We all know we shouldn’t text and drive, don’t we? That said, now let’s explore how texting has evolved in healthcare.
The Rise of Text Messaging in America
On June 19, 1934, United States (U.S.) President Franklin D. Roosevelt signed the Communications Act of 1934 into law.[1] This act established the Federal Communications Commission (FCC), the agency that regulates all interstate and foreign communication by wire and radio, telegraphy, telephone and broadcasts such as Short Message Service (SMS) texting.
During the past decade, all forms of electronic communication have flourished, and SMS texting has been a key driver of that growth. There are over 378 million wireless subscribers in the U.S., and smartphone users are sending and receiving over 1.9 trillion text messages annually.[2] According to the International Smartphone Mobility Report by mobile data tracking firm Infomate, Americans allocate over 30 minutes a day for their texting activities. Now that’s a lot of texting!
The FCC Protects Consumer Privacy with TCPA Legislation
Under the direction of the FCC, the Telephone Consumer Protection Act of 1991 (TCPA) became law.[3] The statute was created to protect consumers from unsolicited telemarketing calls, faxes and text messages.
On February 15, 2012, the FCC revised its TCPA guidelines, further restricting telemarketing calls.[4] The TCPA requires prior written consent for most automated telemarketing communications, particularly those made to wireless phones. However, healthcare communication has its own set of rules.
Healthcare Exemptions to the TCPA
The American Association of Healthcare Administrative Management (AAHAM) lobbied for an exemption from the TCPA’s prior express consent rule for “healthcare-related messages” that are subject to the Health Information Portability and Accountability Act (HIPAA). The FCC issued a Declaratory Ruling and Order[5] on July 10, 2015, addressing several provisions of the TCPA.
The HIPAA exemption in the TCPA rule clarifies the requirements for calls and texts to wireless devices as well as calls to residential landline phone numbers. Under the exemption, communications that deliver a healthcare message made by or on behalf of a “covered entity” or its “business associate,” as defined in HIPAA,[6] do not require the prior written consent of the party called.
The FCC further clarified that when an individual provides his or her wireless phone number to a healthcare provider, doing so constitutes permission to contact that number as long as the calls or texts are limited in scope to the purpose for which the number was provided.[7] Healthcare providers can rely on this provision as constituting prior express consent under the TCPA.
Legislative changes to the TCPA have opened the door for healthcare providers to adopt texting as an uncomplicated and reliable way to communicate with their patients. Texting now affords healthcare providers a cost-efficient avenue to communicate internally between staff members and externally between other physicians, hospitals and patients. This emerging business strategy offers providers new ways to improve patient relations and reduce operating expenses.
TCPA Requirements for Healthcare Text Messaging
Healthcare providers who deliver exempt “healthcare messages” must meet stringent requirements to remain in compliance with the TCPA. The following are seven key actions that require adherence:
- Text messages must be sent to the wireless telephone number provided by the patient.
- Text messages must state the name and contact information of the healthcare provider.
- Text messages are strictly limited to the purposes permitted and must not include any advertising or promotional information; may not include accounting, billing, debt collection or other financial content; and must comply with HIPAA privacy rules.
- Text messages are limited to 160 characters or less in length.
- A healthcare provider may initiate only one text message per day, up to a maximum of three messages per week.
- A healthcare provider must offer recipients an easy means to opt out of future messages.
- A healthcare provider must honor the opt-out requests immediately.
It is also important to note that in situations where a patient is incapacitated and unable to provide a phone number directly to a healthcare provider, a third-party HIPAA-covered intermediary may provide a number. Consent by a third party on behalf of an incapacitated individual will end when the individual is no longer incapacitated, at which time the provider must get prior express consent from the individual being called.
Risks of Text Messaging with PHI
Every form of HIPAA-compliant communication carries some level of risk. Communication by text with patients and other clinicians presents its own set of risks and, like other communication methods, requires adherence to compliant practices to ensure the privacy and security of protected health information (PHI).
Unlike some electronic communications that do not store interactions between parties, text messages can be stored on wireless devices indefinitely, which poses a risk that unauthorized third parties could access PHI. Also, even though wireless carriers encrypt text messages, there are substantial security threats where sophisticated computer hackers may intercept and decrypt messages. Hackers do not discriminate and will focus on any communication weakness or vulnerability they can access. If healthcare providers do not follow stringent security protocols, texts sent to and received from colleagues and consumers become an easy target for cyber criminals.
Providers cannot mitigate risks if they do not identify and carefully document the threats that come with using electronic methods of sending PHI. Examples of threats include:
- Theft or loss of the mobile device
- Improper disposal of the mobile device
- Interception of transmission of electronic PHI by an unauthorized person
- Lack of availability of electronic PHI to persons other than the mobile device user
Security Measures to Protect Text Messages with PHI
If a provider is considering using text messaging as a way to communicate with patients, developing a risk analysis and management strategy to lessen the chance of a breach is of paramount importance. Based on the outcome of a risk analysis, a provider is better able to implement suitable controls to protect the organization.
Developing a proper risk analysis and strategy requires performing a systemic evaluation across the entire organization. Regardless of the method that transmits or shares PHI, it is important to identify all potential gaps in security. This requires the scrutiny of weaknesses that may exist throughout the system. Threats can come from organizational applications, internal work processes or involve staff, partners or vendors. In addition, threats can vary depending on the makeup of a provider’s organization. Vulnerabilities can exist internally, externally, environmentally and physically. When evaluating the risk of a PHI breach in your organization, consider the overarching areas of exposure, threats and risks:
- Digital: (e.g., weak passwords);
- Physical: (e.g., not shredding PHI);
- Internal: (e.g., employees);
- External: (e.g., hackers);
- Environmental: (e.g., fires);
- Negligent: (e.g., unknowing employee); and
- Willful: (e.g., disgruntled former employee).
When implementing security protocols specifically for texting, providers should consider adding the following controls to their security plan and policies:
- Creating a policy prohibiting the texting of PHI or limiting the type of information shared via text message
- Carrying out workforce training on the approved use of job-related texting
- Implementing password protection protocols for mobile devices that create, receive or maintain text messages with PHI
- Keeping an inventory of all mobile devices used for texting PHI
- Properly disposing of mobile devices that have been used for the texting of PHI
- Ensuring that all texts that include PHI are notated in the medical record
Security training should be easy to understand and should support the policies and procedures developed and put in place in response to the risk analysis and risk management strategy.
Finally, every provider organization should train its workforce so they understand their mobile device policies and procedures and how to follow them.
Mobile messaging and texting have become a key industry initiative. Healthcare stakeholders have embraced mobile communication, as evidenced by their participation and volume of text conversations. With the advent of the Affordable Care Act, the demand for mobile messaging as a patient engagement tool has steadily increased. It is apparent that mobile messaging, including text, web and chat communication, will ultimately be a mainstream healthcare communication method.
Strong communication is essential for care coordination, and the use of proper communication tools and channels helps providers communicate and provide care across the entire wellness continuum. Texting is only going to evolve, and health organizations must consider the various risks and take the appropriate measures to ensure the safety of PHI.
Phil C. Solomon is the publisher of Revenue Cycle News, a healthcare business information blog, and serves as the Vice President of Global Services for MiraMed, a healthcare revenue cycle outsourcing company. As an executive leader, he is responsible for creating and executing sales and marketing strategies which drive new business development and client engagement. Phil has over 25 years’ experience consulting on a broad range of healthcare initiatives for clinical and revenue cycle performance improvement. He has worked with the industry’s largest health systems developing executable strategies for revenue enhancement, expense reduction, and clinical transformation. He can be reached at firstname.lastname@example.org
1. United States Publishing Office, U.S. Code › Title 47 › Chapter 5 › Subchapter I › § 151, https://www.gpo.gov/fdsys/search/search.action?na=&se=&sm=&flr=&ercode=&dateBrowse=&govAuthBrowse=&collection=&historical=false&st=citation%3A47+USC+151&psh=&sbh=&tfh=&originalSearch=&fromState=&sb=re&ps=10&sb=re&ps=10
2. Year-End U.S. Figures from CTIA’s Annual Survey Report, http://www.ctia.org/your-wireless-life/how-wireless-works/annual-wireless-industry-survey
3. Federal Communications Commission, Washington, D.C. 20554, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, https://apps.fcc.gov/edocs_public/attachmatch/FCC-12-21A1.pdf
4. FCC Adopts Rules to Strengthen Consumer Protections Against Unwanted Telemarketing “Robocalls” to Wireline and Wireless Phones, https://www.fcc.gov/document/fcc-strengthens-consumer-protections-against-telemarketing-robocalls-0
5. Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991; American Association of Healthcare Administrative Management, Petition for Expedited Declaratory Ruling and Exemption; et al, https://www.fcc.gov/document/tcpa-omnibus-declaratory-ruling-and-order
6. Summary of the HIPAA Privacy Rule, https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/
7. Free-To-End User Financial and Healthcare Alerts: The FCC Applies Common Sense, With Limitations (FCC TCPA Order Report Parts 7 & 8 of 11), by Blaine C. Kimrey, Lisa M. Simonetti & Bryan K. Clark, http://www.mediaandprivacyriskreport.com/2015/09/free-to-end-user-financial-and-healthcare-alerts-the-fcc-applies-common-sense-with-limitations-fcc-tcpa-order-report-part-7-of-11/