Texting Patients: Rules of the Road
This post provides guidance from APA’s Ethics Committee and APA Administration. Read additional information about HIPAA here and be aware that the HHS Office of Civil Rights is resuming enforcement of HIPAA-compliant telecommunications technology for telehealth on August 9, 2023.
Using text messaging to communicate with patients can be an easy and effective form of communication for many psychiatrists, and texting is often a preferred form of communication for patients. However, psychiatrists must be aware of relevant rules and regulations before hitting “send.” While there are additional considerations from clinical and technological perspectives, below we review the ethical and legal parameters, including the HIPAA Privacy and Security Rules and the Telephone Consumer Protection Act.
HIPAA Privacy and Security Rules
HIPAA Privacy and Security Rules both place restrictions on when, how, and with whom electronic patient health information (ePHI) may be shared.
There are many misconceptions about what constitutes PHI. In general, PHI is any health information held by a covered entity – which are health plans, systems, or clinicians that electronically submit health information for any reason – that is maintained in the same record set as individually identifiable information (e.g., name, address, phone number). PHI includes information that concerns a patient’s health status, the provision of health care, or payment for said health care that is associated with an individual. Whenever any identifying information is associated with a forthcoming appointment or a treatment plan, this also would be considered PHI under HIPAA. In other words, information is PHI when it tells you who is using health care and for what reasons. Any other non-health information included in the same record set assumes the same protections as the health information. However, when non-health information is maintained outside the record set, the protections do not apply.
The HIPAA Privacy Rule requires covered entities to take reasonable steps to ensure the confidentiality of communications with patients; to notify patients of their uses of their ePHI; to keep track of such uses; and to provide patients with documentation regarding privacy policies and procedures. The Privacy Rule allows physicians to text (or email) patients as long as physicians apply appropriate safeguards when doing so, including:
- Double-checking the patient’s phone number to ensure accuracy before sending
- Sending a text to the patient to confirm the phone number before sending a message with ePHI
- Limiting the type or amount of information disclosed through text
- Using text messaging platforms that allow for end-to-end encryption*
- Alerting the patient to the relative risks of using encrypted or unencrypted text messaging to communicate sensitive information
* As a note, SMS text messages cannot be encrypted. HIPAA allows for patients to text their physicians with unencrypted text messages ONLY IF the patient is warned of the risks of communicating via unencrypted text messaging, and if the patient gives their consent to use unencrypted texts to communicate with their physician. Both the warning and consent must be documented.
To learn more about the HIPAA Privacy Rule, you can visit the Department of Health and Human Services (HHS) website.
The HIPAA Security Rule can also apply when texting with patients. While the Privacy Rule provides guidance on how ePHI must be stored, maintained, and transmitted, the Security Rule establishes security standards to prevent a breach of patients’ ePHI. These standards include Administrative, Physical and Technical components. To learn more about these standards, visit APA’s Health Insurance Portability and Accountability Act (HIPAA) website or the HHS HIPAA website.
One way to assess whether you are in compliance with the Security Rule is to ask yourself what would happen if your work phone or laptop got lost, stolen, or hacked. Would patient information be accessible to the thief? For this reason, HIPAA-compliant messaging platforms include authentication and identity management processes, encryption and decryption, and even the ability to remotely wipe data from a device.
TCPA and Facebook, Inc. v. Duguid
The Telephone Consumer Protection Act (TCPA) places restrictions on the use of automatic dialing systems and prerecorded voice messages. The TCPA defines automatic dialing systems, or autodialers, as “equipment which has the capacity -- (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” Under the TCPA, all non-emergency calls, including text messages, placed via autodialers require some form of consent if placed to a wireless telephone number. The TCPA is primarily enforced through a private right of action, as any person who has received an autodialed call or text message without the requisite consent can file suit in state or federal court.
In April 2021, the US Supreme Court clarified what counts as an autodialed call in Facebook, Inc. v. Duguid. In short, only systems that randomly or sequentially generate telephone numbers are autodialers. Because almost no modern dialing equipment or text messaging platform currently has this capability, litigation exposure to organizations using texting platforms to communicate with large numbers of customers is minimal. Under the Supreme Court’s interpretation, even text messages sent automatically and in bulk would not be considered autodialed under the TCPA where the texting platform cannot separately generate telephone numbers to be messaged.
What does this mean for physicians? Under the Supreme Court’s reasoning, sending appointment reminders via text or phone call to patients is not a violation of TCPA, even if the practice or healthcare system did not have express consent to do so. However, because appointment reminders still constitute health information, there are other regulations and obligations at play. Therefore, it is still best practice for physicians to obtain express written consent from their patient before providing such appointment reminders via text message or prerecorded phone calls. Patient consent can be obtained in the patient registration forms; for example, when patients provide their phone number at intake, intake forms can prompt patients to check a box or take some other affirmative action to consent to receive appointment reminders via text message and/or prerecorded phone call.
What are the ethical considerations of texting patients?
In addition to complying with the relevant regulations, it is important that physicians are aware of their ethical obligations when texting patients. For more information, please reference Opinions of the Ethics Committee on The Principles of Medical Ethics (.pdf). Navigate to Opinion D.18, an opinion recently issued by the APA Ethics Committee which provides guidance on the ethical considerations of texting patients.