
Is Texting in Violation of HIPAA?

To say that texting is in violation of HIPAA is not strictly true. Depending on the content of the text message, who the text message is being sent to, or mechanisms put in place to ensure the integrity of Protected Health Information (PHI), texting can be in compliance with HIPAA in certain circumstances.

Any misunderstanding surrounding texting being in violation of HIPAA comes from the complex language used in the Privacy and Security Rules. These rules do not mention texting per se, but they do lay down certain conditions that apply to electronic communications in the healthcare industry.

So, for example, it is acceptable to send a message by text when its content is not PHI at all: health information that has been stripped of the "personal identifiers" that would tie it to an individual is not protected by the rules. It is acceptable for a doctor to text a patient who has asked to be contacted that way, provided the patient has been told that ordinary text messaging is not secure and still prefers it (HHS has said the same of unencrypted email), and the message is kept to the minimum necessary for its purpose. And it is acceptable to text PHI between members of staff when the mechanisms are in place to meet the technical safeguards of the HIPAA Security Rule.

The Technical Safeguards of the HIPAA Security Rule

The technical safeguards of the HIPAA Security Rule (45 CFR 164.312) are the most relevant to answering the question "When is texting in violation of HIPAA?" This part of the Rule covers access controls, audit controls, integrity controls, person or entity authentication, and transmission security for PHI that is transmitted electronically. Among the requirements are:

  • Access to PHI must be limited to authorized users who need the information to do their jobs (access control).
  • Mechanisms must be in place to record and examine activity in systems that contain or use PHI (audit controls).
  • Each user must have a unique identifier and must prove their identity before being granted access; the Rule does not prescribe the mechanism, so a password, PIN, hardware token or biometric can all satisfy it (person or entity authentication).
  • Policies, procedures and technical mechanisms must protect PHI from improper alteration or destruction, and must make it possible to confirm that received data has not been altered (integrity).
  • PHI transmitted over networks the organization does not control should be encrypted so that it is unusable if intercepted in transit. Encryption here is an "addressable" specification: it must be implemented unless the organization documents why it is not reasonable and adopts an equivalent alternative (transmission security).

Standard "Short Message Service" (SMS) and consumer "Instant Messaging" (IM) text messages fail most or all of these tests. SMS is not encrypted end to end, so a message is readable by the carrier and by anyone who can observe the path it travels. Senders have no control over the final destination of a message: it can be sent to a wrong number, forwarded by the intended recipient, or intercepted in transit. Copies of SMS and IM messages may also be retained on carriers' or providers' servers for periods the sender cannot see or control.

There is no message accountability with SMS or IM because anybody who picks up an unlocked handset can use it to send a message, and a recipient can edit a received message before forwarding it on without anyone being able to tell. For these reasons (and others) communicating PHI by standard, unencrypted, unmonitored and uncontrolled SMS or IM is texting in violation of HIPAA.

How This Creates a Problem for Healthcare Organizations

Texting in violation of HIPAA is a major problem for healthcare organizations. Over the past few years, more and more medical professionals have come to rely on their personal mobile devices to support their workflows, and many healthcare organizations have been keen to adopt BYOD policies because of the speed, convenience and cost savings they bring.

However, with an estimated 80% of medical professionals now using personal mobile devices, there is a considerable risk of PHI being accessed by unauthorized people. Most consumer messaging apps require no login beyond unlocking the handset and never log the user off, so if a device is lost or stolen, any messages containing PHI are exposed to whoever holds it.

The penalties for a breach of HIPAA can be considerable. Civil monetary penalties are assessed per violation, up to $50,000 for a single violation in the highest tier (the figures are adjusted annually for inflation), with an annual cap for violations of the same provision, and where a violation is continuing, each day it persists can be counted as a separate violation. HIPAA itself gives patients no private right of action, but healthcare organizations that turn a blind eye to texting in violation of HIPAA can also face lawsuits under state law from patients whose data has been exposed, particularly if the breach results in identity theft or other fraud.

Resolve Texting Issues with a Secure Messaging Solution

Secure messaging solutions resolve texting issues by encapsulating PHI within a private communications network that can only be accessed by authorized users. Access is gained via secure messaging apps that function in the same way as commercially available messaging apps, but with security mechanisms in place to prevent an accidental or malicious disclosure of PHI.

Once logged into the app, authorized users enjoy the same speed and convenience as SMS or IM text messaging, but are prevented from sending messages containing PHI outside the communications network, from copying message content to the clipboard or other apps, and from saving it to external storage. After a set period of inactivity the app logs the user off automatically.

All activity on the communications network is logged, so that every message can be attributed to an authenticated user and texting in violation of HIPAA can be detected and prevented. If a mobile device onto which the secure messaging app has been installed is lost or stolen, administrators can remotely wipe all content sent to or created in the app and PIN-lock it to prevent further use.

Find Out More about Compliance with HIPAA

Texting in violation of HIPAA is not the only electronic communication of PHI that healthcare organizations should be concerned about. Emails containing PHI may also be in violation of HIPAA depending on the circumstances in which they are sent and received.

You can find out more about the circumstances in which the electronic communication of PHI may be in violation of HIPAA in our "HIPAA Compliance Guide", a free white paper that elaborates on the HIPAA Security Rule and the conditions that have to be in place to prevent texting in violation of HIPAA.