If you work in a healthcare office, you may be wondering if text messages, emails, automated voice calls and other forms of communication are acceptable for medical appointment reminders under the Portability and Accountability Act (HIPAA). The answer is yes.
The Health and Human Services (HHS) department has stated that automated doctor appointment reminders are allowed under the HIPAA Privacy Rule (see here). While we are excited to share this exciting news, we do want to remind our current and future clients that we are not legal professionals, and therefore we cannot provide any legal advice or instruction.
Why HIPAA Matters to Your Modern Practice
One of the primary reasons the United States government passed HIPAA was to encourage the use of new technology in the healthcare field by establishing rules to protect the privacy of patients in regard to patient appointment reminders. A key aspect of HIPAA relates to the security of data regarding patient records and other vital information that should remain private under federal law. This pertains to HIPAA appointment reminders, HIPAA rules regarding text messaging, and doctor appointment email messages and calls.
About HIPAA-Compliant Appointment Reminders
The Department of Health and Human Services has officially stated that phone calls, text messages and emails are all effective and legal ways to communicate with patients regarding their upcoming appointments under HIPAA requirements. Reminding patients about appointments that they made days, weeks, or months before is critical to providing patients with timely care and to the efficient operation of the medical office. When sending text, voice, and email appointment reminders, it is important to remember that someone other than the intended party may see or hear the message. Because of this, you should take care not to include detailed notes about the appointment, diagnosis, or treatment plans.
Apptoto’s default message templates include info regarding the company name, the provider name, and the date and time of appointment, but to comply with HIPAA regulations, we strongly recommend modifying your message contents to only include the date and time of the event.
Apptoto message templates are easily customized, so you can tailor your messages as needed to comply to HIPAA standards. An example of this is for providers who do not include the full name of their practice, opting instead for initials only, as a way to further protect their patients’ privacy. Including information such as provider name, appointment type, or office name/location may be considered a breach of PHI. If you have questions or concerns about this, consult your HIPAA Compliance Officer/Department.
Complying With Patients’ Wishes
Here are some important things to keep in mind regarding calling, emailing, and text messaging and HIPAA compliance. With HIPAA appointment reminders, healthcare providers are required to comply with reasonable requests regarding the format of the reminders. For example, if a patient wishes to opt out of receiving text-message appointment reminders, the patient can request another type of reminder, such as appointment-reminder calls. The healthcare office is not required to make a phone call or send a medical-appointment-reminder text message if this is not a service provided by the office to other patients. However, the healthcare office will need to cease sending reminders if a patient makes the request to do so.
Choosing a Doctor-Appointment Reminder App
HIPAA-compliant, medical-appointment apps are a great help for both the healthcare office and the patient. Apptoto is a convenient, cost-effective option for any healthcare provider, including therapists, counselors, and more. Medical offices may also ask patients to state their prefered method of reminders, such as HIPAA text message appointment reminders, calls, or emails. They may choose to opt in to appointment reminders, and the appointment-reminder service provider can work with the medical office to set this up effectively.
Apptoto’s HIPAA compliance program
In order for a service provider to be fully HIPAA compliant, they must adhere to HIPAA’s Privacy Rule, HIPAA’s Security Rule, and be willing to sign a Business Associates Agreement (BAA). Our HIPAA-compliance program does all three by providing:
- Account stored and run on HITRUST Certified servers for HIPAA Compliance (provided by AWS)
- All sensitive “at rest” data encrypted
- All sensitive “in transit” data encrypted (this does not include SMS and Email messages sent)
- Logging disabled on server
- SSL used for all communication
- Account disabled after 6 failed attempts
- Courtesy compliance review of message content
- Only Apptoto personnel trained in HIPAA compliance (via Accountable) and having undergone background checks will have access to your account
- Signed Business Associates Agreement (Group plan and higher)
In order to use our HIPAA-compliance program, including HIPAA text-message appointment reminders, you must sign up for a free account and subscribe to one of our HIPAA-compliant plans. If you are on a Group Plan or higher, you can request a signed BAA by sending your company’s official name, HIPAA compliance officer, and address to firstname.lastname@example.org.