4 Rules For Sending HIPAA-compliant Text Message Appointment Reminders

by John Deutsch - Bridge Patient Portal

SMS text messages can be one of the best ways to remind patients of an upcoming appointment. Proven benefits include a reduction in missed appointments[¹], convenience, and the potential to improve patient satisfaction. But you must comply with HIPAA laws to avoid fines and potential damage to your reputation. 

When automating HIPAA-compliant appointment reminders, several measures protect the security of patient data. In this article we outline the four rules recommended to ensure HIPAA compliance for both the patient and the provider:

Ask For Permission  

Express written consent is required to prove the patient has agreed to receive texts, which is commonly requested through online form submissions and text message replies. Ensure that your Notice of Privacy Practices (NPP) is easy to understand and updated with information about how a patient can opt in and out of receiving appointment reminders via SMS. Because many people do not read the NPP, it is recommended to show an additional opt-out elsewhere online, to safeguard the patient’s privacy and your legal compliance. Even after consent, patients should be regularly prompted to verify their contact information in the patient portal.

Control Access

HIPAA requires that patients be warned in writing about the risk of unauthorized access to their Protected Health Information (PHI) when it is sent by text message. Healthcare organizations should avoid sending PHI in text message appointment reminders and should provide any PHI through a patient portal instead. The following steps should be taken to control access to PHI:

  • Unique user ID. When accessing a system that contains PHI and lets users send and receive messages, all authorized users should have a unique identification.

  • Multi-factor authentication. In addition to a username and password, another layer of verification for authorized users should be required, such as a one-time password (sent via email, SMS, or mobile app) or a biometric check such as fingerprint or facial recognition.

  • Emergency access protocol. Define in what types of emergency situations immediate access to PHI is required and who should have access.

  • Automatic logoff. Users must be logged out of any platform containing PHI after a specified period of inactivity.

  • Secure messages. To curb unauthorized access to PHI, HIPAA-compliant text messages must be encrypted.

Limit Content

Exclude any information in the message that could give away specific health information like conditions, treatments, or results. Any information that the patient has not specifically authorized for inclusion via text message will be considered a violation of HIPAA[²].

Generic reminders should include only relevant information, such as:

  • Date and time of the appointment

  • First and last name of the provider

  • Appointment location 

When patients need access to PHI they should be provided a link to log into a patient portal.
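As an added example (not code from the article or from Bridge Patient Portal), the following Python sketch enforces the consent rule from "Ask For Permission" and the content allowlist from this section before a reminder goes out: it refuses to build a message without active opt-in consent, rejects any appointment field beyond the date/time, provider name, location and portal link, and records an opt-out when the patient replies. The reply keywords and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Only these fields may appear in a generic reminder (the article's "Limit Content" rule).
ALLOWED_FIELDS = {"appointment_time", "provider_name", "location", "portal_url"}
# Reply keywords are an assumption for this example; follow your SMS vendor's conventions.
REPLY_ACTIONS = {"STOP": "opt_out", "C": "confirm", "X": "cancel", "R": "reschedule"}

@dataclass
class Patient:
    phone: str
    sms_consent: bool        # express written consent on file (web form or text reply)
    opted_out: bool = False  # set when the patient opts out via the NPP channel or a reply

class ReminderPolicyError(Exception):
    """Raised when sending would violate the consent or content rules."""

def policy_violations(patient: Patient, appointment: dict) -> list:
    """Return every reason this reminder must not be sent (empty list means it may go out)."""
    problems = []
    if not patient.sms_consent or patient.opted_out:
        problems.append("no active SMS consent")
    extra = set(appointment) - ALLOWED_FIELDS
    if extra:  # diagnosis, results, medications etc. belong in the portal, never in the SMS
        problems.append(f"fields not permitted in SMS: {sorted(extra)}")
    return problems

def build_reminder(patient: Patient, appointment: dict) -> str:
    """Compose the SMS text, or raise if the consent/content policy is not met."""
    problems = policy_violations(patient, appointment)
    if problems:
        raise ReminderPolicyError("; ".join(problems))
    when = appointment["appointment_time"].strftime("%a %b %d, %Y at %I:%M %p")
    return (f"Reminder: appointment {when} with {appointment['provider_name']} at "
            f"{appointment['location']}. Sign in for details: {appointment['portal_url']}. "
            "Reply STOP to opt out.")

def handle_reply(patient: Patient, text: str) -> str:
    """Map a reply to an action; STOP records the opt-out so no further texts go out."""
    action = REPLY_ACTIONS.get(text.strip().upper(), "unknown")
    if action == "opt_out":
        patient.opted_out = True
    return action

def sample_appointment() -> dict:
    """Constructed sample data (not real patient information)."""
    return {"appointment_time": datetime(2024, 3, 14, 9, 30), "provider_name": "Dr. Ana Silva",
            "location": "Main St Clinic, Suite 200", "portal_url": "https://portal.example/login"}
```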

Use HIPAA-Compliant Appointment Reminder Software

Leveraging a platform that automates sending HIPAA-compliant appointment reminders can provide a great deal of efficiency. Here are the key features to look for when evaluating software:

  • HIPAA Compliance. All PHI is secured in a HIPAA-compliant patient portal.

  • Message Customization. Providers can send mass communications as well as customized messages.

  • Response Options. Patients should be given the option to confirm, cancel or reschedule an appointment by replying to the received message. 

  • Multilingual. All messages are available in English and other languages based on your patient population.

  • Push Notifications. Alerts and reminders can be sent to patients on their mobile devices.

  • Integration with EHR and PM Systems. Through API integrations, appointment data can be directly pulled from accredited EHR and PM systems, such as Greenway Health™, Centricity™, and NextGen®.

  • Triggered Notifications. Specific custom notifications can be triggered for different types of appointments.

Following these guidelines will help minimize the risk of data breaches or inadvertently violating a patient’s right to privacy.  


About the Author

John Deutsch

John is CEO of Bridge Patient Portal with 20 years of healthcare IT business ownership experience specializing in patient engagement, marketing, and software development.

Connect with John on LinkedIn

Check out Bridge's recent webinar with FQHC Connect where they talked about Taking Patient Engagement to the Next Level with Telehealth, Mobile, & Other Patient Engagement Initiatives.


About Bridge Patient Portal

Bridge is an enterprise patient portal and patient engagement solution for healthcare organizations. The platform is ideal for health centers seeking to replace their existing EHR’s patient portal, connect disparate EHR environments, consolidate costly patient engagement tools, offer telemedicine services, and/or publish a mobile app.

Bridge is a community sponsor of FQHC Connect and has a number of FQHCs using their platform. They are constantly seeking to improve their technology and collaborate with FQHCs to find new and creative ways to advance patient engagement in FQHCs.

Learn more at www.bridgepatientportal.com.


Article Sources:

  1. Glauser, W. (2020). How can doctors reduce no-shows? [online] Canadian Medical Association Journal. Available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7012625/

  2. Maheu. (2020). Appointment Reminder: HIPAA Rule Adds Additional Requirements For Patient Privacy. [online] Telehealth.org | Professional Training & Consultation. Available at: https://telehealth.org/patient-appointment-reminders/