
Abstract

Is it OK to communicate by text with your patients? Members of APA’s legal team describe several privacy and security rules to help you determine what’s best.


Text messaging can offer an easy and effective way for patients and psychiatrists to communicate, but texts involving medical information come with legal and ethical risks. Below are several privacy and security rules to keep in mind before sending text messages to patients.

HIPAA Privacy and Security Rules

The HIPAA Privacy and Security Rules both place restrictions on when, how, and with whom electronic protected health information may be shared.

There are many misconceptions about what constitutes protected health information. In general, protected health information is any health information held by a covered entity (for example, health plans, systems, or clinicians that electronically submit health information for any reason) that is maintained in the same record set as individually identifiable information (for example, patient names, addresses, and phone numbers).

Protected health information includes information that concerns a patient’s health status, the provision of health care, or payment for said health care that is associated with an individual. Whenever any identifying information is associated with a forthcoming appointment or a treatment plan, this also would be considered protected health information under the Health Insurance Portability and Accountability Act (HIPAA). In other words, protected health information tells who is using health care and for what reasons.

Any other non-health information included in the records containing protected health information assumes the same protections as the health information. However, when non-health information is maintained outside the record set, the protections do not apply.

The HIPAA Privacy Rule requires covered entities to take reasonable steps to ensure the confidentiality of communications with patients, to notify patients of the entity's uses of their electronic protected health information, to keep track of such uses, and to provide patients with documentation regarding privacy policies and procedures. Under the Privacy Rule, physicians are allowed to text or email patients provided appropriate safeguards are in place. Such safeguards include the following:

  • Confirming the patient’s phone number has been entered correctly.

  • Sending a text to the patient to confirm the phone number before sending a message with electronic protected health information.

  • Limiting the type or amount of information disclosed through text messages.

  • Using text messaging platforms that allow for end-to-end encryption*.

  • Alerting the patient to the relative risks of using encrypted or unencrypted text messaging to communicate sensitive information.

*Please note: SMS text messages cannot be encrypted. HIPAA allows for patients to text their physicians with unencrypted text messages ONLY IF the patient is warned of the risks of communicating via unencrypted text messaging and if the patient gives their consent to use unencrypted texts to communicate with their physician. Both the warning and consent must be documented.

The HIPAA Security Rule can also apply when texting with patients. While the HIPAA Privacy Rule provides guidance on how electronic protected health information must be stored, maintained, and transmitted, the Security Rule establishes security standards to prevent a breach of patients’ electronic protected health information.

These standards include administrative, physical, and technical components. To learn more about these standards, visit APA’s HIPAA and HIT Primer and the HHS summary of the HIPAA Security Rule.

To determine if they are in compliance with the Security Rule, physicians should ask themselves: What would happen if my work phone or laptop got lost, stolen, or hacked? Would another person be able to access patient information from the device?

To maintain the security of electronic protected health information, HIPAA-compliant messaging platforms include authentication and identity management processes, encryption and decryption, and even the ability to remotely wipe data from a device.

Telephone Consumer Protection Act

The Telephone Consumer Protection Act (TCPA) places restrictions on the use of automatic dialing systems and prerecorded voice messages. The TCPA defines automatic dialing systems, or autodialers, as “equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.”

Under the TCPA, all non-emergency calls, including text messages, placed via autodialers require some form of consent if placed to a wireless telephone number. The TCPA is primarily enforced through a private right of action, as any person who has received an autodialed call or text message without the requisite consent can file suit in state or federal court.

In April 2021, the U.S. Supreme Court clarified what counts as an autodialed call in Facebook, Inc. v. Duguid. In short, only systems that randomly or sequentially generate telephone numbers are autodialers. Because almost no modern dialing equipment or text messaging platform currently has this capability, litigation exposure to organizations using texting platforms to communicate with large numbers of customers is minimal. Under the Supreme Court’s interpretation, even text messages sent automatically and in bulk would not be considered autodialed under the TCPA where the texting platform cannot separately generate telephone numbers to be messaged.

What does this all mean for physicians? Under the Supreme Court’s reasoning, sending appointment reminders via text or phone call to patients is not a violation of TCPA, even if the practice or health care system did not have express consent to do so. However, because appointment reminders still constitute health information, there are other regulations and obligations at play. Therefore, it is still best practice for physicians to obtain express written consent from patients before providing such appointment reminders via text message or prerecorded phone calls.

Patient consent can be obtained in the patient registration forms; for example, when patients provide their phone number at intake, intake forms can prompt patients to check a box to consent to receive appointment reminders via text message and/or prerecorded phone call.

Ethical Considerations

Lastly, in addition to complying with the relevant regulations, it is important that physicians are aware of their ethical obligations when texting patients. For more information, please review “Opinions of the Ethics Committee on The Principles of Medical Ethics” Opinion D.18—an opinion recently issued by the Ethics Committee which provides guidance on the ethical considerations of texting patients.