Is your doctor or pharmacist using text messaging to send you appointment reminders, or to tell you your prescription needs to be refilled? If you haven’t seen this yet, chances are you will soon – but you may be wondering, why didn’t this happen even sooner? Doesn’t everyone communicate simple messages by text now? Perhaps you remember the Cingular wireless commercials that brilliantly illustrated how rapidly texts had become popular: the first one had a young girl saying, “IDK, my BFF Jill,” (no relation, BTW), and the second showed cross-generation appeal with a grandmother texting her BFF Rose. That was nearly ten years ago. Why are doctors and pharmacists just now catching this trend?

Health care providers of all types have had an interest in using text for a long time, but to get there they’ve had to deal with a remarkably robust barrier – the HIPAA Security Rule. I’ll say more about that in the body of the post but here’s the main message: Before adopting a text messaging policy, a health care provider must conduct a security risk analysis, and determine and document how to address any security issues identified. This is an unskippable step that I will probably repeat about 12 times. It’s that important.

So what does this mean for the groups I primarily work with – North Carolina’s local public health agencies? They have an interest in using text messaging in a couple of different ways. They share the interests of health care providers in communicating simple messages such as appointment reminders to patients. To do that, they need to contend with HIPAA. But the agencies also recognize that text messaging can be an effective way to communicate public health messages to members of the general public who are not their patients. This raises additional legal issues, primarily related to public records access and retention.

Over the last few months, I’ve been working with the North Carolina Association of Local Health Directors to develop a draft template policy for text messaging for their agencies. The draft template was vetted by an Association committee and presented to the Association at its monthly meeting in December. This post describes the draft template and the legal issues that were taken into account in developing it.

The Draft Template Policy

Before getting into the details, I want to emphasize that the template policy really is a draft. Although the document has been reviewed by three North Carolina attorneys and a risk manager as well as local health directors, I would never assume we’ve thought of everything and fully expect additional thoughtful input as health directors take the document back to their staffs and their local attorneys, so there will likely be revisions (which I’ll note in an update to this post).

The draft is based on a template policy developed by the Northwest Center for Public Health Practice  in Seattle, with modifications to address North Carolina-specific legal issues and practice interests.

Now for the details. I’m not going to follow the order these issues appear in the draft, so I’ll cite to section numbers to help you match the discussion to the draft template policy.

Two Categories of Text Messages

In section 1, the draft template policy identifies two categories of text messages that a North Carolina local public health agency may wish to send:

1. Public health messages sent to members of the public who sign up to receive the messages. A wide range of messages could fall into this category: a reminder that it is flu season and locations of flu shot clinics, information about healthy eating, smoking cessation tips, announcement of a community health fair – you can probably think of others.
2. Appointment reminders sent to local health department clients. This is a very narrow category that is exactly what it sounds like – a message sent to a particular patient to remind the patient that he or she has an appointment or needs to schedule an appointment.

This division is very important because the legal issues are different for the two categories of messages. The two main issues of concern are HIPAA and North Carolina’s public records laws.

HIPAA applies only to messages that contain protected health information (PHI), defined as individually identifiable information that relates to health status or condition, provision of health care, or payment for the provision of health care. An appointment reminder is individually identifiable and relates to the provision of health care, so a text message with that information is PHI and HIPAA applies. However, because it contains PHI, a text with an appointment reminder is not a public record for purposes of G.S. Chapter 132. (See G.S. 130A-12, excepting health department records that contain PHI from public access.)

In contrast, public health messages to the general public should never contain PHI, so HIPAA does not apply. But because they don’t contain PHI, text messages in this category are public records for purposes of G.S. Chapter 132, which means the public’s right of access to the records applies.

A third legal issue that applies to both types of message is records retention. In an attempt to keep this post manageable, I’m going to mostly punt and just say these messages are subject to records retention requirements, including the state’s records retention schedule for local health departments that is available here. (See also Draft Template Section 4.1.4.)

Appointment Reminders – HIPAA Applies (Draft Template Section 4.3)

What does it mean to say HIPAA applies to text messages containing appointment reminders? Often when I discuss HIPAA with health departments or their attorneys, we are focused on the Privacy Rule – the federal regulation that protects patient confidentiality by establishing rules for how PHI may be used or disclosed. However, with text messages, the main HIPAA concern is the Security Rule – the federal regulation that requires HIPAA-covered entities to protect the security and integrity of electronic protected health information (ePHI). Text messages are electronic, so if they contain PHI—as text messages with appointment reminders do—they are ePHI and subject to the Security Rule.

There’s a lot to the HIPAA Security Rule, but for purposes of this post the most important message is, again: Before adopting a text messaging policy, conduct a security risk analysis. (Draft Template Section 4.3.1).

How do you do that? First of all, each HIPAA-covered entity should have conducted an initial security risk assessment before the Security Rule became effective in 2005. Since then, each covered entity has had an obligation to conduct ongoing security risk analyses. Emerging best practice appears to be to conduct a security risk analysis annually, or sooner if a new mode of maintaining or transmitting ePHI (such as text messaging) is undertaken.

In brief, a security risk analysis identifies where and how an entity acquires, creates, or maintains ePHI; assesses the entity’s current security measures; identifies threats to the security of ePHI; and determines the likelihood of threats occurring. The entity must document its findings and use them to develop administrative, technical, and physical safeguards for protecting ePHI. There are a couple of tools to help local public health agencies with this process:

• Federal guidance on conducting a security risk analysis is available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html.
• A free HHS-developed tool for conducting the analysis is available for download at https://www.healthit.gov/providers-professionals/security-risk-assessment.

Public Health Text Messages – HIPAA Doesn’t Apply, But Public Records Access Does (Draft Template Section 4.2)

The second category of text messages a local public health agency may wish to send are public health messages that members of the general public subscribe to receive. The draft template policy prohibits including PHI in text messages that fall into this category. HIPAA does not apply to these messages so long as the messages do not contain PHI. I emphasize this because crafting a message that completely excludes PHI may be more difficult than initially imagined, but it can and must be done. The Northwest Center for Public Health Practice in Seattle has been a national leader in developing programs for public health text messaging – its on-line toolkit includes a lot of excellent information about how to craft messages that meet public health goals as well as legal requirements.

In North Carolina, messages in this category are public records for purposes of G.S. Chapter 132, which means that access to them must be provided on request.

Applicability of the Policy (Draft Template Section 2)

The draft template policy requires each agency to determine locally which of its divisions or programs will be subject to the policy. There are a number of different types of local public health agencies in North Carolina with a varied mix of programming, which makes this local determination essential. Note that consolidated human services agencies should not extend the policy to non-public health programs without consulting an attorney. The draft template policy does not take into account confidentiality or other laws that may apply to social services or other programs that may be part of a consolidated agency.

Other Issues

The draft template policy also addresses a number of other issues, including:

• Procedures for opting in to receive text messages (Draft Template Policy Sections 4.2.1 and 4.3.2): No client or member of the general public should be added to a text messaging program unless he or she opts in. The opt-in process should advise the person that a cellular service provider may impose charges for text messages, and it should provide information about how to unsubscribe from messages if the person no longer wishes to receive them.
• Policies for responding to text messages received from clients or the public (Draft Template Policy Section 4.4): An agency that creates a text messaging program should anticipate that if the texting technology that is used allows people to send text messages back to the agency, that will happen. There is a risk that such messages may include PHI that the agency didn’t ask for but nevertheless must protect once it is received.
• The template also refers to internal policies for approving text messaging programs, approving devices or technologies to be used, training staff in policies, and other administrative matters (Draft Template Policy Section 4.1).

Conclusion and Request for Comments 

The draft template policy described in this document provides a starting point for local public health agencies in North Carolina who want to use text messaging for appointment reminders, for general public health messages, or for both. The policy does not address other uses of texting by local public health agencies. If an agency wishes to use texting for other purposes, it is very important to determine whether the proposed purpose will involve PHI. If it does, before approving the new texting use, the agency must revisit its security risk analysis and ensure that the ePHI can be protected in accordance with the HIPAA Security Rule requirements. Other uses of texting that do not involve PHI do not implicate HIPAA concerns, but public records law and records retention requirements must be kept in mind.

In addition to the resources linked above, you can find more information about technology and HIPAA on the federal website, healthIT.gov.

I welcome comments on the draft template policy, especially from local public health agencies and the attorneys who represent them. You may provide a comment below or reach me directly by email at moore@sog.unc.edu.