Healthcare Information Security


Healthcare Texting for Patient Appointments Could Pose Risks

Healthcare organizations must be mindful of security when engaging in healthcare texting for patient appointments, advised MGMA Consulting Principal Nick Fabrizio in a recent blog post.


By Fred Donovan


Fabrizio was commenting on the results of a survey of 1,615 healthcare professionals by MGMA Stat that found more than two-thirds of healthcare organizations use text messaging to communicate appointments and reminders to patients.

“An important consideration when text messaging patients is the security behind these communications; SMS messages are not secure messages….As text messaging is not typically a fully secure channel for the communication of PHI, practices must be vigilant when sending information via text messages,” Fabrizio wrote.

The survey found that those who did not use text messages for patient appointments employ an alternative such as email or phone call reminders, because they believe text messaging is too expensive. Additionally, 7 percent of respondents were considering integrating appointment communication via text, while 1 percent were unsure.

Respondents whose organizations use text messaging for patient appointment communication said that they offer patients the option to confirm, cancel, or ask to reschedule via text.

Patients first have to give their permission to use texting as their primary method for appointment reminders. The healthcare organization may use multiple options to remind patients, but texting is usually the patient’s preferred method.

Healthcare organizations have found that text messaging is normally the most effective method of reminding patients about appointments compared to email, phone calls, or snail mail.

The reasons given by organizations that don’t offer text messaging included not having a setup to offer it, using exclusively phone calls or emails for reminders, relying on a hospital’s texting capabilities if part of a larger system, and physician reluctance to move to text messaging.

Fabrizio offered the following tips for using text messaging as appointment reminders:

• Only send necessary information—patient first name and last initial along with the appointment day/time

• Obtain consent from patients for reminders via text, email, or phone (while reminding patients that text messages may not be fully secure)

• Verify patient contact information each visit

• Avoid including any PHI in a text, including the organization’s name

• Consider secure messaging options for communicating PHI internally among staff members

At the end of last year, CMS issued a Survey and Certification in which it said that texting patient information among members of the healthcare staff is only permitted on a secure messaging platform.

CMS said that healthcare organizations must ensure they are using and maintaining secure staff messaging systems or platforms that include encryption.

“All providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and Conditions of Participation (CoPs) or Conditions for Coverage (CfCs),” the CMS letter explained.

“It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients,” CMS added.

At the same time, CMS stressed that it does not permit the texting of patient orders by physicians or other healthcare providers, regardless of the platform.

“The practice of texting orders from a provider to a member of the care team is not in compliance” with CoPs or CfCs, the letter stressed.

Rather, CMS’s preferred method of patient order entry is Computerized Provider Order Entry (CPOE).

“CMS has held to the long standing practice that a physician or Licensed Independent Practitioner (LIP) should enter orders into the medical record via a hand written order or via CPOE. An order if entered via CPOE, with an immediate download into the provider’s electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record,” the letter related.

