From intake to billing: 5 tips for safe, successful digital communications with patients

Patients know what service excellence is. In their daily interactions with companies, they’ve come to expect it. It’s reasonable for patients to want and expect their healthcare providers to offer the same level of service by meeting them on their preferred digital communication channels.

Fortunately, there are no rules against communicating with patients digitally. Doing so can greatly improve the patient experience, from appointment scheduling to bill payment. Despite the clear advantages of using text and email, plenty of providers are hesitant to move forward because they’re uncertain about what is or isn’t an acceptable practice.

Compliance is top of mind but entirely manageable

Digital communications between providers and patients are governed by a variety of standards and laws pertaining to data security, patient privacy and debt collection practices. Even if some practices are technically not out of bounds, healthcare providers and their RCM outsourcers should always observe the most stringent rules and requirements to best serve their patients’ interests as well as their own.

American Medical Association (AMA) guidelines

According to the AMA’s Code of Medical Ethics Opinion 2.3.1, text and email can be valuable tools but must be used with great care. The AMA guidelines for electronic communications include but aren’t limited to the following directives:

• Obtain patient consent to both receive digital communications that contain privileged information, and to continue communicating digitally after the patient initiates communication
• Include disclaimers about the limitations of electronic communications (e.g., the privacy and security risks inherent in text and email exchanges)
• Uphold professional standards of confidentiality and protection of patient information as well as clinical standards related to how medical information is presented in these communications

HIPAA requirements

HIPAA allows electronic transmission of protected health information (PHI) — i.e., data related to the patient’s health status, treatment and payment for services — as long as providers apply “reasonable safeguards … to ensure the confidentiality and integrity of data.” For example, providers must avoid using PHI in email subject lines. HIPAA considers any and all combinations of personally identifying data (e.g., last name + city), even if each data point seems harmless on its own, as PHI.

Telephone Consumer Protection Act (TCPA)

The TCPA is a federal law enacted by Congress in an effort to reduce the number of unwanted calls and texts placed to consumers’ and patients’ mobile phones. The law applies to all calling or texting parties, including but not limited to healthcare providers when using an automatic telephone dialing system (ATDS) to place calls, send text messages or leave artificial voice or prerecorded messages on a mobile phone.

The law requires all who call, text or leave artificial voice or prerecorded messages using a subscriber’s mobile phone number to:

• Honor call time restrictions (8 a.m. to 9 p.m. local time or as otherwise provided by state law)
• Regardless of the system used to leave messages, obtain the mobile phone subscriber’s prior express consent to receive artificial voice or recorded messages on the subscriber’s mobile phone  
• Obtain the mobile phone subscriber’s prior express consent if using an ATDS to place calls or texts
• Inform patients that texts and emails they send to the provider may not be secure and to avoid sending confidential or personal information via text
• Avoid making autodialed and other types of calls that would result in a charge to the patient

There are exceptions to TCPA for healthcare providers, but only if the messages are not related in any way to the patient’s financial obligations.

Mastering email and text: 5 keys to happy patients and a healthy revenue cycle

The benefits of communicating with patients over their preferred channels far outweigh the compliance risks — assuming you understand both the potential and limitations of these channels and have the proper safeguards in place. From the start of the patient’s journey, you can lay a foundation for compliant, helpful communications that serve the needs of both parties.

1. Set clear expectations on your intake form

Security begins with your patient intake form. It’s a tool you can use to document all sorts of information about how you manage patient data as well as to obtain express consent to leave artificial voice or prerecorded messages. This consent is a requirement of the TCPA and your failsafe under HIPAA, even for emails.

In keeping with the letter and spirit of HIPAA and the TCPA, you should include as much detail as is reasonable on your intake form to set clear expectations in writing so you can stay compliant and honor your patients’ wishes. You should make clear you will never share treatment information, but that you do have the right under HIPAA to use debt collectors and to share the patient’s contact information and other information minimally necessary to recover medical debt.

2. Understand the limits of texting

Texting is great for appointment reminders, payment reminders and a text-to-pay option. But under no circumstances should sensitive health or financial information be exchanged via text message. The HIPAA Security Rule requires that patient data in transit or at rest must be encrypted via end-to-end (E2E) encryption, but neither Android phone SMS nor Apple iMessage meet HIPAA’s security standards.

Texting is best used to direct patients to your portal, which is the most secure channel for your patients to interact with you and manage their account. On your intake form, explain to patients you’ll use texting “for the following limited purposes” and ask them to avoid sending you sensitive health-related texts. If patients text you PHI, it’s your legal obligation to encrypt and protect it.

3. Consider the patient experience carefully

To drive patient loyalty, encourage timely bill payment, and ensure you’re adhering to industry guidelines and regulations, be sure to observe the following practices.

• Stay on top of patient preferences — Always have an opt-out option, and make sure your system is set up to manage consent and revocation of consent. Only use contact information patients have provided to you (and avoid using work mobile numbers or work email addresses that could endanger patient privacy).
• Get the content and cadence right — Identify yourself clearly, use as few characters as possible, let patients know whether/how they can reply and don’t bombard them with frequent or mass text messages.
• Ensure proper delivery — Your communications platform should inform you when an email or text bounces back, since you’ll need to be sure appointment and payment reminders, for example, are delivered in time. If your debt collection agency wants to substitute digital delivery of required documents to patients, as opposed to uploading them to the portal, E-Sign requirements will apply.

4. Where TCPA gives leeway, err on the side of HIPAA

With the recent U.S. Supreme Court decision in Facebook, Inc. v. Duguid, express consent to text is no longer required under the TCPA if you use a communications platform that lacks the capacity to generate a random or sequential number. You could survive a class-action lawsuit against the hospital if you or your outsourcer takes advantage of this loophole, but it’s never a good idea to ignore HIPAA requirements against transmitting patient data without express consent.

5. Align with your outsourcers to ensure compliant, patient-friendly practices

To the patient, your outsourcer is an extension of your organization. How your outsourcer engages with patients digitally should be a top concern, as it directly affects patient satisfaction, the health of your revenue cycle and your litigation risk.

There should be no daylight between you and your outsourcer, and no room for assumptions or subjective interpretations. Make sure there is absolute clarity and agreement on your standards and expectations as well as the outsourcer’s procedures. Given what’s at stake, you need to be confident your RCM partner is communicating properly and delivering a convenient, hassle-free billing experience.

Hospitals, health systems and RCM outsourcers across the U.S. are improving revenue cycle efficiency, productivity and performance with ease — without disrupting their EHR setup or workflows. Click here to learn more.