Texting with Patients: How to Do It Safely and Effectively


Have you ever said…
“If only I had someone to ask!”

Each month, we tackle real questions from clinic managers, healthcare providers, and privacy officers inside Practice Management Success.

This month’s question:

Can you text your patients?

The short answer is:
Yes.

The better answer is:
Yes—but only if you do it thoughtfully, with the right safeguards in place.

Why This Matters

Texting is no longer “new.”

Patients expect it.
Staff rely on it.
And many EMRs now offer built-in messaging tools.

But here’s the problem:

👉 Texting is not always a secure communication method.

It’s difficult to:

  • Confirm who is sending or receiving the message
  • Control where the message is stored
  • Prevent miscommunication or disclosure

That means one quick message can turn into a privacy breach or medical error.

Start With Purpose (Not Technology)

Before you implement texting, ask:

Why do we want to use it?

Common reasons include:

  • Appointment reminders
  • Scheduling changes
  • Improving patient access
  • Reducing phone volume

These are all valid—but they are not all equal in risk.

From the Patient to the Clinic

Some clinics allow patients to text:

  • Appointment requests
  • Questions about care
  • Follow-ups

In some cases—especially remote or higher-risk populations—this may improve access to care.

But you must weigh this carefully.

👉 Sometimes the risk of not communicating is greater than the risk of using an unsecured method.

This is where your professional judgment—and policies—matter most.

What Are the Risks?

As the custodian, you assume the risk of using unsecured communication.

So your job is to:

  • Define acceptable use
  • Set clear boundaries
  • Train your team
  • Communicate expectations to patients

One of the most practical ways to do this?

👉 Create scenarios

  • When is texting appropriate?
  • When is it not?
  • What should staff do instead?

Document these decisions as part of your implementation plan.

Workflow Matters More Than You Think

If a patient texts your clinic—what happens next?

You need clear answers to:

  • Who receives the message?
  • On what device?
  • How is it verified?
  • How is it documented in the patient record?

If it’s not documented, it didn’t happen.

From the Clinic to the Patient

This is where most clinics start—and where risk is easier to manage.

Best use cases:

  • Appointment reminders
  • Basic instructions
  • Non-sensitive communication

Higher-risk uses:

  • Test results
  • Clinical advice
  • Sensitive health information

👉 Keep texting administrative, not clinical, unless you have a secure solution.

Consent and Patient Understanding

Patients must understand:

  • How texting works in your clinic
  • The risks to their privacy
  • Their role in protecting their information

This includes:

  • Using a personal phone (not shared or work devices)
  • Keeping their phone secure
  • Updating their contact information

Consent is not just a form—it’s a conversation and an agreement.

Use the Right Technology

Whenever possible:

  • Use EMR-integrated messaging
  • Avoid personal devices
  • Implement role-based access
  • Enable audit logs
  • Use multi-factor authentication (MFA)

These tools help you:

  • Maintain control of patient information
  • Improve workflow
  • Reduce manual documentation

Don’t Skip the PIA

Before you implement texting or email communication:

👉 Complete or update your Privacy Impact Assessment (PIA)

This doesn’t have to be overwhelming—but it is essential.

Your PIA should describe:

  • What you are implementing
  • How information flows
  • Risks and mitigation strategies
  • Policies and procedures

Practical Take-Aways

If you’re thinking about texting patients:

  • Start with low-risk uses (appointment reminders)
  • Use approved systems—not personal phones
  • Define clear rules and workflows
  • Train your team using real scenarios
  • Document everything
  • Review and adjust regularly

Want Help Getting Started?

If you want to go deeper, I’ve created tools to help you implement this safely:

✔ Sample texting authorization forms
✔ Step-by-step procedures
✔ Training resources for your team
✔ PIA guidance and templates

👉 Download the FREE report:
Can You Use Text Messaging with Patients?

👉 Get ongoing support:
Practice Management Success Membership

👉 Join me live:
Q&A with Jean – 2nd Tuesday of each month at 12 noon MT

Final Thought

Texting can absolutely improve access, efficiency, and patient satisfaction.

But it must be done with intention.

Because when it comes to privacy:

When we know better—we can do better.

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security, especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Privacy Breach Nugget: Why Documentation Matters in Privacy Breach Investigations

Investigation Tips Following the NWT Health Authority Incident

When employees make mistakes that result in a privacy breach, the custodian is held responsible to ensure that appropriate investigations are performed. This includes appropriate documentation of the privacy breach incident and sanctions when indicated.

The NWT Information and Privacy Commissioner (IPC) opened an investigation into the Northwest Territories Health and Social Services Authority (NTHSSA) after a reported privacy breach in 2024. This review aimed to assess whether the health authority had adequate safeguards in place to investigate and prevent similar future incidents.

Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into what went wrong, what worked, and how you can apply these insights to strengthen your privacy program.

What Happened

In April 2024, a patient filed a complaint with the nurse-in-charge at a health centre in the Northwest Territories. The complaint alleged that a clerk had inappropriately shared the patient’s personal health information with a family member during a casual conversation.

The nurse-in-charge apologized to the patient and escalated the issue to the regional manager. The clerk denied disclosing the health information, but the health authority concluded the incident had indeed occurred.

The Commissioner emphasized that there was no ill intent, stating:

“The interaction between the clerk and the sister was spontaneous and indicates a simple lapse in judgment.”

Managing the Breach

The NTHSSA’s management of the privacy breach can be examined using the 4 Step Response Plan.

Step 1 – Spot and Stop

The privacy breach was identified by the patient, reported to the nurse-in-charge, and escalated to the regional manager.

Step 2 – Investigate

An investigation was initiated. While the clerk denied the allegation, the health authority determined a breach had occurred.

However, the Commissioner noted a serious concern: the investigation was poorly documented. If notes were taken, they could not be located or produced during the review.

Step 3 – Notify

The patient and NTHSSA (the custodian) were aware of the breach. No further notification was required.

Step 4 – Prevent the Breach from Happening Again

The health authority directed the clerk to:

  • Complete updated privacy training
  • Review the oath of office
  • Review patient confidentiality policies

No further disciplinary action was taken.

Commissioner’s Investigation

The IPC made several key recommendations:

  • Equip investigators: Ensure staff who investigate privacy breaches are properly trained and supported to conduct effective, timely, and well-documented investigations.
  • Enforce sanctions: Ensure managers understand the range of disciplinary options available and are aware of their obligation to apply reasonable disciplinary measures when warranted.
  • Annual privacy training: Reinforce the Mandatory Training Policy by ensuring all employees complete refresher privacy training every year.
  • Use real examples: Incorporate this privacy breach as a case study in future privacy training to help employees understand their obligations—at work and outside of work.

Take-Aways

Annual privacy training is not enough.

Training must include real-world, job-relevant examples and emphasize how privacy rules apply in everyday situations.

When employees make mistakes, it’s the custodian’s responsibility to lead an appropriate and well-documented investigation—not just revisit outdated training.

A strong privacy culture includes tools, training, and clarity. Equip your investigators, privacy officers, and managers with the skills they need to respond appropriately.

For more on how to manage privacy-related employee errors, listen to the podcast:

Managing Employees When They Make Mistakes – Episode #105

Need Help Training Your Privacy Team?

Ask me about Practical Privacy Officer Strategies training to strengthen your internal investigation process and build a more resilient workplace.

Reference

NWT IPC File Number: 24-950-6 on April 4, 2025. Northwest Territories Health and Social Services Authority (Re), 2025 NTIPC 97 (CanLII), <https://canlii.ca/t/kc0s6>, retrieved on 2025-06-09
