It’s a question I get fairly often, “Does asking for feedback or reviews through text violate HIPAA?” Many wonder if texting alone is a violation of HIPAA.
I’m not a dentist or a doctor, but I’ve done a fair bit of research into the matter to answer this important question.
I’ve worked with many dentists and physicians over the span of my career in marketing, publishing, reputation management, and software development. I like working with dentists because they challenge me. Dentists often need unique solutions to common problems.
Often, a marketing or reputation management solution that works for a florist won’t work for a dentist.
If you work in dentistry, you know this all too well. You face stiff competition, and you handle your patients’ health on a daily basis. You have marketing needs, but you also need to protect the sensitive information of your patients. This is both a legal necessity and necessary to respect that trust patients have given you.
I’m neither a doctor nor a HIPAA compliance officer. I’m not a lawyer, either. I can’t give you any legal or medical advice, but I can tell you what my research has shown in regards to HIPAA and text messaging.
Why Texting Works for Reviews
Here at RevenueJump, we find sending text messages works perfectly for review requests. In fact, it leads to far greater conversion than other more traditional methods. If everything a business’ client or patient needs to leave a review is included in a simple text message, they’re more likely to leave a review– especially if they had a positive experience!
It’s also automated, so it doesn’t take time away from busy business owners and marketing teams. If you work in the dental industry, you’re busier than most. That’s why sending text message review requests is ideal for dentists.
My work with dentists was a big inspiration for starting RevenueJump in the first place. It’s a hyperlocal and competitive field, and reviews are a very big deal.
If it’s automated and it helps you get a leg up on your competition, both in the search results and in the scope of your reputation, it can only be seen as a positive in my eyes.
But, as a dentist, you have valid concerns. Does an automated text message sent to your patient violate HIPAA? Does it include confidential information that might get you into trouble?
I wanted to find the best possible information I could in order to set your mind at ease.
The Risks of Texting Patients
According to HIPAA Journal, “The fine for a single breach of HIPAA can be anything up to $50,000 – per day the vulnerability responsible for the breach is not attended to.”
That’s serious money, and those HIPAA breaches could mean serious repercussions for your practice and your reputation. I understand the hesitation and the concern. You don’t want to send text messages to your patients all willy-nilly without carefully considering the consequences.
Most dentists and other medical professionals use text messaging to communicate with their teams, and many use text messaging to communicate with patients, as well (think appointment reminder texts). You definitely can text your patients; the potential issues surround specifically what information is sent and who has access to it, and that’s where other companies have run into problems.
Those problems come from sending Protected Health Information (PHI) over text message.
When Does Texting Violate HIPAA?
Anytime you send PHI over text message without proper security measures in place, it’s a potential violation of HIPAA.
Here’s HIPAA Journal’s explanation:
“The technical safeguards of the HIPAA Security Rule are the most relevant towards answering the question “When is texting in violation of HIPAA?” This section of the HIPAA Security Rule concerns access controls, audit controls, integrity controls, methods for ID authentication, and transmission security mechanisms when PHI is being transmitted electronically. Among the requirements are:
- Access to PHI must be limited to authorized users who require the information to do their jobs.
- A system must be implemented to monitor the activity of authorized users when accessing PHI.
- Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN.
- Policies and procedures must be introduced to prevent PHI from being inappropriately altered or destroyed.
- Data transmitted beyond an organization´s internal firewall should be encrypted to make it unusable if it is intercepted in transit.”
Sending any PHI in an unsecure electronic format was outlawed in 2013, when changes were made to the HIPAA Privacy and Security Rules.
If you visit either of those two articles I linked to in this section, you’ll see that HIPAA recommends you invest in a secure patient messaging system beyond a text or SMS message to send any mobile device correspondance to your patients.
While you can discuss specifics of someone’s PHI over the phone, you can’t do the same over text message, because there’s no way to ensure you’ve reached the correct recipient, and because text messages stick around even after the conversation has ended — unlike a phone call.
So, can you text your patients at all without violating HIPAA? Can you send review requests to get a leg up on the competition and cement your five-star reputation?
How to Send Safe Texts
“To conduct the safest texting practices possible, physicians should avoid including PHI in their text messages whenever possible. Additionally, they should ensure that their phones are guarded with adequate security measures.”
That pretty much lines up with what HIPAA Journal has to say, also:
“So, for example, it is okay to send messages by text provided that the content of the message does not include “personal identifiers”. It is okay for a doctor to send text messages to a patient, provided that the message complies with the “minimum necessary standard”. It is also okay to send messages by text when the mechanisms are in place to comply with the technical safeguards of the HIPAA Security Rule.”
At RevenueJump, our review requests don’t contain any PHI. We make no mention of your patient’s condition, the treatment you provided, the cost of care, or even when their next appointment is. Our messaging system is secure — as is our website. And, of course, RevenueJump never has access to any PHI.
Our software simply sends the patient a one-click survey pertaining to their last visit without revealing any PHI. If they had a negative experience, RevenueJump helps connect them with the practice to mitigate problems before they can be posted somewhere public (like on Yelp or Vitals).
On the other hand, if their experience was a positive one, RevenueJump gives them an option to write a review on the public platform of your choice (and there’s SEVERAL to choose from).
Of course, we’d like positive experiences to be shared by those that are willing, and RevenueJump is the best platform to make that happen, while also protecting the sensitive relationship between doctors and their patients.
For further reading, I recommend this excellent piece on text messaging and HIPAA compliance at Modern Medicine.
Asking patients for their feedback can be a delicate subject. You can contact your patients via text and email, so long as PHI is never shared. While I’m neither a lawyer or a HIPAA compliance officer, I take your commitment to HIPAA and your patients seriously.
If you still have questions about any of this, or are unsure, I recommend talking to your HIPAA compliance officer. I’m more than willing to speak to both you and your advisors so we can discuss the particular details of our service. We can even offer custom messaging to better suit the unique privacy needs of your practice, as needed.
I’m always willing to talk and hear your concerns regarding HIPPA compliance and text messages. Your questions and feedback are what helps RevenueJump evolve and improve. I want to make reputation management easy for good dentists, and I want it to be HIPAA compliant every step of the way.
Here’s to the continued growth of your dental practice, and its 5-star reputation!