Photo by Miguel Á. Padriñán
Texting is gaining popularity among businesses, but what pitfalls do you need to avoid when utilizing this great tool to connect with your clients? You might have heard of 10DLC, perhaps PCI-DSS, TCPA or HIPAA compliance is also a concern.
Thankfully, with a little bit of knowledge you can communicate better with clients in a legal and safe manner!
The HIPAA Privacy Rule and Texting
Under certain conditions Texting is HIPAA compliant. Compliance isn't about your texting platform, but rather how you use texting.
Do you need to send or receive protected health information via text?
Often the answer is no, meaning with a client's TCPA consent you can send useful texts like:
- Appointment confirmations, reminders, and schedule appointments
- Care Instructions (Pre/Post-discharge)
- Lab Results
- Updated business hours
- Ask for feedback
- Request a review (on Google or Yelp for example)
An individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations (per US Department of Health and Human Services).
Healthcare providers should accomodate patient requests to communicate over unencrypted means like telephone, fax, e-mail and texting. If the provider feels the patient may not be aware of the possible risks of using unencrypted communication, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue.
Texting clients from a personal device or personal phone number should always be avoided to ensure data security and that staff can reliably reply to clients even when a particular team member is out of office.
How do I ask for Express Consent?
Express Consent is the gold standard under the TCPA for a business to contact a consumer. Simply asking a client via text or email “Mind if we text, email or call you about upcoming offers and appointments?” informs the client of your intent and solicits their express consent.
Retain this date of consent as it forms the legal basis of your TCPA compliance.
What is Person to Person Texting?
This is chatting over SMS or MMS, generally sending a fairly equal number of messages back and forth, below 1 message per second, under 1000 messages per day, contacting under 100 distinct recipents per day, and typically not sending repetitive (or substantially repetitive) messages.
Should I register for Application to Person Texting?
For marketing or bulk messaging purposes registering for Application to Person texting, or using a different class of messaging like Toll Free Texting or Shortcode Texting is neccesary. Obtaining Double Opt-in consent or Express Consent via text is also required for these types of texting.
What if sensitive information is texted to me?
Examples include credit or debit card numbers (a PCI-DSS compliance concern), medical records and similar. Advise the person you are communicating with that the information they sent is sensitive and state you will delete the prior text and they should do the same.
By deleting the text that contains sensitive information, you ensure data security as the sensitive data no longer exists.
What if a client revokes consent?
Clients can respond with the word STOP to a text message, or expresses over email, phone call, text or letter that they are not consenting to further communication. The revocation of consent request needs to be honored within 24 hours of reciept, and you should only send a single confirmation message of the opt-out to the recipient (do not include any promotional material in this message).
Terminology
Telephone Consumer Protection Act (TCPA) – Requires express written consent from the contacted party. Often implemented as a double opt-in, with the second opt-in occuring via text.
Payment Card Industry Data Security Standard (PCI-DSS) – A standard for Payment Card Industry Data Security, guiding those who use credit and debit cards on how to securely handle payment information.
10 Digit Longcode (10DLC) – A registration program run by The Campaign Registry Inc for local phone numbers used by businesses to permit non-conversational (A2P) messaging.
Peer to Peer Messaging (P2P) – Messaging between two people, with nearly the same number of messages going out and coming in.
Application to Person – One way alert messages (Welcome texts, reciepts), Promotional messages (Use x coupon code for 10% off, Happy Hour is extended this Thursday, etc)