Are Appointment Reminders HIPAA Compliant?

Posted by Matt Hodson (Updated: Wednesday, November 20, 2019)


Appointment reminders are essential for doctor’s offices. They reduce the odds that patients miss their appointments, something that adversely impacts patient health while hurting the doctor’s income. Appointment reminders also reduce the odds that patients arrive late or at the wrong location, mistakes that interfere with the smooth operation of the business. This means your practice cannot afford to skip appointment reminders. Yet you can easily run afoul of patient privacy laws if you put too much information in them.


Why HIPAA Compliance Is a Necessity in Digital Communications

HIPAA compliance is a necessity for medical practices. Penalties for noncompliance range from $100 to $50,000 per violation or recorded event. You don’t want to risk thousands of appointment reminders each drawing a $100 penalty until you hit the $1.5 million annual maximum fine.


The Essential Pieces to a Proper Medical Appointment Reminder

Whether your medical appointment reminders are sent via email or SMS, they must contain certain information to be of value to the patient and your office. They must include the date and time of the appointment. They must identify your office in some way so that patients don’t confuse the message with a reminder from someone else. The message might reference the doctor by name or name the medical facility. If the appointment is for a child, the appointment reminder should be sent to the parent and reference the child by name.


What Information Must Be Left Out of the Appointment Reminder

An SMS or email message isn’t private. A text message could be read by someone snooping on another person’s phone, and messages remain in the phone’s history until deleted. Phones can be lost or stolen. Emails can be hacked, read by others or accidentally forwarded. Furthermore, all of these digital communications remain on the servers of the services that handle the message as it travels from your system to the end user’s device. This is why even a message that does reach the right recipient cannot be considered secure. So how do you provide the essential information in the appointment reminder without violating HIPAA?

In general, the appointment reminder template should give a date, a time and the doctor’s name. Decide whether it is necessary to give the exact address of the facility, since that could be used by others to determine where the patient is going or the type of care they are receiving. If the location information is sensitive, you might refer to the office by a general location rather than its street address, while still giving patients enough information to look up the address if they need it.

You may not want to give the name of the patient in the reminder if the care is considered embarrassing or sensitive. For example, reminding parents to bring in a baby for vaccinations can include the relevant child’s name, but a reminder for a scheduled STD treatment probably shouldn’t. A good compromise is referring to the patient by their initials.

Never include information about the patient’s diagnosis or treatment plan in digital communications with them. You can send a generic notice that their prescription is ready or that they need to see the doctor to get their prescription renewed.

Never send patients test results via emails or texts. Instead, you can inform them that the results are available at the medical firm’s patient portal along with the link. Access to the data is then maintained via the patient portal. If someone gets the message, they can’t access sensitive patient data without the person’s login credentials. Note that this is the best way to handle requests for payment as well. Don’t send them an invoice via a link, since some will be afraid it is a phishing attack. Instead, send them an email or text requesting payment while prompting them to log in to your secure portal. This has the side benefit of maintaining HIPAA compliance since you aren’t sending an insecure email demanding they pay X dollars for their treatment for Y.

The appointment reminder app or service has to be built with information security and patient privacy in mind. It doesn’t matter what message format you use if the reminder app doesn’t encrypt data at rest and in transit, and bear in mind that this protection does not extend to the SMS and email messages it sends out. SSL should be used for all communications. The system itself should be hardened. For example, it should be locked down and should lock accounts after repeated failed login attempts. The system should only be maintained by those who are trained in HIPAA compliance and have undergone appropriate background checks.


How to Maximize the Value of Appointment Reminders

Send appointment reminders 48 to 96 hours in advance. This reminds patients of the appointment far enough in advance that they’ll remember it by the time it rolls around. You can improve engagement with the message and verify the message was received by sending a text or email asking them to confirm the appointment rather than just sending the basic information about the appointment.

Ensure that they receive the appointment reminder with sufficient notice that they can cancel the appointment without penalty. This benefits the medical office in several ways. Patients can reschedule rather than miss an appointment, so they receive better service. Your office is able to fit other, last-minute patients into the cancelled slots. This not only improves cash flow for the practice but the service received by these patients since you aren’t over-booking the practice to try to accommodate them.

You can send follow-up messages to patients who cancelled an appointment, prompting them to reschedule. This maintains the level of care for the patient and shows that you care about them. General reminders to schedule an annual exam or well-check will generate a steady stream of business for your practice as well.


Respecting Patient Wishes

Remember that healthcare providers must comply with reasonable requests regarding reminders. If someone wishes to opt out of text message reminders for appointments, you’re obligated to honor that request. You should give them another channel such as email or phone calls. Note that phone calls are subject to the same restrictions as text messages and emails. Your business may not be required to offer a secondary or tertiary reminder option if someone opts out of both text messages and emails. For example, you don’t have to call the patient to remind them if you don’t provide this service to other patients.

You should only send messages to the email address or phone number that the patient authorized for that purpose. You could violate their privacy rights by sending appointment reminders to a work email account or an emergency contact’s cell phone number. On the other hand, sending a minimal appointment reminder never violates their privacy, since an appointment reminder is considered an extension of the care they’ve already scheduled.
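The two rules above, keep the reminder to the minimum fields and send it only to a channel the patient authorized and did not opt out of, can be enforced in code rather than left to whoever edits the template. The following is an added example written for this article; it is not Remelo’s code, and the record layout, placeholder names, channel preference order and sample patient are all constructed for illustration. Any template that references a field outside a short allow-list (diagnosis, treatment, address, and so on) is rejected before a message can be built, sensitive visits are addressed by initials, and the channel chooser skips anything the patient has opted out of.

```python
"""Data-minimised appointment reminders (added example, not Remelo's code).

Everything here is an assumption made for illustration: the Patient and
Appointment records, the allowed placeholders and the channel order.
"""
from dataclasses import dataclass
from datetime import datetime
from string import Formatter
from typing import Optional, Tuple

# The only placeholders a reminder template may use. Diagnosis, treatment
# plan, test results and the street address are deliberately not listed.
ALLOWED_FIELDS = {"patient", "date", "time", "provider", "office", "portal_url"}

# Channels tried in order of preference (constructed ordering).
CHANNEL_PREFERENCE = ("sms", "email", "phone")

PORTAL_URL = "https://portal.example/login"  # placeholder, not a real portal


@dataclass(frozen=True)
class Patient:
    first_name: str
    last_name: str
    authorised: dict          # channel -> address the patient authorised for reminders
    opted_out: frozenset = frozenset()  # channels the patient declined


@dataclass(frozen=True)
class Appointment:
    patient: Patient
    when: datetime
    provider: str
    office_label: str         # e.g. "our Main Street office", not a full address
    sensitive: bool           # care the patient may not want named on a phone screen
    diagnosis: str            # kept for the chart; must never reach the reminder


def validate_template(template: str) -> list:
    """Return the placeholders in `template` that are not on the allow-list."""
    fields = [name for _, name, _, _ in Formatter().parse(template) if name]
    return sorted(set(fields) - ALLOWED_FIELDS)


def patient_label(patient: Patient, sensitive: bool) -> str:
    """Initials only for sensitive care, first name otherwise."""
    if sensitive:
        return f"{patient.first_name[0]}.{patient.last_name[0]}."
    return patient.first_name


def build_reminder(appt: Appointment, template: str, portal_url: str) -> str:
    """Render a reminder, refusing templates that reference disallowed data."""
    bad = validate_template(template)
    if bad:
        raise ValueError(f"template references disallowed fields: {bad}")
    # Only the allow-listed values are ever handed to the template.
    return template.format(
        patient=patient_label(appt.patient, appt.sensitive),
        date=appt.when.strftime("%A, %B %d"),
        time=appt.when.strftime("%I:%M %p").lstrip("0"),
        provider=appt.provider,
        office=appt.office_label,
        portal_url=portal_url,
    )


def choose_channel(patient: Patient) -> Optional[Tuple[str, str]]:
    """First preferred channel the patient authorised and did not opt out of."""
    for channel in CHANNEL_PREFERENCE:
        if channel in patient.opted_out:
            continue
        address = patient.authorised.get(channel)
        if address:
            return channel, address
    return None  # no authorised channel: do not fall back to an unapproved one


SAMPLE_TEMPLATE = ("Hi {patient}, this is a reminder of your appointment with "
                   "{provider} on {date} at {time} at {office}. Reply C to confirm.")
# A template someone might write without thinking; the validator rejects it.
LEAKY_TEMPLATE = "Hi {patient}, see you {date} for your {diagnosis} follow-up."


def sample_appointment() -> Tuple[Patient, Appointment]:
    """Constructed sample data: a patient who opted out of SMS but allows email."""
    jane = Patient("Jane", "Doe",
                   authorised={"sms": "+15555550100", "email": "jane@example.com"},
                   opted_out=frozenset({"sms"}))
    appt = Appointment(jane, datetime(2019, 11, 22, 14, 30), "Dr. Lee",
                       "our Main Street office", sensitive=True,
                       diagnosis="(chart only, never sent)")
    return jane, appt


def demo() -> Tuple[str, Optional[Tuple[str, str]]]:
    """Build the minimised message and pick the channel for the sample patient."""
    patient, appt = sample_appointment()
    return build_reminder(appt, SAMPLE_TEMPLATE, PORTAL_URL), choose_channel(patient)


if __name__ == "__main__":
    message, channel = demo()
    print(channel, message)
    print("leaky template rejected fields:", validate_template(LEAKY_TEMPLATE))
```

The important design choice is that `build_reminder` never sees the diagnosis or address at all: the template is rendered from a fixed set of safe values, so a leak requires someone to change the allow-list rather than just edit a template. `choose_channel` returns `None` rather than guessing when no authorised channel remains, which is the behaviour the article calls for when a patient has opted out of everything you offer.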

Matt Hodson

Matt is the founder of Remelo. He loves helping small businesses flourish by making them more productive.
