patient satisfaction surveys

To ensure HIPAA compliant text messages of any form, special software is necessary, along the Minimum Necessary Standard and the physical, technical, and administrative safeguards of the HIPAA safety rule. Learn more in the Best Practices for HIPAA Compliant Text Messaging section below.

COVID-19 and HIPAA Text Messaging

In February 2020, the Office for Civil Rights of the U.S. Department of Human Health Services added a reminder to their bulletin: “In light of the Novel Coronavirus outbreak, the OCR is providing this bulletin … to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.”

The bulletin goes on to remind Covered Entities about HIPAA standards -- when and how patient information can safely be shared, and when it is a violation of patient privacy.

However, in March 2020, the OCR in the U.S. Department of Human Health Services released another statement regarding the pandemic, telehealth, and HIPAA.

During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules.

OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.

While the Department of Health is primarily concerned about patient privacy, it also recognizes the unprecedented and pressing need to contact patients through technology. There is no specific mention of SMS messaging; insead, the statement delves mainly into video chat technology.

Remember that these statements are never comprehensive, likely not permanent, and still operating under the “good faith provision” of providers. Everyone is still responsible for taking necessary precautions to make text messaging, phone calls and video chatting as safe as possible during this time.

Best Practices for HIPAA Compliant Texting

If you’re new to the world of HIPAA text, you’re not alone -- half of the world medicine is right there with you, puzzling about healthcare secure messaging.

As long as you take various security measures to protect PHI, you can successfully formulate and send HIPAA compliant messages.

You can bookmark this page for future reference. Every time you go to send a healthcare-related text, you can use this information to identify whether it is HIPAA-approved or not.

First, here are the rules for HIPAA and texting in their simplest form for your reference. You will find detailed explanations of each policy for HIPAA compliant text messages to follow.

Access controls
Audit and reporting controls
Prevention of modification and destruction of text messages
Patient consent and authentication
Secure data centers
Thoughtful content

Keep in mind the goals of HIPAA compliant text messaging: Prevent data breaches, including acquisition, access, use or disclosure of PHI by an unauthorized individual.

Access Controls: Who Is Authorized to Send and Receive Text Messages?

First and foremost, there must be procedures and policies in place to manage who is able to access PHI. Naturally, there will be designated associates and healthcare providers who have the rights and needs to access, change and distribute PHI.

HIPAA states that only need-to-know healthcare parties should have access to that particular PHI, but there are no set-in-stone rules for who must be able to access text messaging and other software and systems -- it is up to the Covered Entity to determine who those people are who truly must have access to and power over the PHI in order to care for the patient.

HIPAA does not mandate a particular software that Covered Entities must use, but it does require the following practices for HIPAA compliant text messages:

HIPAA Safeguard

Description

Unique User IDs

PHI should only be accessible to individuals with user identification names and numbers that can be tracked -- unique to each authorized individual. With this safeguard, Covered Entities can hold specific users accountable for their PHI-related activity.

Identification Tokens

To ensure that only authorized individuals access PHI, users must authenticate their identity with unique credentials, such as a password, pin, smart card, key, token, or biometric identifier such as fingerprint or facial recognition. The identifications may include a combination of these elements to guarantee only authorized individuals can send and receive texts with PHI.

Emergency Access Procedures

There must also be urgent access options in case of emergency. Specific staff must be trusted with this responsibility for urgent access should an emergency arise.

Automatic Logoff

Any program containing PHI must automatically log users off after a time of inactivity. This prevents unauthorized users from accessing PHI-laden text messages on a device that was left open.

Messaging Encryption

Standard SMS messaging is unencrypted. Encryption makes PHI unreadable to anyone besides the individual who sends the text message, and the individual who receives it. Many text messaging apps encrypt messages automatically, such as iMessage and WhatsApp (although healthcare providers opt for other secure healthcare messaging platforms). Each message has encryption keys that prevents anyone else from being able to decipher the text. Encryption works both in transit and at rest. With advanced software, end-to-end encryption occurs automatically, so neither party has to worry about their text message being accessed by an outsider.

Audit & Reporting Controls to Ensure HIPAA Compliant Text Messages

HIPAA establishes that Covered Entities and their associates must use audit controls and reporting procedures to regularly view PHI use and distribution. Healthcare facilities must be able to identify any mistakes that have been made, and any security or data breaches that have occurred.

The Covered Entity should have access to track all use of PHI in text messaging, and they should regularly analyze it. There are no rules on which specific auditing or reporting controls must be in place. It is up to each Covered Entity to determine what works best for its staff members.

Whatever controls are chosen must be able to generate reports, including administrative actions concerning PHI in text messages.

Auditing tools can:

Log all user actions related to authentication and message access
Track all administrative and employee access
Time stamp all logs for better record keeping

What if a threat to HIPAA policies or PHI information is found during regular auditing and reporting procedures?

Covered Entities should report all text messages that were sent to or received by the wrong individual to a HIPAA Security Office or IT Department. All audit information and logs relevant to security breaches should be maintained for at least 6 years.

Prevent Modification and Destruction of Personal Health Information

Under the HIPAA Security Rule, “integrity” is mandated, meaning e-PHI is not permitted to be destroyed or altered without authorization.

Humans or software can alter or destroy text messages accidentally. In some cases, these common errors can change treatment and patient records significantly.

HIPAA requires that there are safeguards in place to prevent the alteration or destruction of text messages with sensitive health information. Find out what the most likely mistakes are within your organization -- deleting text messages, destroying or losing storage devices, breaking or losing devices, etc., and find ways to mitigate those possibilities.

Some of these security measures may include workforce training and management, security personnel, workstation and device security, and regular evaluations.

The Patients’ Part: Patients Must Opt-In and Authenticate Identity for HIPAA Compliant Text Messaging

Patients must give their consent, or opt in to receive healthcare secure messages.

Transactional Messages: Transactional messages facilitate, complete or confirm transactions that have already been agreed upon. For example, a text appointment reminder about an appointment that the patient has previously established would be a transactional message.

Transactional messages establish implied consent, meaning you do not need express written consent to send these types of messages to your patients, although it never hurts.

Here are a few examples of transactional text messages:

Appointment reminders
Regular checkup reminders
No-show or missed appointment reminders
Check-in or “room ready” reminders

Promotional messages: Promotional messages include all other texts that do not involve previously established transactions.

Promotional messages require express consent, meaning you will need written or verbal consent from your patients to send these messages.

Here are a few examples of promotional text messages:

Encouragement to schedule next appointment
Advertisements of new products and services
Tips about healthcare
Patient satisfaction surveys or polls

According to TCPA, every provider that offers HIPAA text messaging will need to create a procedure in the office that allows patients to opt-in and opt-out of messaging. You can use a HIPAA compliant messaging app that comes with opt-in and opt-out software, or devise your own methods.

A patient can opt-in by signing a consent form when they are in the office. A patient should be able to opt-out by texting the word “STOP” at any time, or by requesting to opt out of healthcare secure messaging while in the office.

There must also find a way to get confirmation that any communication containing ePHI only goes to its intended recipient.

First and foremost, double and triple-check the phone number before sending any HIPAA text. Then, before sharing any PHI, send a text message to confirm the recipient.

Use Secure Data Centers

Onsite and cloud data centers must be secure. There are both traditional local server and cloud-hosted solutions. There are vendors who offer cloud-hosted solutions, but it is important to do the necessary research and consider the following aspects of a potential data center:

Server and network infrastructure and whether they cooperate with IT requirements
Multiple and geographically distributed data centers
Full redundancy and failover of the application
Maturely handled data archiving
Record retrieval for legal requests
Accordance with data retention compliance policies
Historical data availability with detailed contract language

In summary, when choosing a data center for HIPAA compliant messaging, select a well-developed product approved by your IT specialists.

Always Question Content

When composing HIPAA compliant text messages, it’s all about the content you choose. With express patient consent and the right technology, it is possible to send PHI, but it is optimal to avoid texting PHI when possible. For example, you can send a text with an appointment reminder without specifically listing the reason for the appointment, or including any of the following PHI:

Names
Dates
Phone and fax numbers
Geographic location
Social Security numbers
Account numbers
Web URLs
License numbers
Vehicle identifiers
Device identifiers or serial numbers
Internet protocol addresses
Insurance numbers
Full face photos
Biometric identifiers -- eye scans, fingerprints, face scans
Unique identifying numbers or codes

It is possible to send general reminders and information without involving personal identifiers.

Templates for Formulating HIPAA Compliant Text Messages

Here are a few examples of standard healthcare text messages that will aid you on your path to HIPAA text messaging.

Appointment Reminder Template:

Don’t forget about your appointment with {Healthcare Organization Name} on {Date}. Reply “Confirm” to confirm your appointment or “Cancel” to cancel your appointment. Contact {Organization Phone} if you have questions about your upcoming visit.

Room Reminder Template:

You have successfully checked in, and your room is now ready. When you are ready, please make your way to room number {Room Number}.

Missed Appointment Template:

We missed you today at {Organization Name}. To reschedule the appointment you missed with us on {Date} at {Time}, contact us at {Organization Phone}.

COVD-19 Guidelines Template:

Please wear a mask to your upcoming appointment at {Organization Name}. Call to check-in when you are in the parking lot. A nurse will meet you at your car to take your temperature, inquire about symptoms, and walk you into the office.

It’s essential that all employees, affiliates, physicians and contractors are thoroughly trained to use HIPAA compliant text messages, both during a nationwide pandemic and beyond. One of the easiest ways to ensure HIPAA compliance is with a HIPAA compliant messaging app.

Best HIPAA Compliant Texting Apps

Software plays a key role in making HIPAA text messaging possible. Normal SMS messaging cannot safely carry healthcare information. If you are hoping to jump into the future of medicine and begin permitting HIPAA text in your practice, the right HIPAA compliant texting app will streamline the process.

You need a safe electronic network for healthcare secure messaging. HIPAA compliant texting apps will adequately protect personal information. A HIPAA compliant texting app can be used by physicians, nurses and hospital employees to exchange information with patients and each other.

You should select an app with the following features:

Advanced password protection for all users
Limitations on personal health information access, so that only certain staff can access it (for example, employees performing billing doesn’t need access to a patient’s medical records, whereas a nurse needs medical records but not financial details)
Encryption of all text messages, which is the strongest form of digital protection for text messages, converting data into an unreadable form
A Business Association Agreement (BAA) -- this agreement holds the app liable to repercussions of HIPAA violations
Audit controls to monitor when and how long PHI is accessed

It is the Covered Entity’s job to verify that all of the app information complies with HIPAA, because government agencies do not vet many of the apps that claim to provide HIPAA compliant messaging.

Look for the following requirements for securing PHI: Confidentiality, integrity and availability. Failure to use a truly HIPAA compliant texting app can constitute a HIPAA fine.

What are the Best HIPAA Compliant Texting Apps?

In no particular order, here are some of the top HIPAA compliant messaging apps. Each app has unique features and benefits. Before downloading any of these software suggestions, be sure to conduct your own research to determine whether or not the particular company has a BAA, and if the program is the right fit for your needs.

LumaHealth

From patient scheduling to patient communication, LumaHealth ensures that all text messaging remains HIPAA compliant.

Easy access to data for authorized individuals
Capacity to identify best practices and areas for improvement within your organization
Automated post-visit outreach triages that calculate patient feedback and Net Promoter Scores in real time
Contactless check-in processes like collection of mobile insurance uploads and authorizations
Virtual visits included -- patients can join with one click, no app required
Secure chat options
Broadcast messaging
Patient feedback
Automated campaigns

Luma charges a flat monthly fee that will vary a bit based on your feature selection, as well as your provider or bed count. You can request a demo or price quote on their website.

TigerConnect

One of the leading HIPAA compliant texting apps for healthcare secure messaging. Two of its biggest selling points are its simplicity and ease-of-use.

TigerConnect is one the only text messaging clinical apps with HITRUST CSF certification, meaning it meets various security standards set by an organization led by leaders in the healthcare industry.

TigerConnect offers the following outstanding features and more.

A desktop app to add another line of communication
Syncing of all messages from phone, computer and other devices
Notifications when recipients open and read messages
A recall function: when a message is sent to the wrong person, the message can be recalled
Self-destruction of all sent messages after a designated amount of time
The patient does not have to have TigerConnect to keep messages secure
256-bit AES encryption
Secure initiation of medication reminders to patients
Training webinars upon request
No one can copy, paste or forward TigerConnect messages
Tightly encapsulated messages that can travel only within a defined private network in accordance with TLS protocol
Integration of major file sharing programs, including OneDrive, ShareFile, and Dropbox
Administrative functions to control settings on sending and receiving messages
User management for preparing a Bring Your Own Device Policy
Capacity for remote wiping or locking devices
Backs up its security measures with a $1 million guarantee

TigerConnect creates custom price quotes based on your business’ unique needs. Pricing starts at just $10.

Zinc

Zinc is another HIPAA compliant messaging app that provides the high-level security and administrative controls necessary for healthcare secure messaging. It is mobile-first and offers a familiar and easy experience. Zinc provides a streamlined platform for both mobile and desktop.

Some of the standout features of Zinc include:

Text, voice and video messaging
Instant alerts and communication with push alerts for groups and individuals
“Walkie-talkie” voice calling
Read receipts
Administration tools that give IT departments over usage
File and location sharing
Military-grade encryption
Certificates from trusted organizations
Security standards including HIPAA, SOC-2, FIPS, 140-2 and more
Salesforce CRM for quick conversations
Automatically pull information from over 500 business services, including brand mentions on social media, weather warnings, patient lab results and more
Easy onboarding process
Role-based tiers for multiple admins within your organization based on responsibility
Custom alerts to employees and groups, and tracking for who has received which alerts

Zinc costs about $10/user/month for up to 1,000 users. After 1,000 users, custom pricing is available. It works across all apps and devices, and conversations will sync on all devices.

Notifyd

Notifyd can be used on virtually any device, and guarantees end-to-end encryption for all users. It seamlessly integrates with many leading home healthcare software solutions. Notifyd offers:

TLS encryption for information in transit and AES for data at rest
No data stored on end-users mobile device
Users are granted temporary access to securely view documents
Requests for data have required authorization checks
Establishes mobile device management policies, procedures and strategies for a truly HIPAA compliant text app
Administrators have power to cut access for terminated employees, without erasing threads of communication for HIPAA data retention requirements
Scheduling capabilities that are ideal for hospitals or home healthcare providers to coordinate employee shifts
Safe sharing of videos, pictures and files
Popular HIPAA compliant cloud document storage solutions
Biometric authentication
Idle screen protection

Notifyd customers can pay a month-to-month subscription of $350 per branch, or a yearly subscription of $315 per branch each month.

Providertech

Providertech has developed a HIPAA compliant texting app with encryption to protect sensitive information. It emphasizes expanding your service population by helping you reach underserved patients and conduct targeted outreach.

Providertech offers something for everyone.

HIPAA compliant texts, photos, and documents
Users must authenticate identity before accessing text messages
Integration with most EHRs, practice management systems, and organizational directories
Adherence to HITRUST CSF Assurance Program security requirements
Utilizes Bandwidth, which is a tool that allows providers to provision numbers on the fly
Send SMS messages with little programming needed
Messages regarding chronic disease care, preventative care, tracking outstanding orders, and custom communications
Deliver test results automatically
Online reputation management for doctors, which encourages satisfied patients to leave positive reviews
Real-time service recovery alerts, so that ratings beneath your given threshold are immediately sent to your service recovery team for follow-up

Providertech has a fully customizable pricing solution to best meet the needs of your organization.

OhMD

Trusted by over 300,000 healthcare professionals. It claims to be the simplest two-way SMS texting on the market when it comes to HIPAA compliant and healthcare secure messaging -- no app necessary! OhMD includes:

HIPAA text capabilities, along with forms, surveys, images and files
Over 50 EHR integrations
Two-way SMS patient texting available in Video Visits
Patients receive a text message from their provider with a link that launches video calls
Clinical and team communication
Website chat
Appointment reminders
Online reputation management
Desktop and mobile access
Unlimited colleague chats
Unlimited patient messages
Two-way SMS texting with patients
Basic and advanced attachments
Availability settings
Premium support
Video chat capabilities
Text your landline
Forms
Automated outreach
Broadcast text messages

OhMD offers three plans, including Basic (which is free!), Plus (from $7/user/month), and Reach (custom pricing). Each plan offers a varying list and level of features.

Spok

Spok Mobile is part of Spok Care Connect, which is a complete healthcare technology platform. Spok will work alongside you to develop a custom software-adoption plan to help all users understand Spok fully and use it successfully. With Spok, you can:

Access your hospital’s full directory of contact and on-call information
Send secure text messages, photos and videos
Secure logging and tracing of all important communications
Data security measures including encryption, application lock, automated message removal, password-protected inbox, and remote device wipe capability
API allows integrations with other third-party mobile applications
A full audit trail of messages
Sent and read receipts
A Device Preference Engine (DPE) for a solution to ensure messages are routed to the correct people and proper devices, with routing profiles labeled “Low,” “Normal,” and “Urgent.”

For a fully-integrated healthcare technology experience, try Spoke. Spoke will work with you to determine pricing based on your goals and needs.

More HIPAA in Telehealth FAQ

It’s exciting to move into this new era of healthcare-on-demand, but it certainly has its challenges. Here are some more frequently asked questions about HIPAA and telehealth.

What about other HIPAA Compliant Messaging Avenues?

What about healthcare messaging via social media, apps, websites and other platforms? Is it possible, and how can it be made HIPAA compliant?

HIPAA and Social Media

The HIPAA Journal explains that the HIPAA Privacy Rule prohibits the use of any PHI on social media networks. However, social media channels are permitted to be used to post:

Health tips
Details of upcoming events
New medical research
Staff bios
Marketing messages

There have been at least 50 HIPAA violations on social media since 2012, but those are only the ones uncovered by ProPublica. There were certainly countless more that went unfound.

In most cases, HIPAA violations on social media did result in disciplinary action, including terminations and even criminal charges. Some of the most common social media HIPAA violations include:

Posting any images or videos of patients without written consent
Posting facts, gossip or hearsay about patients
Posting any information that might allow others to identify a patient
Posting pictures and videos inside a healthcare facility which include visible Personal Health Information or patients

These violations occur not only when sharing posts publicly, but also within private groups.

An employee that tends to start posting on social media must receive thorough training beforehand. Refresher training should also be provided at least once per year, because HIPAA is easily violated on social media.

This training should include:

An explanation of clear procedures on social media use and rules
Communicating possible penalties for social media HIPAA violations, like licensure loss, termination, and criminal penalties
Examples of what social media posts are HIPAA-approved, and which are not
An expert to contact with any social media questions -- perhaps someone in the compliance department
How to keep personal and corporate accounts fully separated
Approval process before any posts are submitted (they may need to go through the compliance department prior to posting)
Encouraging staff to report potential HIPAA infractions
Training not only on the posts but also on the comments

It is key to monitor the social media accounts, and keep controls and auditing abilities to flag potential HIPAA violations. Put appropriate access controls in place so that only authorized individuals can use business accounts.

Maintain a record of all social media posts, and include social media accounts in your organization’s risk assessments. One more important note: It is critical to moderate the comments. HIPAA infractions or unprofessional actions can occur instantly in a comment.

Live Chats

HIPAA compliant live chat apps can be used to communicate with patients and potential patients on the organization’s website. Remember, the proper software is essential to ensure HIPAA compliant live chats.

Most of the HIPAA compliant messaging apps listed above also provide live chat capabilities.

How to Ensure HIPAA Compliant Video Chat

Texting, video chat, phone appointments -- they’re all brand-new to most of us, and it’s nice to have the basic guidelines on hand. Here are the keys to maintaining a safe and HIPAA compliant video chat with your patients.

Encryption should be used for HIPAA compliant video chat data
Access controls must be used to ensure that individuals only have access to the specific PHI they need to perform their jobs and treat their patients
Audit controls must keep PHI from being accessed without the right intent, so an audit log should be kept

Public-facing messaging systems cannot be used for healthcare video chats or communication (think Facebook Live, TikTok, and Twitter), but even some non-public facing platforms (like Google Hangouts, Skype, or Cisco) may not be completely HIPAA approved or healthcare appropriate.

Most of the aforementioned HIPAA compliant texting apps also provide HIPAA compliant video chat options, along with all of the tools described above. A few other HIPAA compliant video chat apps include:

Zoom for Healthcare
SecureVideo
GoToMeeting
Doxy.me
SimplePractice Telehealth

Text Patients with HIPAA Compliant Texting on the JOY MD Mobile App.