HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How HIPAA Applies to Text messages and Emails Sent by Healthcare Professionals

It was not long ago that doctors were required to carry pagers and call in when their pockets started to bleep. Today, pagers have been replaced by Smartphones with communications and notifications sent via text messages, Email or telephone calls.

A number of healthcare centers and doctors have discovered that sending a quick text message can cause a HIPAA violation. If text messages or Emails are to be used, the appropriate technical safeguards must be put in place to protect the PHI of patients. When data is sent over the internet or mobile phone networks, it must be encrypted. A failure to implement these safeguards can result in huge fines being issued by the OCR.

When HIPAA regulations were first drafted the internet was still in its infancy and mobile phones, tablets and multimedia SMS messages did not exist. However, over the years, the use of electronic communication has become commonplace. Back in 2001, 258.2 million text messages were being sent every month according to data from CTIA, while just 3 years ago, that number had risen to 193.1 billion per month in the U.S alone.

The huge volume of text messages now being sent shows just how widely adopted this new form of communication has become. Doctors and healthcare professionals are finding that text messages and Email are more convenient, fast and useful than pagers ever were. However, as useful as text messaging is, it is not secure and certainly not HIPAA compliant.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The problem with text messages is the data contained is not protected and can be accessed and read by any individual who has access to either the device used to send or receive the message. The message, and any PHI it contains, will remain on both the sender’s and receiver’s device until it is manually deleted. Text messages and Emails can also remain on telecom company servers for a considerable period of time. Any PHI sent in those messages is therefore easy to intercept and can be accessed by any number of people. There is also no guarantee that the person receiving the text is actually the intended recipient.

Because of these security flaws, text messages – and other non-secure methods of electronic communication – have been banned by the Joint Commission, because of the ease at which they could cause a HIPAA breach. A fine of up to $50,000 for each single violation can be issued by the OCR. A system of sending PHI securely is therefore essential.

The only way to take advantage of the convenience of text messaging while remaining HIPAA compliant is to use a service to encrypt the messages, and a number of technology companies are now offering this service. If messages are encrypted, even if they are intercepted, data will not be viewable by anyone without a security key.

Email is permissible under HIPAA regulations, although in order to maintain HIPAA compliance and keep PHI secure, a number of security measures must be employed. This can similarly involve encryption, although under current regulations, this is not a requirement.

While less common than text messages and Email, social media platforms are used by many patients, in particular young adults and teenagers. Communication with patients via Facebook, Twitter and other platforms is possible, although it is essential that healthcare professionals understand that not only is social media unsecure, but also that any information sent via these networks is automatically in the public domain.

When doctors receive requests for information via social media channels, it may suggest that the patient is comfortable with having their PHI sent via social media; however PHI must never be sent via these communication channels, even if requested by the patient.

These new forms of communication are clearly here to stay, and while healthcare professionals and patients can benefit greatly from the convenience and speed of electronic communication methods, it is essential that doctors and other healthcare professional understand the security flaws that exist.

Legislation is likely to change to cover text messages and electronic communications in the future, In the meantime, extreme care must be taken to ensure that HIPAA Privacy Rules are not accidentally violated.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.