HIPAA Text Messaging Policy

HIPAA Text Messaging Policy

Why You Need a HIPAA Text Messaging Policy

The requirement for healthcare organizations and other covered entities to implement a HIPAA text messaging policy can be found in the administrative safeguards of the HIPAA Security Rule. Under §164.308(a)5(i) – commonly known as the “Workforce Training and Management” section – the administrative safeguards stipulate that covered entities “implement a security awareness and training program for all members of its workforce.”

“Security awareness” covers a wide range of potential issues, but none is more important than the security of Protected Health Information (PHI) – particularly when it is being transmitted electronically. Practically the entirety of the HIPAA Security Rule is dedicated to safeguarding PHI, with various measures required to prevent unauthorized access to confidential data. One area of the Security Rule in particular – §164.312(e)1 – is dedicated to transmission security.

This section stipulates that covered entities must “implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” Due to the growth of BYOD policies and the volume of medical professionals that use personal mobile devices to manage their workflows, texting has become the number one channel of electronic communication for transmitting PHI.

Consequently a HIPAA text messaging policy is required so that medical professionals – and other employees of a covered entity – are aware of under what circumstances it is permissible to text PHI, and how the texting of PHI should be conducted. Because of the consequences of a breach of PHI, a HIPAA text messaging policy should also contain details of the sanctions that will be applied to any employee who violates the covered entity’s policies and procedures.

Aren’t These Safeguards “Addressable” Rather Than “Required”?

Although the safeguards relating to security awareness and the transmission of PHI are described as “addressable” requirements in the HIPAA Security Rule, there is often a misunderstanding about what “addressable” actually means. “Addressable” requirements are those which are “required” unless:

  1. a) One or more alternate security measures are implemented that accomplish the same goal, or
  2. b) A risk assessment has been conducted and the security measure is not necessary to safeguard the integrity of PHI.

An example of an addressable requirement is the encryption of PHI in transit. In theory PHI should always be encrypted in transit so that, if a message is intercepted over a public network, its contents are “undecipherable, unreadable and usable”. However, if a healthcare organization had an internal communications network run on a server that was sufficiently protected by a firewall – and communications never went beyond that firewall – the security measure of encryption would not be necessary to protect the integrity of PHI.

Text messages within the healthcare industry are primarily sent over public networks and public Wi-Fi networks – effectively making the implementation of security measures to protect the content of text messages a “required” safeguard. Along with this responsibility to safeguard PHI in transit comes the responsibility to train staff on the measures introduced to protect the content of text messages – whatever they may be. Consequently there is the need to devise, implement and enforce a HIPAA text messaging policy.

What Should be Contained in a HIPAA Text Messaging Policy?

The contents of a HIPAA text messaging policy will be determined by various factors. The nature of healthcare provided, the size of a healthcare organization and the organization´s reliance on texts as a form of communication are each factors that would influence the contents of a HIPAA text messaging policy.

Ideally, healthcare organizations should gain a thorough understanding of the HIPAA requirements for communicating PHI electronically (including emails as well as text messages) and devise a HIPAA text messaging policy based on their own individual requirements and vulnerabilities.