HIPAA does not outright forbid sending PHI by text, but for texting to be HIPAA compliant, security measures must be in place to ensure the confidentiality of PHI both at rest and in transit. There also has to be a strategy for managing who can access PHI, and for governing what authorized personnel do with PHI once they have accessed it.
Why It Is Safer to Forbid Texting PHI
There are many reasons why it is more secure for Covered Entities to prohibit texting PHI than to permit it. These include, but are not limited to, the lack of access controls, the lack of audit controls, and the lack of encryption. Encryption is an "addressable" rather than a "required" safeguard under the HIPAA Security Rule, but in practice it is the only realistic way to protect PHI in transit.
Taking these reasons in turn, and starting with access controls: anybody who picks up an unattended mobile device can read the messages it contains, because native SMS has no authentication of its own. Mobile devices are also lost or stolen, which not only exposes PHI to unauthorized access but puts the data in the messages in the hands of people who can use it to commit insurance fraud or identity theft.
The HIPAA Security Rule requires audit controls for any system that handles electronic PHI, text messaging included: there has to be a record of when PHI is created, modified, accessed, shared, or deleted, and by whom. Native SMS cannot provide this. Messages are carried by the carrier's network and handled by whatever messaging app the handset ships with, neither of which the Covered Entity controls, so there is no way to log who read a message, whether it was forwarded, or whether it was deleted.
Even if there were a way to satisfy the access control and audit control requirements, that alone would not make SMS text messaging HIPAA compliant. There also has to be a way to prevent the interception of messages in transit, or their extraction from carriers' servers, which handle standard SMS as plain text. This is why the encryption of PHI in transit is strongly advised even though the Security Rule classes it as addressable.
When Is Text Messaging HIPAA Compliant?
As noted above, there are circumstances in which SMS text messaging can be HIPAA compliant, and the most common of these concerns texting patients. Texting patient information to patients is permitted by HIPAA provided the Covered Entity has warned the patient that a risk of unauthorized disclosure exists and has obtained the patient's permission to communicate by text. Both the warning and the consent must be documented.
Other instances in which text messaging may be HIPAA compliant include employers who provide onsite clinics as an employee health benefit, who operate self-insured health plans for employees, or who act as an intermediary between workers, healthcare providers, and health plans.
The U.S. Department of Health and Human Services can also waive some of the HIPAA rules for text messaging after a natural disaster such as an earthquake or hurricane. In these cases the waiver may cover some, but not all, of the rules relating to texting patient data; it may apply only for a fixed period, and it may apply only to Covered Entities of a certain type (for example, healthcare providers) within a geographical area. Waivers are never blanket exemptions.
One final instance in which text messaging is HIPAA compliant is when the Covered Entity has deployed a solution such as a HIPAA compliant messaging app that has the access controls, audit controls, and encryption needed to support HIPAA compliant texting. Even when these apps are deployed, users must still adhere to the Minimum Necessary Standard, and the Covered Entity must still apply the physical, technical, and administrative safeguards of the HIPAA Security Rule.
HIPAA Compliant Text Messaging Apps
HIPAA compliant text messaging apps have become the go-to way of resolving the question "is text messaging HIPAA compliant?" They work in much the same way as consumer apps such as WhatsApp, Facebook Messenger, and Skype, so users are familiar with how they operate, but they run within a private, encrypted network with the access controls and audit controls needed to meet the requirements of the HIPAA Security Rule.
The most recent generation of HIPAA compliant text messaging apps do more than support HIPAA compliant texting. They allow HIPAA compliant voice and video calls, let groups collaborate remotely in a secure environment, and support the sharing of files and images with other authorized users. When integrated with EMR systems, patient information can be sent straight from the messaging app to the EMR, saving users valuable time.
With regard to the security and integrity of PHI, all communications are stored in a private cloud and logically separated from other data. Through admin control panels, Covered Entities can assign granular role-based permissions and enforce messaging policies. The platforms can also be used to remotely wipe messages if a mobile device is lost or stolen, to require a PIN lock on the app on mobile devices, and to extract audit reports.
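The access controls and audit controls that native SMS lacks, and the role-based permissions, remote wipe and audit reports that dedicated messaging apps provide, can be made concrete in a small model. The following is an added example written for this page, not code from the article or from any messaging vendor. The roles, users, device names and message text are constructed; the HMAC-chained log is one tamper-evident design choice, not something HIPAA prescribes; and the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical role set. "billing" gets no access to clinical messages at all:
# under the Minimum Necessary Standard a role only sees the PHI its job needs.
ROLE_PERMISSIONS = {"physician": {"create", "read", "delete"},
                    "nurse": {"create", "read"}, "billing": set()}


class AuditLog:
    """Append-only log of every PHI operation, allowed or denied. Each entry is
    HMAC'd together with the previous entry's HMAC, so editing or dropping an
    entry breaks the chain and verify() fails."""

    ANCHOR = "00" * 32

    def __init__(self, key: bytes):
        self._key, self.entries, self._prev_mac = key, [], self.ANCHOR

    def _mac(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "mac"}
        return hmac.new(self._key, json.dumps(body, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()

    def record(self, actor: str, action: str, target: str, outcome: str) -> None:
        entry = {"ts": time.time(), "actor": actor, "action": action,
                 "target": target, "outcome": outcome, "prev": self._prev_mac}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        self._prev_mac = entry["mac"]

    def verify(self) -> bool:
        prev = self.ANCHOR
        for e in self.entries:
            if e["prev"] != prev or not hmac.compare_digest(self._mac(e), e["mac"]):
                return False
            prev = e["mac"]
        return True


class SecureMessaging:
    """Message store that checks device, role and recipient list on every operation
    and writes the outcome, allow or deny, to the audit log."""

    def __init__(self, audit_key: bytes):
        self.users = {}     # user -> role
        self.devices = {}   # device id -> owning user
        self.wiped = set()  # device ids that have been remotely wiped
        self.messages = {}  # message id -> {"sender", "to", "body", "deleted"}
        self.audit = AuditLog(audit_key)
        self._seq = 0

    def enrol(self, user: str, role: str, device: str) -> None:
        self.users[user], self.devices[device] = role, user

    def remote_wipe(self, device: str) -> None:
        self.wiped.add(device)
        self.audit.record("admin", "wipe", device, "allow")

    def _authorize(self, actor: str, device: str, action: str, msg_id: str) -> bool:
        ok = (self.devices.get(device) == actor                    # device belongs to actor
              and device not in self.wiped                        # and has not been wiped
              and action in ROLE_PERMISSIONS.get(self.users.get(actor, ""), set()))
        if ok and action != "create":                             # must be a party to the message
            m = self.messages.get(msg_id)
            ok = m is not None and not m["deleted"] and actor in (m["sender"], *m["to"])
        self.audit.record(actor, action, msg_id, "allow" if ok else "deny")
        return ok

    def send(self, actor: str, device: str, recipients: list, body: str) -> Optional[str]:
        self._seq += 1
        msg_id = f"m{self._seq}"
        if not self._authorize(actor, device, "create", msg_id):
            return None
        self.messages[msg_id] = {"sender": actor, "to": set(recipients), "body": body, "deleted": False}
        return msg_id

    def read(self, actor: str, device: str, msg_id: str) -> Optional[str]:
        return self.messages[msg_id]["body"] if self._authorize(actor, device, "read", msg_id) else None

    def delete(self, actor: str, device: str, msg_id: str) -> bool:
        if not self._authorize(actor, device, "delete", msg_id):
            return False
        self.messages[msg_id]["deleted"] = True
        return True


def demo() -> dict:
    """Walk through the article's scenarios with constructed sample data."""
    app = SecureMessaging(audit_key=b"demo-audit-key-not-for-production")
    app.enrol("dr_lee", "physician", "phone-1")
    app.enrol("nurse_kim", "nurse", "phone-2")
    app.enrol("bill_ops", "billing", "phone-3")
    msg = app.send("dr_lee", "phone-1", ["nurse_kim"], "Pt 4402: start IV antibiotics at 1400")
    out = {"nurse_reads": app.read("nurse_kim", "phone-2", msg),
           "billing_reads": app.read("bill_ops", "phone-3", msg)}
    app.remote_wipe("phone-2")                                    # phone-2 reported lost
    out["wiped_phone_reads"] = app.read("nurse_kim", "phone-2", msg)
    out["doctor_deletes"] = app.delete("dr_lee", "phone-1", msg)
    out["read_after_delete"] = app.read("dr_lee", "phone-1", msg)
    out["chain_ok"] = app.audit.verify()
    app.audit.entries[2]["outcome"] = "allow"                     # someone edits the billing denial
    out["tampered_chain_ok"] = app.audit.verify()
    return out
```

Two points the model makes that the prose does not: every denied request is logged alongside every allowed one, because a pattern of denials is exactly what an audit review is meant to catch, and the remote wipe works by revoking the device's authorization centrally rather than relying on the handset still being reachable. Encryption at rest and in transit is left out of the model; it belongs underneath this layer and does not replace it.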
The reporting capabilities of recent-generation secure messaging systems can also supply valuable insights for Covered Entities. The systems often include analytics packages that show how different teams communicate with each other and with other departments, allowing Covered Entities to make data-driven decisions to further refine their HIPAA compliant communication policies.