
JCAHO Bans Physicians from Sending SMS Text Messages to Prevent HIPAA Violations

The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has banned the use of SMS text messages, saying that the practice of physicians and other medical professionals using text messages to communicate PHI is simply “not acceptable”.

The Health Insurance Portability and Accountability Act (HIPAA) places restrictions on the storage and transmission of patient medical records and other Protected Health Information (PHI). Doctors risk violating the HIPAA Privacy and Security Rules by sending sensitive medical information via SMS. Not only does the person concerned risk exposing patient medical records, the organization for which they work can receive a heavy fine for non-compliance.

The ban was the result of an assessment of the risks involved in sending protected information via text messages; those risks were deemed too high, and the ban was issued to manage them. At present text messages are viewed as difficult to secure. The ban on text messages by medical professionals does not extend to other forms of mobile communication.

Mobile phone apps, for example, can be used if they are developed to include the required level of security. Provided a mobile communication channel can be made secure and the appropriate security controls are applied to protect PHI, mobile communications could greatly improve efficiency in the healthcare industry.


Alternatively, data encryption can be applied to all protected data, both in storage and in transit. Data encryption is not the same as password protection, which only secures the messages on the sender’s and receiver’s devices. Once a message is sent it can be relayed through numerous servers and stored on any number of different network providers’ servers. From there it could potentially be accessed, and messages could easily be intercepted during transmission.

If data is encrypted, it does not matter where it is located, copied, stored or downloaded: the data is unreadable without the key needed to decrypt it. If data encryption is used and a mobile communication technology can accommodate it, PHI can be transmitted via that medium.

However, unless a healthcare organization has a policy of encrypting data, text messages are unsuitable for communicating any personally identifiable information or medical information, and any form of mobile communication should be subjected to a thorough risk assessment to identify security vulnerabilities. If the risk cannot be effectively managed, that form of electronic communication cannot be used to communicate PHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.