Is Text Messaging HIPAA Compliant?

Although there are circumstances in which SMS text messaging can be HIPAA complaint, text messaging HIPAA compliant is generally not thought of as a legally acceptable form of sending PHI.

HIPAA does not outright ban sending PHI by text, but – in order for texting to be HIPAA compliant texting – safeguards have to be in place to guarantee the confidentiality of PHI when it is at rest and in transit. There also has to be controls in place for who can access PHI, and what authorized individuals do with PHI when they view it.

Why It Is Safer to Ban Texting PHI

There are many reasons why it is more secure for Covered Entities to prohibit texting PHI rather than permit it. These include – but are not limited to – the absence of access controls, the lack of audit controls, and the lack of encryption – which although an “addressable” obligation of the HIPAA Security Act, is about the only sensible way to ensure the security of PHI in transit.

Reviewing these reasons in more depth, with regards to access controls, anybody can pick up an unattended mobile device and read the messages it contains. Furthermore, mobile devices may be lost or stolen – which not only potentially exposes PHI to unauthorized access, but the data in the messages can be used to carry out insurance fraud or identity theft.

This is why the HIPAA rules for text messaging – or any other method of electronic communication – state that audit controls are a requirement to record when PHI is created, changed, accessed, shared, or removed. It’s simply not possible to put in place audit trails for HIPAA compliant text messaging because the technology does not exist that can audit every possible operating system.

Even if there was a way to get around the HIPAA texting rules for access controls and audit controls, that would not mean text messaging is HIPAA compliant. There also has to be a way to stop the interception of plain text messages – or extraction of plain text messages from carriers’ servers – which is why the encryption of PHI in transit is strongly approved.

When Is Text Messaging deemed HIPAA Compliant?

It was mentioned above there are time when SMS text messaging can be HIPAA compliant, and the most common circumstance concerns HIPAA compliant texting to patients. Sending patient information to patients suing Text Messages is allowed by HIPAA provided the Covered Entity has warned the patient that the risk unauthorized disclosure exists and has received the patient’s consent to communicate by text. Both the warning and the consent must be recorded.

Other circumstances in which text messaging is HIPAA compliant include employers who supply onsite clinics as an employee health benefit, who supply self-insured health plans for employees, or who act as an intermediary between workers, healthcare providers, and health plans. This is a particularly complicated area of HIPAA compliant texting, so we have compiled a separate page to explain the HIPAA texting rules in these instances.

It can also be the case the U.S. Department of Health and Human Services waives the HIPAA rules for text messaging after a natural disaster such as an earthquake or typhoon. In these instances it may be some, but not all, rules relating to texting patient data, and the waiver may be for a fixed time period only or apply to Covered Entities of a certain manner (i.e. healthcare providers) within a geographical location. Waivers are never all-inclusive.

One final instance in which text messaging is HIPAA compliant is when the Covered Entity has created a solution such as a HIPAA compliant messaging app that has the necessary controls and encryption to support HIPAA compliant texting. Even when these apps are deployed, it is still necessary to adhere with the Minimum Necessary Standard and the physical, technical, and administrative security features of the HIPAA Security Rule.

HIPAA Compliant Text Messaging Apps

HIPAA compliant text messaging apps have become to main solution for settling the question of “is text messaging HIPAA compliant?” The messaging apps work in much the same way as commercial apps such as WhatsApp, Facebook Messenger, and Skype – so users are knowledgeable with how they operate – but they run within a secure, encrypted network with access controls and audit controls to satisfy the requirements of the HIPAA Security Rule.

The most recent generation of HIPAA compliant text messaging apps do more than support HIPAA compliant texting. They allow HIPAA compliant voice and video calls, allow groups to work remotely in a secure environment, and facilitate the sharing of files and images with other authorized users. When connected with EMR systems, patient information can be sent straight from the text messaging app to the EMR system – saving users important time.

In relation to the security and integrity of PHI, all communications are held on a private cloud and logically separated from other data. Via user-friendly admin control panels, Covered Entities can use granular role-based permissions and apply messaging policies. The platforms can also be used to remotely erase messages if a mobile device is lost or stolen, PIN-lock apps installed on mobile devices, and download audit reports.

Indeed, the advanced reporting functions of latest generation secure messaging systems can give valuable insights for Covered Entities . The systems often include strong analytics packages that give Covered Entities insights into how different teams are communicating with each other and with separate departments. These insights mean that Covered Entities to make data-driven decisions to further strengthen HIPAA compliant communication policies and processes.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter