Is Text Messaging HIPAA Compliant?

Given its ease of use, many healthcare organizations and professionals may wonder whether text messaging is HIPAA compliant. Unfortunately, the answer generally is “no,” but there are workaround solutions. Although there are circumstances in which SMS text messaging can be HIPAA compliant, they are few and far between – making it safer for Covered Entities to prohibit texting Protected Health Information (PHI) rather than risk a penalty for violating HIPAA. While HIPAA does not specifically prohibit sending PHI by text, for texting to be HIPAA compliant, safeguards have to be in place to ensure the confidentiality of PHI both at rest and in transit. There also have to be controls over who can access PHI, and over what authorized personnel do with PHI once they access it.

Why It’s Safer to Prohibit Texting PHI

There are many reasons why it’s safer for Covered Entities to prohibit texting PHI rather than allow it. These include – but are not limited to – the lack of access controls, the lack of audit controls, and the lack of encryption. Although encryption is an “addressable” requirement of the HIPAA Security Rule, it’s the only feasible way to ensure the security of PHI in transit.

Looking at these reasons for noncompliance in more depth, with regards to access controls, anybody can pick up an unattended mobile device and read the messages on it. Furthermore, mobile devices can be lost or stolen – which not only potentially exposes PHI to unauthorized access, but the information in the messages can be used to commit insurance fraud or identity theft.

This is why the HIPAA rules for text messaging – or any other form of electronic communication – stipulate that audit controls are necessary to record when PHI is created, modified, accessed, shared, or deleted. It’s simply not possible to implement audit trails for HIPAA compliant text messaging because the technology doesn’t exist that can audit every possible operating system.

Even if there were a way to overcome the HIPAA texting rules for access controls and audit controls, that would not make text messaging HIPAA compliant. There also has to be a way to prevent the interception of plain text messages – or the extraction of plain text messages from carriers’ servers – which is why the encryption of PHI in transit is strongly recommended.

When Is Text Messaging HIPAA Compliant?

It was mentioned above that there are circumstances in which SMS text messaging can be HIPAA compliant, and the most common circumstance concerns HIPAA compliant texting to patients. Texting patient information to patients is allowed by HIPAA provided the Covered Entity has warned the patient that the risk of unauthorized disclosure exists and has obtained the patient’s consent to communicate by text. Both the warning and the consent must be documented.

Other circumstances in which text messaging is HIPAA compliant include employers who provide onsite clinics as an employee health benefit, who provide self-insured health plans for employees, or who act as an intermediary between employees, healthcare providers, and health plans. This is a particularly complex area of HIPAA compliant texting, so we have compiled a separate page to explain the HIPAA texting rules in these circumstances.

It can also be the case that the U.S. Department of Health and Human Services waives the HIPAA rules for text messaging after a natural disaster such as an earthquake or hurricane. In these circumstances, some, but not all, rules related to texting patient data may be waived, and the waiver may be for a fixed time period only or apply to Covered Entities of a certain nature (i.e. healthcare providers) within a geographical location. Waivers are never comprehensive.

One final circumstance in which text messaging is HIPAA compliant is when the Covered Entity has implemented a solution such as a HIPAA compliant messaging app that has the necessary controls and encryption to support HIPAA compliant texting. Even when these apps are used, it is still necessary to comply with the Minimum Necessary Standard and the physical, technical, and administrative safeguards of the HIPAA Security Rule.

HIPAA Compliant Text Messaging Apps

HIPAA compliant text messaging apps have become the go-to solution for resolving the question of “is text messaging HIPAA compliant?” The messaging apps work in much the same way as commercial apps such as WhatsApp, Facebook Messenger, and Skype – so users are familiar with how they work – but they operate within a secure, encrypted network with access controls and audit controls to satisfy the requirements of the HIPAA Security Rule.

The latest generation of HIPAA compliant text messaging apps do more than support HIPAA compliant texting. They enable HIPAA compliant voice and video calls, allow groups to collaborate remotely in a secure environment, and facilitate the sharing of files and images with other authorized users. When integrated with EMR systems, patient information can be sent directly from the text messaging app to the EMR system – saving users valuable time.

With regards to the security and integrity of PHI, all communications are archived on a private cloud and logically separated from other data. Via user-friendly admin control panels, Covered Entities can apply granular role-based permissions and apply messaging policies. The platforms can also be used to remotely retract and delete messages if a mobile device is lost or stolen, PIN-lock apps installed on mobile devices, and extract audit reports.
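To make the access-control and audit-control requirements described above concrete, here is an added illustration (not code from any messaging vendor or from the original article) of a minimal message store that enforces role-based permissions, records an audit event for every create, read, share, and retract of a PHI-bearing message (including denied attempts), and supports the remote retraction an administrator would perform when a device is reported lost. The role names, the permission mapping, and the sample message are assumptions constructed for the demo; encryption at rest and in transit is out of scope here.

```python
"""Added example: role-based access control plus an audit trail for a
HIPAA-style secure messaging store. Roles, permissions and the sample
message are constructed assumptions for this illustration only."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Assumed role -> permitted actions. "read_audit" lets a role pull audit reports.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clinician": {"create", "read", "share"},
    "nurse": {"create", "read"},
    "admin": {"retract", "read_audit"},
    "billing": set(),            # no access to clinical messages at all
}


@dataclass
class AuditEvent:
    timestamp: str               # UTC ISO-8601 time of the attempt
    actor: str                   # user who attempted the action
    action: str                  # create / read / share / retract / read_audit
    message_id: str
    outcome: str                 # "allowed" or "denied"


class SecureMessageStore:
    def __init__(self, users: Dict[str, str]):
        self.users = dict(users)             # user -> role
        self.messages: Dict[str, dict] = {}
        self.audit_log: List[AuditEvent] = []
        self._next_id = 0

    def _decide(self, actor: str, action: str, message_id: str, extra_ok: bool = True) -> None:
        """Authorize one action and record the outcome, allowed or denied,
        before anything touches message content."""
        role = self.users.get(actor)
        allowed = role is not None and action in ROLE_PERMISSIONS.get(role, set()) and extra_ok
        self.audit_log.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                         actor, action, message_id,
                                         "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{actor}: {action} on {message_id} denied")

    def create(self, actor: str, recipients: List[str], body: str) -> str:
        message_id = f"msg-{self._next_id}"  # id is assigned first so a denied create is still auditable
        self._next_id += 1
        self._decide(actor, "create", message_id)
        self.messages[message_id] = {"body": body, "recipients": set(recipients) | {actor}, "retracted": False}
        return message_id

    def read(self, actor: str, message_id: str) -> str:
        msg = self.messages.get(message_id)
        visible = msg is not None and actor in msg["recipients"] and not msg["retracted"]
        self._decide(actor, "read", message_id, visible)
        return msg["body"]

    def share(self, actor: str, message_id: str, new_recipient: str) -> None:
        msg = self.messages.get(message_id)
        ok = (msg is not None and actor in msg["recipients"]
              and not msg["retracted"] and new_recipient in self.users)
        self._decide(actor, "share", message_id, ok)
        msg["recipients"].add(new_recipient)

    def retract(self, actor: str, message_id: str) -> None:
        """Remote retraction, e.g. after a device is reported lost or stolen:
        the body is wiped and every later read attempt is denied and logged."""
        msg = self.messages.get(message_id)
        self._decide(actor, "retract", message_id, msg is not None)
        msg["body"] = None
        msg["retracted"] = True

    def audit_report(self, actor: str, message_id: Optional[str] = None) -> List[AuditEvent]:
        """Pulling the audit trail is itself an audited, permission-gated action."""
        self._decide(actor, "read_audit", message_id or "*")
        return [e for e in self.audit_log if message_id is None or e.message_id == message_id]


def demo() -> dict:
    """Walk through a message lifecycle and return the observable outcomes."""
    store = SecureMessageStore({"dr_lee": "clinician", "nurse_kim": "nurse",
                                "it_admin": "admin", "billing_ann": "billing"})
    mid = store.create("dr_lee", ["nurse_kim"], "Pt 4321: adjust insulin per note")  # constructed sample
    results = {"nurse_reads": store.read("nurse_kim", mid)}
    for label, user in (("billing_reads", "billing_ann"),):
        try:
            store.read(user, mid)
            results[label] = "allowed"
        except PermissionError:
            results[label] = "denied"
    store.retract("it_admin", mid)              # device lost: wipe the message remotely
    try:
        store.read("nurse_kim", mid)
        results["read_after_retract"] = "allowed"
    except PermissionError:
        results["read_after_retract"] = "denied"
    results["audit_actions"] = [(e.actor, e.action, e.outcome) for e in store.audit_report("it_admin", mid)]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design point is that the authorization decision and the audit record are produced by the same call, so there is no code path that reaches message content without leaving a trace, and a denied attempt is logged just as an allowed one is; that is what lets an audit report later show who tried to read PHI they should not have.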

Indeed, the advanced reporting capabilities of latest-generation secure messaging systems can provide valuable insights for Covered Entities. The systems often include powerful analytics packages that give Covered Entities insights into how different teams are communicating with each other and with different departments. These insights allow Covered Entities to make data-driven decisions to further optimize HIPAA compliant communication policies and workflows.