HIPAA Compliant Encryption for Text Messaging

The Addressable Requirement of HIPAA Compliant Encryption for Text Messaging

Since the Final Omnibus Rule enacted changes to the Health Insurance Portability and Accountability Act (HIPAA) in 2013, there has been a considerable amount of discussion regarding HIPAA compliant encryption for text messaging. Much of this discussion has been caused by the language used in the technical safeguards of the HIPAA Security Rule, which describe the requirements for the encryption of PHI as “addressable” (as opposed to “required”).

Some have interpreted “addressable” as something that is not immediately “required”, whereas the U.S. Department of Health & Human Services defines “addressable” as:

  • A requirement that must be implemented unless,
  • An alternative security measure accomplishes the same purpose, or
  • The covered entity can document an acceptable reason why the requirement has not been implemented.

With respect to HIPAA compliant encryption for text messaging, there are only three possible scenarios in which the encryption of PHI would not be necessary and the requirement would therefore not need to be implemented:

  • Text messages do not contain PHI.
  • Text messages are only sent to patients (allowable under the Privacy Rule).
  • Text messages travel via an organization's internal server and are protected by a firewall.

This means that, for a healthcare organization in which medical professionals communicate PHI with each other by text via a public service provider, HIPAA compliant encryption for text messaging is effectively a “required” requirement.

Encryption not the Only HIPAA Issue to Address

If HIPAA compliant encryption for text messaging were the only requirement of the HIPAA Security Rule, it would be a fairly simple requirement to resolve. There are plenty of free and paid-for apps that will encrypt messages sent from a desktop or mobile device, but few of them fulfil the other administrative, physical and technical safeguards of the Security Rule.

Text messages have to be monitored and accountable. Each user must authenticate their ID before accessing PHI, and mechanisms must be in place to prevent unauthorized access to PHI if, for example, a desktop computer or mobile device is left unattended. Furthermore, if a mobile device is stolen, the thief would have access to PHI in its unencrypted format.

Because of these additional issues, it is worthwhile evaluating secure messaging solutions that have been specifically designed with absolute HIPAA compliance in mind. Many healthcare organizations have already implemented secure messaging solutions in order to fulfil the requirement of HIPAA compliant encryption for text messaging, and have enjoyed significant benefits as a result.

The Benefits of Secure Messaging Solutions

With HIPAA compliant encryption for text messaging, medical professionals and other members of the healthcare industry can send and receive texts containing PHI – either in the body of the message or as an attachment – with the same speed and convenience as they enjoy now.

As secure messaging solutions have mechanisms to ensure 100% message accountability, phone tag is significantly reduced. This means that medical professionals have more time available to attend to their duties and, as a consequence, productivity increases – as does the level of healthcare delivered to patients.

All activity on the secure messaging solution is monitored to ensure the integrity of PHI at rest and in transit. Should a mobile device be stolen, administrative controls allow for the remote deletion of messages and PIN-locking of the device. Other security mechanisms exist to prevent PHI from being sent outside an organization's network, or saved to an external hard drive.

To find out more about HIPAA compliant encryption for text messaging, and the benefits of secure messaging solutions, you are invited to download and read our “HIPAA Compliance Guide”. With HIPAA compliant encryption for text messaging likely to feature in the next OCR audit, it is best to be fully informed of the requirements before it becomes a more serious issue than it need be.