Many healthcare providers today use unencrypted text messages to communicate with patients. HIPAA rules apply to those communications and the recent Supreme Court decision about text messages and consumer rights doesn’t change that.
Facebook’s Phone Notification System Does not Violate the Law
Last week the Supreme Court issued a unanimous decision in Facebook v. Duguid concerning the Telephone Consumer Protection Act (TCPA) that affects healthcare providers who use text messaging with patients for informational purposes like appointment reminders. The key issue was what qualifies as an Automatic Telephone Dialing System (ATDS), which is what the TCPA regulates.
The Supreme Court ruled in favor of Facebook, overturning a Ninth Circuit Court of Appeals decision. An individual, Noah Duguid, sued Facebook after he received a number of unwanted text messages from them notifying him that someone was trying to log into his account. Duguid said he had never given Facebook his cell phone number or even had a Facebook account. However, Facebook had his number, apparently by mistake, in a database that it used to send customers “login notification” text messages when an attempt is made to access their account from an unknown device or browser.
Facebook said it is possible Duguid had a recycled cell phone number that previously belonged to a Facebook user. Duguid was so frustrated in his attempts to stop the unwanted texts that he sued under the TCPA. The Ninth Circuit Court held that Facebook’s notification system was an ATDS subject to the TCPA because it automatically dialed stored numbers. The Supreme Court disagreed.
From the Supreme Court opinion:
“To qualify as an ‘automatic telephone dialing system’ under the TCPA, a device must have the capacity either to store a telephone number using a random or sequential number generator, or to produce a telephone number using a random or sequential number generator.”
Provider’s Own Patient Database May be Used under the TCPA
The Supreme Court ruled that the TCPA only applies to an ATDS that can generate random telephone numbers. Software that sends text messages from a database like a healthcare provider’s list of patient contact information is not an ATDS. Therefore, healthcare informational text messages like appointment reminders sent from patient databases and not to randomly generated cell phone numbers are not subject to the TCPA. This is significant because the TCPA allows for private lawsuits from individuals, with statutory damages set at $500 minimum per text. At that rate damages can mount astronomically.
HIPAA Still Applies to Text Messaging with Patients
The Supreme Court decision means that healthcare providers who use text messaging will not be sued by unhappy individuals under the TCPA, which provides for hefty penalties.
HIPAA Privacy and Security Rule requirements must still be followed to text patients, but HIPAA does not provide patients with a private right to sue. Among HIPAA requirements for transmission security are the “duty to warn” patients of risks involved in communicating by unencrypted text message (and unencrypted email), complying with a patient’s preference after receiving the warning, and documenting the warning and the patient’s preference. Follow those three steps and step into the “safe harbor” for HIPAA compliance on patient communication.
Patients have a right to receive unencrypted texts and emails containing protected health information (PHI) if they have been advised of the risks and accept them, as almost all do.
The HIPAA E-Tool® Has What You Need
We provide more than Policies for all the HIPAA Rules, more than a Risk Analysis module, more than legal citations, more than a convenient Search Box to find all things HIPAA. Included are optional forms, like the Duty to Warn requirement for patients’ confidential communications. It’s easy to use and a safe harbor for HIPAA compliance related to patient communication by unencrypted text or email.