HIPAA Laws and Texting

HIPAA Laws and Texting

What HIPAA Says about Texting

There is a fair amount of ambiguity about HIPAA laws and texting. Some IT professionals believe that texting Protected Health Information (PHI) is acceptable in certain circumstances, whereas others argue that texting should never be used to communicate PHI.

The truth of the matter is that texting is not mentioned in HIPAA at all – only that certain administrative, physical and technical safeguards have to be in place to ensure the integrity of PHI when it is “in transit” – i.e. being communicated by any electronic method.

The nature of the administrative, physical and technical safeguards would suggest that “Short Message Service” (SMS) texts and “Instant Message” (IM) texts are not HIPAA compliant. This is because the sender of the message does not have absolute control over third party access to the message once it has left their mobile device.

What Safeguards have to be Put in Place?

Before looking at what safeguards have to be put in place to resolve conflicts between HIPAA laws and texting, let´s first look at some scenarios that explain why they are required.

When a text message containing PHI leaves a mobile device, there is the possibility that it could be sent to the wrong number, that the recipient of the message subsequently loses their mobile phone, or that the text message is intercepted in transit. It should also be considered that copies of SMS and IM messages remain indefinitely on service providers´ servers.

To overcome these potential breaches of PHI, the HIPAA laws about communicating PHI state (among other guidelines) that there should be a system in place whereby messages can be remotely retracted and deleted. To prevent unauthorized access to PHI in transit or while a message is stored on a server, the content of the message and any attachments should be encrypted.

Although apps now exist that enable you to retract a sent message, they are not much use if it is your mobile device that has been lost. Apps also exist that allow you to encrypt your text messages. However, in order for this to be effective in a healthcare environment, everybody would have to be using the same encryption software, and the decryption key would have to be maintained on a different device.

Furthermore, other regulations concerning HIPAA laws and texting PHI stipulate that there has to be a mechanism in place to authenticate the identity of the message sender and the recipient. There must also be a system of message accountability in place, and all transmissions of PHI have to be monitored and recorded. This means that every text message containing PHI has to be logged.

A Solution to the HIPAA Laws and Texting Issues

To resolve any ambiguity about HIPAA laws and texting, it is advisable for healthcare organizations to investigate secure messaging solutions. Secure messaging solutions have all the safeguards in place to ensure compliance with the HIPAA laws for communicating PHI without sacrificing the speed and convenience of SMS and IM.

The solutions work by creating a private communications network, through which authorized users can send and receive PHI either via a desktop computer or via apps that can be downloaded onto any mobile device. Activity on the network is monitored by a secure messaging platform – which also produces access logs and audit reports to assist with the preparation of risk assessments – while security mechanisms allow administrators to remotely delete PHI from a lost or stolen mobile device.