Considering Text Messaging for your Medical Practice - What to Know

By: Daryl Smith on March 25th, 2019

With the ever-increasing popularity of text messaging, it makes sense that healthcare companies are looking into ways to incorporate texting into their practices. It’s fast, easy, and anyone in the office can do it… but should they? If medical practitioners decide to communicate with or about patients via text message, they need to ensure that it’s done in a safe, secure, and HIPAA-compliant way. Read on to identify what you need to consider regarding text messaging for your medical practice.

Make Sure You Have Rules In Place

The most important yet basic consideration is to put very clear and easy-to-understand rules into place. Rules will protect your practice and will ensure that your patients’ protected health information (PHI) is secure.

PracticeSuite suggests answering the following questions to begin the conversation about which guidelines make the most sense:

  • Who in the office is allowed to send a text message?

  • What information can be sent through a text message?

  • What information cannot be sent in a text?

  • What is an appropriate time frame in which to respond to a patient’s text?

  • Which topics are not allowed in your texts to patients?

  • What are HIPAA guidelines with regard to texting patients?

Although you have just begun the conversation, there are some other important considerations at this stage. The text messages that relate to patient treatment should always be incorporated into the medical record and then deleted from the mobile device. These text messages, whether retained or deleted, should also follow defined protocols.

It is probably best to use a practice-owned and practice-secured mobile device, rather than personal mobile devices. The devices used by the practice should be “registered” with the practice so that in case the device is lost or stolen, the practice can be immediately notified. When a device will be discarded or replaced, make sure the messages are deleted and the device is disposed of properly.

Always inform your patients that your practice uses text messaging. Obtain their written consent, or where there is lack of consent, document it in the patient’s medical record. The consent may include a description of the kinds of information the text messages will include, who will have access to the mobile device in the practice, and that once patient texts are read by the practice they will be deleted. Also include that when a patient changes their mobile number, they should notify the practice in writing.

Once you’ve begun having this conversation with the stakeholders involved in the practice (if there are any other than yourself), it’s important to discuss the guidelines with a lawyer to make sure your approach is legal.

If you’ve been texting your patients without the proper guidelines in place, ask everyone in your office to stop texting patients until you put some risk reduction policies in place and confer with an attorney. Politely inform your text-using patients that the hiatus is for their protection and privacy. It is important to ensure that you and your patients are covered from all angles; it’s your responsibility to protect their information.

Encrypt All Mobile Devices

"Encrypting all mobile devices is good practice, whether you are texting with patients or not," according to healthcare attorney Michael Sacopulos, president of the Medical Risk Institute in Terre Haute, Ind. "But encryption software is especially important if you are texting patients because it reduces the risk of unauthorized parties accessing text and other data on a physician's or staff's mobile device."

How do you encrypt your mobile device? With an app, of course. The price is worth it. The application you choose should definitely be HIPAA compliant. You may want to look at products that allow you to store messages on your server. Consider public/private key encryption where only the intended recipient can decrypt their messages. Consult your IT partner for guidance.

Include Texts In the Record

Any text message that involves the transmission of information that would be considered protected health information (PHI), including information relating to the treatment of your patients, should be considered part of, and therefore incorporated into, your medical record.

If the text message contains PHI, make sure it is not in violation of laws governing PHI. You should carefully review the Health Insurance Portability and Accountability Act (HIPAA) guidelines. Be aware of the rules about how long a text message can and should be retained, and what kind of access patients are allowed in order to see and amend messages. Failure to follow message retention guidelines could hurt you if you ever find yourself in a lawsuit for malpractice without copies of crucial messages.

Be Aware of Security Risks

Data security is extremely important to take into account when it comes to text messaging for your medical practice. An information breach that results in misuse of your patients’ information could be devastating. For example, if your device is stolen or lost, unencrypted messages could be easily accessed by a malicious user. For this reason, the Joint Commission, which accredits hospitals, has stated that texting a patient’s hospital orders is not acceptable because those orders cannot be validated. In addition, it can be difficult for someone to validate who sent the text message if the phone/information has been lost.

HIPAA Compliance

HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. This can certainly apply to text messages. HIPAA is important because it ensures that healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities implement multiple safeguards to protect sensitive personal and health information.

While no healthcare organization wants to expose sensitive data or have health information stolen, without HIPAA there would be no requirement for healthcare organizations to safeguard data – and no repercussions if they failed to do so.


Text messaging may seem like a great practice solution for connecting with your patients. Perhaps it is, but it’s essential to take everything into account before deciding to incorporate texting into your practice. As a healthcare provider, you are responsible for protecting your patients’ sensitive health information.