Practice Management Tip

6 Tips for Reducing the Risk of Patient Texting

By Cheryl Toth, MBA

In a recent client meeting, a surgeon casually mentioned that his patients regularly texted him photos of post-op incision sites. The surgeon’s partners had no idea. Neither did the administrator, who had not addressed text messaging in the practice’s risk management policies.

Text messaging is fast, easy, and efficient. People of all ages and generations have embraced it. But if you’re using SMS (Short Message Service) text messaging with patients, your practice is at risk. SMS is not encrypted or secure. It’s fairly easy to send a text to the wrong person. There is no central, auditable log of messages transmitted or received, and no ability to escalate a high-priority message. And there is no easy way to print or move an SMS text into the EHR/chart.

Here are six tips for reducing these risks:

1. Cease and desist with SMS texting until policies are in place. Hold a meeting and ask everyone to stop texting until you put some risk reduction policies in place, and confer with an attorney who understands healthcare regulations and HIPAA.

2. Encrypt all mobile devices. This is good practice in general. But it’s especially important if you are texting patients because it reduces the risk of unauthorized parties accessing text and other data. Implementation is straightforward and inexpensive. One option is Kaspersky, which costs $75-$100 per year, per device.

3. Develop a usage policy. The policy should set rules and expectations for staff, physicians, and patients. It should answer questions such as: Who is authorized to send/receive text messages from patients? What are the expected response times? Which topics are appropriate/inappropriate for text? How do critical messages get escalated? How will the data be printed and placed in the patient’s chart or ported to the EHR? 

4. Develop a Statement of Understanding. Such a Statement clarifies that patients have a choice about how they want to communicate with you, and that text messaging is only one option. Further, if you use SMS and not a secure text messaging system, the Statement informs patients about the risks inherent in using unsecured messaging. Ask patients to review and re-sign the policy every 12 months.

5. Purchase a cyber insurance policy. Cyber insurance provides you (and your attorney) peace of mind, and is a cost-effective way to protect yourself against expenses related to data and privacy breaches and crisis management. Typically, it covers costs such as remediation, patient notification and credit check protection, legal costs, and fines. Contact a local insurance broker for details.

6. Move toward secure messaging. Secure messaging is encrypted, and messages are sent across a secure network. Data is stored in the cloud, not on a physician or staff member’s individual mobile devices. That means messages can be logged, archived, printed, and ported to the EHR. These features also enable security audits required by HIPAA. In fact, most secure messaging solutions are HIPAA compliant, and the company will sign a Business Associate Agreement with your practice. 

If your EHR vendor offers a patient portal, it typically includes secure messaging. You might also evaluate cost-effective options such as Patient Reach Mobile, HealthLoop, and PingMD.


Cheryl Toth, MBA is a content developer with KarenZupko & Associates. She brings 20 years of consulting, training, technology product and executive management to her projects.