HIPAA Text Messaging – How Compliant is it?


Since so many people use text messaging, healthcare organizations may ask, “Is texting HIPAA compliant? And if so, how can I ensure I’m doing it right?”

Although HIPAA contains no rule written specifically for texting or emailing protected health information (PHI), the HIPAA Security Rule requires covered entities and their business associates to protect electronic PHI against reasonably anticipated threats to its confidentiality, integrity, and availability (§ 164.306(a)). A text message carrying PHI is electronic PHI, so those obligations apply to it.

HIPAA is a federal law that requires healthcare institutions to safeguard a patient’s protected health information (PHI). Its Privacy Rule limits how PHI may be used or disclosed without the patient’s authorization, and its Security Rule sets administrative, physical, and technical safeguards for PHI in electronic form. The government encourages healthcare organizations to adopt voluntary compliance programs, and the Department of Health and Human Services (HHS) publishes HIPAA guidance for hospitals, home health agencies, clinical labs, physicians, and other types of providers. Healthcare providers face many practical challenges in maintaining HIPAA compliance, and messaging is one of the hardest.


HIPAA and Text Messaging

Hospitals, physicians, and other covered entities must enact safeguards to protect the confidentiality of each patient’s PHI. The Security Rule is technology-neutral: the specific controls are left to the discretion of each entity, which must choose measures reasonable and appropriate for its own size, environment, and risks.

Although there are some high-tech solutions that can support HIPAA-compliant texting, some covered entities choose to avoid it altogether. This is simply because it’s safer to discourage activity around HIPAA and text messages, rather than risk having a serious HIPAA breach.

It’s important to keep in mind that HIPAA doesn’t prohibit sending PHI by text. However, an organization that does so must put safeguards in place so that the messages remain private, and must be able to show that it did. In other words, documented policies and technical controls must govern who can access the PHI, what they are authorized to do with it once accessed, and how that activity is recorded.


Challenges of Compliant HIPAA Text Messaging

The Security Rule can present a huge challenge to providers, especially because in many organizations staff use a mix of operating systems and devices. This makes it difficult to maintain visibility over where PHI is stored and control over who can reach it.

Plus, many healthcare workers, including nursing staff, use their personal devices to manage daily workflow tasks. Without a plan for HIPAA-compliant text messaging, the alternative (banning texting outright) can seriously disrupt communication, particularly in large healthcare organizations.


Why HIPAA Text Messaging May be Banned

Many covered entities prefer to prohibit texting PHI altogether. There are a number of reasons for this, including:

  • Lack of access and audit controls. Any app on the phone, and anyone holding the unlocked phone, can read a standard SMS message, and nothing records who read, forwarded, or deleted it.
  • Lack of encryption capability. Standard SMS is not encrypted end to end: copies of each message sit in plaintext on carrier systems and on both handsets. The Security Rule lists encryption as an “addressable” implementation specification (§ 164.312(e)(2)(ii)), meaning an entity must implement it where reasonable and appropriate or document why an equivalent alternative is sufficient; for PHI in transit, encryption is the accepted best practice.

The Security Rule defines access in § 164.304 as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in subpart E of this part [the HIPAA Privacy Rule]).” Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of § 164.308(a)(4), the Information Access Management standard under the Administrative Safeguards section of the Rule.

Access controls are where non-compliance most often shows up in practice. For example, if a mobile device is left unattended, anyone can pick it up and read what is on it. A frequently cited industry figure is that over half (52%) of stolen mobile devices are taken from the workplace. In this scenario, someone could easily read PHI stored on a staff member’s phone and use patient data, such as demographics, for unlawful purposes like identity theft or insurance fraud.

The Security Rule’s audit controls standard (§ 164.312(b)) requires mechanisms that record and examine activity in systems containing electronic PHI. Applied to texting or other electronic communications, that means a record of when PHI is accessed, modified, shared, or deleted, and by whom.

Audit records are what allow an organization, after a device is lost or stolen, to determine what PHI was exposed and whether a reportable breach occurred. Native SMS on a personal device provides no such record: neither the carrier nor the handset logs who opened a message. Organizations that allow workforce members to use personal mobile devices therefore cannot meet the audit controls standard with ordinary texting and must route PHI through an application that keeps those records.


HIPAA and Texting Compliance Solutions

When it comes to HIPAA and text messages, there are mobile data security options that can help providers ensure compliance. Secure messaging platforms create a private communication network within a specific healthcare organization, with safeguards built in, so that only authorized personnel can join. The messaging apps are available for the major mobile operating systems and use a familiar text-like interface, so HIPAA-compliant texting feels much like ordinary texting to the user.

The main difference between a consumer messaging app and a secure messaging app is that only authorized users can sign in to the secure app, and they must authenticate with an issued username and PIN (or stronger credential) at the start of each session. If the device sits idle for a set period, the app logs the user off automatically, the Security Rule’s automatic logoff specification (§ 164.312(a)(2)(iii)). Together these prevent someone who picks up an unattended phone from reading PHI in the secure app, even if the phone itself is unlocked.
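The two safeguards just described, session authentication with automatic logoff and an audit trail of every PHI operation, are simple enough to model directly. The following is an added example written for this article, not code from any vendor’s product; class names, the five-minute timeout, the PBKDF2 PIN storage, and the HMAC-chained log are all illustrative assumptions. The clock is injectable so the idle timeout can be exercised without waiting.

```python
"""Toy secure-messaging server (added example; all names are assumptions).
Shows PIN login, automatic logoff after idle time, sender/recipient-only
access to each message, and a tamper-evident audit log of every event."""
import hashlib
import hmac
import json
import os
import secrets
import time

IDLE_TIMEOUT_SECONDS = 300      # assumption: log off after 5 idle minutes
PIN_HASH_ITERATIONS = 200_000   # PBKDF2 work factor for stored PINs


class AuthError(Exception):
    """Raised when a request carries no valid, unexpired session."""


class SecureMessenger:
    def __init__(self, audit_key: bytes, clock=time.time):
        self._clock = clock            # injectable so tests can advance time
        self._users = {}               # user -> (salt, pbkdf2 digest)
        self._sessions = {}            # token -> [user, last_activity]
        self._messages = {}            # msg_id -> {"from", "to", "body"}
        self._audit = []               # append-only, HMAC-chained records
        self._audit_key = audit_key
        self._prev_mac = b"\x00" * 32  # chain anchor for the first record
        self._next_id = 1

    # ---- enrolment and authentication ----------------------------------
    def enroll(self, user: str, pin: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_HASH_ITERATIONS)
        self._users[user] = (salt, digest)

    def login(self, user: str, pin: str) -> str:
        salt, digest = self._users.get(user, (b"\x00", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_HASH_ITERATIONS)
        if user not in self._users or not hmac.compare_digest(candidate, digest):
            self._record("login_failed", user, None)
            raise AuthError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = [user, self._clock()]
        self._record("login", user, None)
        return token

    def _authorize(self, token: str) -> str:
        """Return the session's user, enforcing the idle timeout."""
        session = self._sessions.get(token)
        if session is None:
            raise AuthError("no session")
        user, last_activity = session
        now = self._clock()
        if now - last_activity > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]          # automatic logoff
            self._record("auto_logoff", user, None)
            raise AuthError("session expired")
        session[1] = now                       # activity resets the idle timer
        return user

    # ---- PHI operations; each one leaves an audit record -----------------
    def send(self, token: str, recipient: str, body: str) -> int:
        user = self._authorize(token)
        msg_id, self._next_id = self._next_id, self._next_id + 1
        self._messages[msg_id] = {"from": user, "to": recipient, "body": body}
        self._record("create", user, msg_id)
        return msg_id

    def read(self, token: str, msg_id: int) -> str:
        user = self._authorize(token)
        msg = self._messages.get(msg_id)
        if msg is None or user not in (msg["from"], msg["to"]):
            self._record("access_denied", user, msg_id)   # minimum necessary
            raise PermissionError("not a party to this message")
        self._record("read", user, msg_id)
        return msg["body"]

    def delete(self, token: str, msg_id: int) -> None:
        user = self._authorize(token)
        msg = self._messages.get(msg_id)
        if msg is None or user != msg["from"]:
            self._record("access_denied", user, msg_id)
            raise PermissionError("only the sender may delete")
        del self._messages[msg_id]
        self._record("delete", user, msg_id)

    # ---- audit trail ------------------------------------------------------
    def _record(self, event: str, user: str, msg_id) -> None:
        entry = {"ts": self._clock(), "event": event, "user": user,
                 "msg_id": msg_id, "prev": self._prev_mac.hex()}
        payload = json.dumps(entry, sort_keys=True).encode()
        mac = hmac.new(self._audit_key, payload, "sha256").digest()
        entry["mac"] = mac.hex()
        self._audit.append(entry)
        self._prev_mac = mac

    def audit_log(self) -> list:
        return list(self._audit)


def verify_audit_log(entries: list, key: bytes) -> bool:
    """Recompute the HMAC chain; an edited, inserted or removed record breaks it."""
    prev = b"\x00" * 32
    for entry in entries:
        if bytes.fromhex(entry["prev"]) != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), "sha256").digest()
        if not hmac.compare_digest(expected, bytes.fromhex(entry["mac"])):
            return False
        prev = expected
    return True
```

The chained MAC is what turns a plain log into an audit control: a reviewer holding the key can prove that no record was altered or dropped after the fact, which is exactly the question an organization must answer after a lost or stolen device. In a real deployment the key would live on the server, not on the handset, and the log would be shipped off the device.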

Sending PHI to a patient by ordinary SMS is permitted only when the patient has asked for it and the covered entity has informed the patient of the risk of unauthorized disclosure that comes with unencrypted text messaging. The patient must acknowledge that risk and consent to receiving text messages, and both the warning and the consent must be documented in the patient’s record. Even then, messages should carry only the minimum PHI the patient agreed to receive.

For workforce messaging, the covered entity must employ a solution (such as a HIPAA-compliant messaging app) that provides the required controls (encryption, authentication, automatic logoff, and audit logging). When using these apps, the covered entity must still comply with the Minimum Necessary Standard and with each of the safeguards in the Security Rule, as amended by the 2013 Omnibus Final Rule.

An important exception: after a tornado, earthquake, or another type of disaster, HHS may issue a limited waiver of certain Privacy Rule provisions (for example, the requirement to obtain a patient’s agreement before speaking with family members involved in care) for hospitals in a declared emergency area and for a specific period of time. Such a waiver is never all-inclusive, and it does not suspend the Security Rule’s safeguards for electronic PHI, so the texting controls described here still apply during an emergency. Knowing how outside forces may affect acceptable practices will help providers establish procedures in advance rather than improvising during a crisis.


What Information Does the HIPAA Law Protect?

PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits in the course of providing or billing for healthcare services or carrying out healthcare operations. It covers the patient’s past, present, or future physical or mental condition, the care provided, and payment for that care, whenever the information identifies the patient or could reasonably be used to do so. A HIPAA-compliant entity is one that protects that information in every form it takes, including text messages.

Types of PHI include data about:

  • Diagnoses.
  • Treatments.
  • Medical tests.
  • Prescriptions.
  • Demographics (birth date, gender, ethnicity, address, etc.).
  • Phone numbers.
  • Medical record numbers.
  • Facial photos.
  • And more.


The HIPAA Privacy and Security Rules

To be more specific, sending PHI over an unsecured electronic channel without documented safeguards has been a Security Rule violation since the Rule’s compliance date, and the 2013 Omnibus Final Rule raised the stakes: it made business associates directly liable, increased penalty tiers, and changed the Breach Notification Rule so that any impermissible disclosure of unsecured PHI is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised. An unencrypted text containing PHI that reaches the wrong number is therefore presumed to be a breach.

The Security Rule’s technical safeguards mandate processes that:

  • Control who can access PHI (access control, § 164.312(a)(1)).
  • Record how they use it (audit controls, § 164.312(b)).
  • Ensure that the people sending and receiving messages are who they say they are (person or entity authentication, § 164.312(d)).

The transmission security standard (§ 164.312(e)(1)) also requires guarding against unauthorized access to PHI while it is transmitted over an electronic network, whether by text message or any other means. Encryption is listed as an addressable implementation specification: an entity must either encrypt, or document why encryption is not reasonable and appropriate for a given transmission and what equivalent measure it uses instead. In practice, encryption is the only measure that keeps a message illegible if an unauthorized party intercepts it, and it is also what takes lost or intercepted PHI out of the “unsecured PHI” category for breach notification purposes.


Understanding the Requirements

In today’s digital world, many patients and providers are comfortable using text messages as their main form of communication. HIPAA, however, requires organizations to take a more cautious and deliberate approach to patient privacy: decide whether PHI may be texted at all, and if so, put an authenticated, encrypted, and audited channel in place before anyone does. Understanding the rules surrounding PHI and text messaging will help organizations stay compliant while still communicating effectively.


Cindy Winn-Garnigan, MBA, CHSP

Ms. Cindy Winn has over 20 years of healthcare experience and expertise in operations and project management, and is a Certified HIPAA Security Professional (CHSP).