In modern dental practice, efficiency is the name of the game. When automated text message reminders can reduce no-show rates by over 30%, it’s tempting to adopt every new digital tool that hits the market.
Rapid technology adoption and strict compliance often require a delicate balance. While tech moves at light speed, federal legislation like HIPAA and state-specific regulations like the California Confidentiality of Medical Information Act move at a more measured pace to protect your practice and your patients.
But don’t worry—your practice doesn’t need to choose between digital advancements and compliance. Here’s what the experts at Abyde, CDA’s Endorsed Services partner for HIPAA compliance, advise to manage your risks.
HIPAA-compliant texts and role of business associate agreement
While sending a quick text from a personal cell phone is convenient, Standard SMS messaging is not inherently HIPAA-compliant. Without additional protections or patient consent, texts may not meet the technical safeguards—such as encryption and access controls—required under the HIPAA Security Rule. To protect individually identifiable health information, your practice must use communication solutions specifically designed for health care.
The Business Associate Agreement is key to mitigating risks in SMS messaging. You must have a signed BAA in place with:
- Any messaging or software provider you use in your practice.
- Any vendor that creates, receives, maintains or transmits protected health information on your behalf.
A BAA ensures the vendor is contractually and legally obligated to protect patient data and acknowledges their direct regulatory accountability to the Office for Civil Rights in the event of a breach.
Even on secure, encrypted platforms, the Minimum Necessary Standard still applies; when sending messages or leaving voicemails, include only the essential details needed for the task, such as an appointment time and date rather than a patient’s full clinical history.
A CDA resource outlines the rules on communicating by phone, text and email and provides sample language to use when patient authorization or consent is required.
Risk assessment should precede adoption of any AI tool
AI is transforming health care integrated into diagnostic imaging, administrative notetaking and more. However, innovation must not outpace oversight. Before onboarding any AI tool, perform a thorough risk assessment:
- Avoid public generative AI: Ensure staff do not input PHI into public versions of tools like ChatGPT. These “open” systems may use your data to train their models, potentially leading to the unauthorized disclosure of private information.
- Prioritize “closed” systems: Only use “Enterprise” or health care-grade AI platforms that offer a BAA and a secure, private data environment.
- The de-identification trap: While HIPAA allows for the use of “de-identified” data, meeting the legal Safe Harbor standard (removing 18 specific identifiers) is complex. Relying on specialized vendors is significantly safer than manual de-identification by staff.
The stakes are particularly high in California. Emerging regulations set strict transparency requirements for the use of generative AI in patient communications. Practices must ensure that any AI-generated clinical communications are clearly disclosed. Specifically, this notice must inform the patient that the message was generated by AI and provide clear instructions on how they can connect with a human health care professional.
Understand what’s next for your dental practice
Technology moves fast, but patient trust is built slowly through consistency and care. Whether you’re sending a simple text reminder or using advanced AI diagnostics, your responsibility to protect patient information remains the same. By embracing innovation with integrity and following the necessary guardrails when handling patient records, your practice will be both efficient and secure.
Looking to modernize your compliance program? Schedule a consultation with an Abyde compliance expert or learn more about solutions available as a benefit of CDA membership.