Is Text Messaging HIPAA Compliant?

Is Text Messaging HIPAA Compliant?

Is Text Messaging HIPAA Compliant?

The answer to the question “is text messaging HIPAA compliant” is generally “no”. Although HIPAA does not specifically prohibit communicating Protected Health Information (PHI) by text, a system of administrative, physical and technical safeguards has to be in place to ensure the confidentiality and integrity of PHI when it is “in transit” – i.e. being communicated between medical professionals or covered entities.

Traditional SMS messages – the type of message typically sent from one mobile device to another – are not HIPAA compliant. This is because they lack encryption, there are no safeguards to prevent a text message being sent to a wrong number, text messages are stored indefinitely on service providers´ servers, and text messages sent in plain text can be intercepted.

Furthermore, mobile devices containing PHI are frequently lost or stolen – potentially exposing PHI to unauthorized access if data on the devices is read. Consequently, without taking appropriate precautions to ensure the confidentiality and integrity of PHI in transit, the only way an affirmative answer could be given to the question “is text messaging HIPAA compliant” is if the text message did not contain any PHI at all.

HIPAA Compliant Messaging

SMS messages are only one text messaging option. There are now many text messaging platforms in use such as Facebook Messenger, Skype, and WhatsApp. In the case of the latter, all messages are encrypted, which satisfies certain HIPAA compliant messaging requirements, but not all of them.

In the case of WhatsApp, messages are encrypted on the sender’s phone and remain encrypted until they arrive at the receiver’s device. The messages are sent through a secure, encrypted tunnel, satisfying HIPAA encryption requirements.

However, ePHI sent via WhatsApp is not stored in a secure manner and the access controls used are not up to the standards required by HIPAA. For example, if you were to lose your phone, unless other security controls have been applied to the device, an unauthorized individual would be able to access your messages, and any ePHI in your WhatsApp account. HIPAA compliant messaging is not only about encrypting data in transit. There must be appropriate access controls, audit controls, and secure storage for messages containing ePHI.

How to Ensure the Integrity of PHI in Transit

A solution to the “is text messaging HIPAA compliant” issue is to implement a secure messaging system. Secure messaging works in a similar way to text messaging inasmuch as users can type out a message, add an attachment and send it to a colleague. However, security mechanisms within the secure messaging solution provide the necessary safeguards to ensure the integrity of PHI in transit.

Messages are encrypted, they can only be sent to colleagues within a covered entity´s communications network, the messages are archived on a separate, secure server and administrative controls enable the remote retraction and deletion of messages if a mobile device is lost or stolen. Due to the ID authentication process, administrators can also PIN-lock apps installed on a mobile device.

Other mechanisms exist to assign message lifespans to communications sent through a secure messaging solution, while users are automatically logged out of their secure messaging apps after a period of inactivity to prevent authorized access to PHI. All user activity is monitored and logged to oversee how users are communicating PHI in text messages and to ensure that secure messaging policies are being adhered to.

The Benefits of HIPAA Compliant Text Messaging

In addition to ensuring the integrity of PHI in transit, there are significant benefits associated with implementing a solution to resolve the issue of “is text messaging HIPAA compliant”. The monitoring of user activity plus features such as delivery notifications and read receipts ensure message accountability. This in turn reduces phone tag and accelerates the communication cycle.

Being able to send and receive PHI “on the go” assists on-call doctors and community nurses, while in-house physicians can also receive lab reports, wound images and test results with secure messaging. A group messaging feature fosters collaboration, and can be used to accelerate hospital admissions and patient discharges – saving time, increasing productivity and enhancing patient satisfaction.

Further benefits can result from the integration of a secure messaging solution with an EMR. The task of updating patient notes can be shared among medical professionals, consultants can prioritize their workflows by organizing their EMR alerts and – according to study conducted in Philadelphia – “advanced EMRs” reduce medication errors (30%) and patient safety incidents (27%).

Further Information about Text Messaging and HIPAA Compliance

This article has only touched on the guidelines used to answer the question “is texting HIPAA compliant”. For further information about the administrative, physical and technical safeguards that have to be in place to ensure the integrity of PHI in transit, you are invited to download and read our “HIPAA Compliance Guide”.

Our guide elaborates on the precautions that healthcare organizations and covered entities should take to prevent unauthorized access to PHI – not only in transit, but also “at rest” – and includes content about the features and benefits of secure messaging solutions to replace unsecure communication channels.