HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliant Encryption for Text Messaging

The Addressable Requirement of HIPAA Compliant Encryption for Text Messaging

Since the Final Omnibus Rule enacted changes to the Health Insurance Portability and Accountability Act (HIPAA) in 2013, there has been a considerable amount of discussion regarding HIPAA compliant encryption for text messaging. Much of this discussion has been caused by the language used in the technical safeguards of the HIPAA Security Rule, which describe the requirements for the encryption of PHI as “addressable” (as opposed to “required”).

Some have interpreted “addressable” as something that is not immediately “required”, whereas the U.S. Department of Health & Human Services defines “addressable” as:

  • A requirement that must be implemented unless:
  • An alternative security measure accomplishes the same purpose, or
  • The covered entity can document an acceptable reason why the requirement has not been implemented.

With respect to HIPAA compliant encryption for text messaging, there are only three possible scenarios in which the encryption of PHI would not be necessary and the requirement could therefore be left unimplemented:

  • Text messages do not contain PHI.
  • Text messages are only sent to patients (allowable under the Privacy Rule).
  • Text messages travel via an organization's internal server and are protected by a firewall.

This means that, for a healthcare organization in which medical professionals communicate PHI with each other by text via a public service provider, HIPAA compliant encryption for text messaging is effectively a “required” requirement.

Encryption not the Only HIPAA Issue to Address

If HIPAA compliant encryption for text messaging were the only requirement of the HIPAA Security Rule, it would be a fairly simple requirement to resolve. There are plenty of free and paid-for apps that will encrypt messages sent from a desktop or mobile device, but few of them fulfil the other administrative, physical and technical safeguards of the Security Rule.

Text messages have to be monitored and accountable. Each user must authenticate their ID before accessing PHI, and mechanisms must be in place to prevent unauthorized access to PHI if, for example, a desktop computer or mobile device is left unattended. Furthermore, if a mobile device is stolen, the thief would have access to PHI in its unencrypted format.

Because of these additional issues, it is worthwhile evaluating secure messaging solutions that have been specifically designed with absolute HIPAA compliance in mind. Many healthcare organizations have already implemented secure messaging solutions in order to fulfil the requirement of HIPAA compliant encryption for text messaging, and enjoyed significant benefits as a result.

The Benefits of Secure Messaging Solutions

With HIPAA compliant encryption for text messaging, medical professionals and other members of the healthcare industry can send and receive texts containing PHI – either in the body of the message or as an attachment – with the same speed and convenience as they enjoy now.

As secure messaging solutions have mechanisms to ensure 100% message accountability, phone tag is significantly reduced. This means that medical professionals have more time available to attend to their duties and, as a consequence, productivity increases – as does the level of healthcare delivered to patients.

All activity on the secure messaging solution is monitored to ensure the integrity of PHI at rest and in transit. Should a mobile device be stolen, administrative controls allow for the remote deletion of messages and PIN-locking of the device. Other security mechanisms exist to prevent PHI from leaving an organization's network, or being saved to an external hard drive.