HIPAA Texting Policy

What is a HIPAA Texting Policy?

A HIPAA texting policy is a document that informs the employees of a Covered Entity or Business Associate of the circumstances under which it is permissible to send Protected Health Information (PHI) by SMS text message. The document should be compiled only after a risk assessment has been conducted to identify potential risks to the confidentiality and integrity of PHI, including the risk of its unauthorized disclosure.

The document should stipulate under what circumstances it is permissible to communicate PHI by text, to whom texts containing PHI may be sent, guidelines for how PHI should be communicated by text (for example, in compliance with the Minimum Necessary Standard), and what sanctions will be applied if the HIPAA texting policy is not adhered to.

The purpose of the document is to make sure that everybody who has access to PHI is fully aware of their responsibilities to safeguard its confidentiality and integrity. HIPAA is an exceptionally complex piece of legislation, and it is important that misinterpretations of the legislation are not allowed to develop into bad practices.

A HIPAA Texting Policy Should Be Kept Separate from Any Other Healthcare Texting Policy

To avoid confusion with any other healthcare texting policy, HIPAA texting policies should be kept separate from other organizational policies. For example, a healthcare organization may have a separate texting policy in place for sending appointment reminders or public health alerts to an opted-in community database.

Naturally, a healthcare texting policy of this nature should include a clause that no PHI is to be included in any text message (ideally with a definition of PHI and a list of the prohibited identifiers, i.e. Personally Identifiable Information); but otherwise the policy for texting appointment reminders and public health alerts should reflect the task for which it has been developed.

Nevertheless, it is still a good idea to have any healthcare texting policy reviewed by a HIPAA compliance officer. A compliance officer may be able to identify areas in which patient confidentiality is exposed to risk, or suggest improvements to the policy that will assist with workflows and productivity.

Issues with Enforcing HIPAA Compliant Texting Policies

There can be issues with enforcing HIPAA compliant texting policies. Not every healthcare organization or Covered Entity has a mechanism in place for monitoring access to and communication of PHI, and many medical facilities still allow their employees to send text messages containing PHI from personal mobile devices without the necessary safeguards in place.

This means that a HIPAA texting policy may be unenforceable in practice unless it completely prohibits the use of text messaging in the workplace. However, text messaging has been shown to accelerate the flow of communication and enhance productivity in medical environments, so a complete prohibition is likely to be counter-productive.

A further issue arises if an employee's mobile device is lost or stolen. A significant number of PHI breaches are the result of lost and stolen mobile devices, and because standard SMS messages already received on an unmanaged personal device cannot be remotely deleted, a healthcare organization could be exposed to regulatory fines and civil action if the loss or theft resulted in an unauthorized disclosure of PHI.

How Secure Messaging Overcomes these Issues

A solution to these problems is for healthcare organizations to implement a secure messaging platform. A secure messaging platform creates a private network that encapsulates text messages (so that they are not carried as plain, unencrypted SMS), allows user activity to be monitored, and provides administrative controls to remotely retract and delete messages on lost or stolen devices. Other security safeguards include role-based permissions to control who has access to PHI, and automated policy enforcement to prevent authorized users from violating HIPAA texting policies in error.

The platform allows authorized users to access the private network only after they have authenticated with a centrally issued username and PIN. Thereafter, authorized users can send and receive text messages containing PHI with the same speed and convenience as standard, non-compliant SMS messages, thus maintaining a secure flow of communication in a healthcare environment while still enhancing productivity.

Other features of the platform help healthcare organizations comply with the administrative, physical and technical safeguards of the HIPAA Security Rule, and verify that their HIPAA compliance policies are effective. However, implementing a secure messaging platform does not remove the requirement to produce a HIPAA texting policy; it provides a mechanism for monitoring user activity and thus makes HIPAA compliant texting policies enforceable.
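The controls described in this section (PIN authentication, role-based access to PHI, automated policy enforcement, an audit trail, and server-side retraction of messages held for a device reported lost) can be modelled as a single policy gate. The following is an added example written for this page; it is not code from any secure messaging product, and the user names, roles, MRN format and PHI patterns are constructed for illustration. It assumes that messages are held server-side until fetched, which is what makes revoking a lost device effective where deleting an already-delivered SMS is not.

```python
"""Illustrative policy gate for a secure-messaging service (added example)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Constructed role table: only these roles may exchange PHI with each other.
CLINICAL_ROLES = {"physician", "nurse"}

# Constructed PHI heuristics: a hypothetical organisation's MRN format and a
# US-style SSN. A real deployment would tune these to its own identifiers.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[- ]?\d{6,8}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PINs are short, so stretch them with a slow KDF rather than a plain hash.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    role: str
    device_id: str
    salt: bytes
    pin_hash: bytes


@dataclass
class MessagingService:
    users: dict = field(default_factory=dict)
    inbox: dict = field(default_factory=dict)   # device_id -> messages held server-side
    revoked: set = field(default_factory=set)   # devices reported lost or stolen
    audit: list = field(default_factory=list)   # append-only event log

    def register(self, name: str, role: str, device_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, role, device_id, salt, hash_pin(pin, salt))
        self.inbox.setdefault(device_id, [])

    def login(self, name: str, pin: str) -> bool:
        u = self.users.get(name)
        # Constant-time comparison so a wrong PIN is not distinguishable by timing.
        ok = u is not None and hmac.compare_digest(u.pin_hash, hash_pin(pin, u.salt))
        self._log("login" if ok else "login_failed", name, "-", "")
        return ok

    def find_phi(self, text: str) -> list:
        return [kind for kind, pat in PHI_PATTERNS.items() if pat.search(text)]

    def send(self, sender: str, recipient: str, text: str) -> str:
        s, r = self.users[sender], self.users[recipient]
        phi = self.find_phi(text)
        if s.device_id in self.revoked or r.device_id in self.revoked:
            return self._log("blocked", sender, recipient, "device revoked")
        # Automated policy enforcement: PHI may only travel between clinical roles.
        if phi and not {s.role, r.role} <= CLINICAL_ROLES:
            return self._log("blocked", sender, recipient, f"PHI {phi} to role {r.role}")
        self.inbox[r.device_id].append(text)
        return self._log("delivered", sender, recipient, f"phi={phi}")

    def revoke_device(self, device_id: str) -> int:
        """Lost or stolen device: cut it off and drop messages held for it."""
        self.revoked.add(device_id)
        dropped = len(self.inbox.get(device_id, []))
        self.inbox[device_id] = []
        self._log("revoked", device_id, "-", f"dropped={dropped}")
        return dropped

    def _log(self, event: str, actor: str, target: str, detail: str) -> str:
        self.audit.append({"event": event, "actor": actor, "target": target, "detail": detail})
        return event


def demo() -> MessagingService:
    """Walk through the scenarios in the text with constructed users."""
    svc = MessagingService()
    svc.register("dr_lee", "physician", "dev-1", "4821")
    svc.register("nurse_kim", "nurse", "dev-2", "9130")
    svc.register("billing_ann", "billing", "dev-3", "5577")
    svc.login("dr_lee", "4821")                                             # login
    svc.login("dr_lee", "0000")                                             # login_failed
    svc.send("dr_lee", "nurse_kim", "Pt MRN-1234567 ready for discharge")   # delivered
    svc.send("dr_lee", "billing_ann", "MRN-1234567 claim query")           # blocked
    svc.send("dr_lee", "billing_ann", "Can you call me about the claim?")   # delivered
    svc.revoke_device("dev-2")                                              # nurse's phone lost
    svc.send("dr_lee", "nurse_kim", "Update on MRN-1234567")                # blocked
    return svc
```

Every decision, allowed or not, lands in the audit list, which is what gives the organization the monitoring the policy needs to be enforceable. The PHI patterns are deliberately narrow; in practice the check would be tuned to the identifiers the organization actually uses and combined with the role table from the policy.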