JCAHO Bans Physicians from Sending SMS Text Messages to Prevent HIPAA Violations


The Joint Commission on Accreditation of Healthcare has banned physicians and other medical professionals from using SMS text messages to communicate PHI, describing the practice as simply “not acceptable”.

The Health Insurance Portability and Accountability Act (HIPAA) places restrictions on the storage and transmission of patient medical records and other Protected Health Information (PHI). Doctors risk violating the HIPAA Privacy and Security Rules by sending sensitive medical information via SMS. Not only does the person concerned risk exposing patient medical records, the organization for which they work can receive a heavy fine for non-compliance.

The ban was the result of an assessment of the risks involved in sending protected information via text messages; those risks were deemed too high, and the ban was introduced to manage them. At present text messages are viewed as difficult to secure. The ban on text messages by medical professionals does not extend to other forms of mobile communication.

Mobile phone apps, for example, can be used if they are developed to include the required level of security. Provided a mobile communication channel can be made secure and the appropriate security controls are applied to protect PHI, mobile communications could greatly improve efficiency in the healthcare industry.

Alternatively, data encryption can be applied to all protected data, both in storage and in transit. Data encryption is not the same as password protection, which only secures the messages on the sender’s and receiver’s devices. Once a message is sent it can be relayed through numerous servers and stored on any number of network providers’ servers. From there it could potentially be accessed, and messages could easily be intercepted during transmission.

If data is encrypted it does not matter where it is located, copied, stored or downloaded: the data is unreadable without the key needed to decrypt it. If data encryption is used and a mobile communication technology can accommodate it, PHI can be transmitted via that medium.
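The distinction the article draws, between encrypting the data itself and merely locking the handset, can be shown with a short program. The following Go example is added here for illustration and is not part of the original article or of any JCAHO guidance; it assumes both devices already share a key (how that key is provisioned is outside the example) and uses AES-256-GCM, which both encrypts a message and detects any alteration to it. The sample message is constructed and is not real patient data; the "relay" is a stand-in for any carrier server that stores the message on its way to the receiver.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample text standing in for a clinician's message; it is not real PHI.
const sampleMessage = "Patient J. Doe (MRN 000000): lab results ready for review"

// newKey returns a fresh 256-bit AES key. In a deployment the key would be
// provisioned to both devices by a key-management service (an assumption here);
// the carrier's relay never holds it.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealMessage encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// The returned bytes are all that any relay server between sender and receiver stores.
func sealMessage(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and authentication tag after the nonce prefix.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openMessage reverses sealMessage. It fails if the key is wrong or if any byte
// of the stored message was altered in transit, because GCM authenticates the data.
func openMessage(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

// relayCanRead models a carrier server inspecting what it stored: it reports
// whether the plaintext appears anywhere in the stored bytes.
func relayCanRead(stored, plaintext []byte) bool {
	return bytes.Contains(stored, plaintext)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	plaintext := []byte(sampleMessage)

	// A plain SMS: the relay stores the message exactly as typed.
	fmt.Println("plain SMS readable by relay:", relayCanRead(plaintext, plaintext))

	// An end-to-end encrypted message: the relay stores only ciphertext.
	sealed, err := sealMessage(key, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted message readable by relay:", relayCanRead(sealed, plaintext))

	// The receiving device, which holds the key, recovers the text.
	recovered, err := openMessage(key, sealed)
	fmt.Printf("receiver decrypts: %q (err=%v)\n", recovered, err)

	// A message altered in transit is rejected rather than silently accepted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openMessage(key, tampered)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The point of the example is that the relay's copy is useless without the key, whichever server it ends up on, while a device passcode protects only the copies held on the two handsets. The choice of an authenticated mode (GCM) rather than encryption alone is deliberate: a message that was changed in transit is refused outright instead of being decrypted into something misleading.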

However, unless a healthcare organization has a policy of encrypting data, text messages are unsuitable for communicating any personally identifiable information or medical information. Any form of mobile communication should be subjected to a thorough risk assessment to identify security vulnerabilities, and if the risk cannot be effectively managed, electronic communications cannot be used to communicate PHI.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
