Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

Can’t Text Your Doctor? Blame the Health Privacy Law

Feb. 4, 2020, 10:45 AM

Virtual check-ins between doctors and sick patients would save time and money, but slashing the regulatory red tape has been no small order in health care.

The health technology industry wants to make it easier for patients to text with their providers for routine services. However, there’s one federal hurdle in the way: the Health Insurance Portability and Accountability Act (HIPAA).

The medical world pitches texting as convenient for patients and doctors and a way to boost the quality of care provided at little cost. But making that happen is a little harder than hitting send. The health privacy law means telephone providers would be roped in, requiring them to take steps to ensure that any patient data sent via text message is protected.

“Patients can’t always text physicians because AT&T and other phone companies don’t have HIPAA in place, so our model brings you into this secure chat room,” said Bryan Fine, CEO of Norfolk, Va.-based Percentric, which offers HIPAA-compliant communications outside of the doctor’s office.

“Just a tincture of common sense on this HIPAA conversation, to me, is reasonable, and I think it’s going to need to be a part of the solution going forward,” he said.

Telemedicine companies and physician groups have urged the Department of Health and Human Services to weigh in on how doctors and patients could legally text one another under HIPAA.

An HHS spokeswoman said the agency plans to offer guidance on text messaging and HIPAA, but didn’t provide further details.

Protecting Patient Data

Texting in health care requires a balancing act between federal regulators who need to protect patient data and those same patients demanding that access to their doctors evolve with technology.

More than 41 million people were impacted by health records breaches in 2019, the highest number in the last four years, according to the HHS’ Office for Civil Rights.

Texting patient information among members of the health-care team is allowed if it is sent through a secure platform, according to the Centers for Medicare & Medicaid Services. Sending information electronically through a computer is the preferred method for now.

HIPAA only covers data collected by health-care providers, health plans, and clearinghouse billing systems in the industry. But those requirements extend to business associates, which could include phone companies if they handle sensitive information.

The HHS issued a request for information in 2018 for the health-care industry to share how HIPAA slows progress to value-based health care. It received nearly 1,500 comments.

The American Medical Association believes creating guidance around texting would ease nerves in the medical industry.

Keeping Up With Technology

Patients demand doctors keep up with 21st Century technology, but health-care companies are hesitant because HIPAA violations can be severe.

“If I make any mistakes at all, my whole life is going to get ruined and my business is going to get destroyed,” Fine said.

Text messages aren’t encrypted or protected, so using them to send sensitive patient data violates HIPAA. Another risk is that patients may change their phone numbers without updating their physicians. That incurs the risk of sending personal information to the wrong recipient.

“Telephone numbers can be reassigned in ways that e-mail addresses typically are not,” Kevin Coy, a partner and co-chair of the privacy and consumer regulatory practice at Arnall Golden Gregory LLP, said.

Another hurdle would be getting phone carriers on board with business associate agreements under HIPAA.

“Access controls are very important as well because you never know who is looking at the phones, so providers would need a protocol to ensure they are texting the right person and complying with rules regarding the ‘minimum necessary,’ which means that only the bare minimum amount of protected health information should be included in texts,” said Sarah Weatherhead, general counsel of Maven Clinic, a New York-based telehealth startup that provides health-care services to parents and families.

Despite the risks, medicine is still moving in a direction where text communication will be necessary, according to Fine.

“There needs to be a way to allow patients and doctors to innovate and make some choices together so that the common themes and threads around HIPAA aren’t so frightening,” Fine said.

“HIPAA as it stands now, is something that is stifling. There’s always going to be a crack that someone will fall through,” he said. “How can telehealth companies help the most people without being so frightened of being an outlier or crack faller?”

To contact the reporter on this story: Ayanna Alexander in Washington at

To contact the editors responsible for this story: Fawn Johnson at; Andrew Childers at