Healthcare Compliance Part 4: Text Messaging
Part 4 of our healthcare compliance series is here, text messaging, why it’s good, and how to do it legally!
With 79% of cell phone owners stating that they use text messaging, it’s understandable why physicians would want to tap into this potent communications medium. And most are putting text messaging to good use including:
- Increasing patient communication and touchpoints when physicians are unable to physically spend as much time with the patient as they would like.
- Creating opportunities for doctors and staff to answer patient questions.
- Checking progress on treatment and motivating patients to stick with treatment.
There is also a substantial financial opportunity for most medical practices. According to the Medical Group Management Association (MGMA), the national patient “no-show” rate average ranges from 5 to 7%. Running the numbers on 4 no-shows per day and an estimated $150 value for a typical appointment demonstrates that a practice can be losing $144,000 annually, based on a 5 day work week.
Texting within the medical community is not off-limits. In fact, the Joint Commission announced that text messaging can even be used to submit orders within certain parameters. Regulatory agencies are accepting the fact that text messaging has a place in medicine, but strict standards must still be followed. Two areas where you need to pay close attention are HIPAA and the FTC.
Text messaging is HIPAA compliant under certain circumstances and provided that “administrative, physical and technical safeguards [exist] to ensure the confidentiality, integrity, and security of electronically stored or transmitted private health information.”
Let’s start with some basic requirements that every healthcare organization should be following in regards to texting:
- Processes and procedures should be developed to contain who has access to private health information and control over how it is used. Procedures should also be developed to address any breach to private health information.
- Risk assessments should be conducted periodically to identify any risks to sensitive patient data.
- Encryption and physical data protection should be established for individuals who use their personal mobile devices to communicate private health information or access sensitive patient data as part of their job.
- Policies should be developed to deal with lost, stolen or disposed mobile devices, included how to delete information remotely.
- A system should be in place to ensure private health information cannot be maintained on the local storage of mobile devices used by employees and subcontractors.
A healthcare organization should only be using messaging technology that is designed to be HIPAA compliant. Such technology includes features such as easy-to-use auditing and reporting tools to identify usage that is against defined HIPAA policies. Also necessary is the ability for the administrator to wipe all data from a mobile device that is lost or stolen per the policy mentioned above.
FTC and CAN-SPAM
In 2003, the Federal Trade Commission enacted the CAN-SPAM Act. This law, designed to protect the privacy of consumers, defined that text messaging campaigns must provide an ability for recipients to opt-out and that those requests must be processed in a timely manner. While seemingly simply, this requirement carries significant ramifications, as penalties for non-compliance can reach up to $16,000.
Want the shortened version? Watch our video below, on Text Message Compliance in Healthcare: