Two recent rulings underscore the need for covered entities to obtain prior express consent in order to send unencrypted text messages to patients. They confirm the HIPAA information we have provided for a long time – the law has not changed, but after being challenged, is now affirmed.

One of the common myths of HIPAA compliance is that HIPAA does not apply to text messaging sent by automatic systems that are also covered by the Telephone Consumer Protection Act (TCPA). Another one is that if a patient emails or texts a provider then they have consented to unencrypted communications. Neither is true.

The HIPAA E-Tool® contains guidance about the three-step “safe harbor” process on how to stay compliant with HIPAA when communicating by text.

Two Decisions Affirm HIPAA Privacy

The Supreme Court Upholds the TCPA

On July 6, 2020 the Supreme Court in Barr v. American Association of Political Consultants, Inc. affirmed the constitutionality of the Telephone Consumer Protection Act (TCPA) in a much anticipated decision. The TCPA was enacted in 1991 to protect consumers from robocalls (mainly to landlines) and since 2003, the law has also applied to cellphone calls and text messaging.

The American Association of Political Consultants argued that the TCPA violated the First Amendment right of free speech, and should be invalidated. The Court agreed that one exemption in the TCPA violated the First Amendment, but said that exemption could be severed from from the rest, and affirmed that the TCPA is otherwise constitutional.

The TCPA says that text messages are considered the same as telephone calls, and privacy protections apply to both.

The Federal Communications Commission Affirms Prior Express Consent

In addition, on June 25, 2020 the Federal Communications Commission (FCC) issued a declaratory ruling confirming that healthcare informational text messages require the prior express consent of the receiving party. This confirms a 2015 FCC ruling that all healthcare informational text messages must “comply with the HIPAA Privacy Rule”.

HIPAA requires a three-step process to obtain and document a patient’s prior consent to receive unencrypted text messages. The three-step process is a “safe harbor” for covered entities who wish to communicate with patients by unencrypted text or email. If the steps are followed, you are complying with HIPAA.

The HIPAA E-Tool® Has the Safe Harbor Three Step Guideline

Most patients prefer the convenience of unencrypted texts over encryption. But their preferences need to be documented in advance.

A covered entity must obtain an individual’s consent to use unencrypted texts or email. If someone texts or emails before they become a patient or client, you must obtain their consent to use unencrypted communication before continuing.

There is a simple “safe harbor” guideline that protects health care providers who want to communicate via email and text, but you must follow the steps.

The three steps for obtaining consent:

  1. first, a “light warning” is required – inform the patient there is some level of risk that an unencrypted text or email can be read by someone else;
  2. if, after the light warning, the patient still wants standard email and text messages (as almost all do) you must follow their direction;
  3. document the light warning and the patient’s preference in writing.

Note, if the patient prefers encrypted email or text they have the absolute right to receive it.

We are staying up to date on HIPAA so you don’t have to – what questions do you have?

Free HIPAA Checklist
What best describes you?