HIPAA Texting Policy

What is a HIPAA Texting Policy?

A HIPAA texting policy is a document that should be compiled once a risk assessment has been conducted to identify any vulnerabilities in the way PHI is currently communicated between employees, medical professionals and Business Associates.

The document should stipulate under what circumstances it is allowable to communicate PHI by text, guidelines for the way in which PHI should be communicated by text, and what sanctions will be applied if the HIPAA texting policy is not adhered to.

The purpose of the document is to make sure everybody who has access to PHI is fully aware of their responsibilities to safeguard its integrity. HIPAA is an exceptionally complex piece of legislation, and it is important that potential misinterpretations of the legislation are not allowed to develop into bad practices.

Issues with HIPAA Compliant Texting Policies

There can be issues with HIPAA compliant texting policies. Not every healthcare organization or covered entity has a mechanism in place for monitoring access to and communication of PHI, and many medical facilities still allow their employees to send text messages containing PHI from personal mobile devices without the necessary safeguards in place.

This means that any HIPAA texting policy would be unenforceable, unless it completely prohibited the use of text messages in the workplace. However, text messaging has been seen to accelerate the communications cycle and enhance productivity in a medical environment, so completely prohibiting the use of text messages is likely to be counter-productive.

A further issue arises if an employee's mobile device is lost or stolen. A significant number of PHI breaches are the result of lost and stolen mobile devices and, with no way to remotely delete messages received on the device, healthcare organizations would be exposed to regulatory fines and civil action if the loss or theft resulted in unauthorized access to PHI.

How Secure Messaging Overcomes the Issues

A solution to these problems is for healthcare organizations to implement a secure messaging platform. Secure messaging platforms create a private network that encapsulates text messages, allow user activity to be monitored, and provide administrative controls to remotely retract and delete messages on lost or stolen devices.

The platform enables authorized users to access the private network only after they have authenticated their identity with a centrally-issued username and PIN. Thereafter, authorized users can send and receive messages containing PHI with the same speed and convenience as standard, non-compliant SMS text messages.

Other features on the platform help healthcare organizations comply with the administrative, physical and technical requirements of the HIPAA Security Rule. However, the implementation of a secure messaging platform does not replace the requirement to produce a HIPAA texting policy. It provides a mechanism for monitoring user activity and thus makes HIPAA compliant texting policies enforceable.

Find Out More about Policies for HIPAA Compliance

A HIPAA texting policy is just one of a number of policies that have to be developed by a healthcare organization in order to be compliant with HIPAA. Security management policies, information access policies, security incident policies and contingency plans are all required under the HIPAA Security and Privacy Rules.

You can read more about these as well as finding more information about HIPAA compliant texting policies by downloading our free “HIPAA Compliance Guide” – a comprehensive white paper that elaborates on the administrative, physical and technical requirements of the HIPAA Security Rule and how potential issues can be overcome with secure messaging.