Messaging Standards in Healthcare

In the United States there are strict messaging standards in healthcare to ensure the confidentiality, integrity, and availability of personally identifiable healthcare data and to protect patient privacy. Those messaging standards apply to healthcare providers, health plans, and business associates of those entities and are far more stringent than in many other western countries.

Messaging standards in healthcare in the United States come from the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The Privacy Rule places restrictions on the uses and disclosures of “protected health information” or PHI and the Security Rule requires safeguards to be implemented to protect PHI from being accessed or altered by unauthorized individuals and ensures health information is always available when it is needed.

Messaging Standards in Healthcare for Text Messaging Platforms

The messaging standards in healthcare exist to protect electronic health data at rest and in transit and require the following:

  • Encryption of data at rest
  • End-to-end encryption of data in transit
  • Access controls to limit access to health data with unique login names and PINs/passwords
  • Maintenance of access logs and regular reviews to identify unauthorized activity
  • Maintenance of an audit trail
  • Mechanisms to prevent the accidental destruction of ePHI
  • Sanitization of messages when devices are retired
  • Automatic locking of devices/logging off after a period of inactivity
  • A business associate agreement with the messaging service provider that provides satisfactory assurances that messaging standards are being adhered to

Many healthcare organizations are still reliant on pagers, faxes and landlines, which are not conducive to efficient workflows. The familiarity of text messaging, the speed of communication, and features such as group chat make consumer-grade text platforms an attractive option for improving communication internally between members of the care team. However, while the majority of these platforms have features that allow healthcare professionals to achieve their communication goals, they do not meet messaging standards for healthcare use.

SMS Messages Do Not Meet HIPAA Standards for Safeguarding ePHI

The SMS network offers a fast, easy, efficient and cost-effective way of communicating, but SMS messages are not sufficiently secure for sending personally identifiable health information. Messages can easily be accessed by unauthorized users; the lack of encryption means messages can be intercepted in transit; there are no controls over who can be sent healthcare data; and messages can remain on devices and network providers’ servers indefinitely. As such, messaging standards in healthcare prohibit the use of the SMS network for sending PII unless prior authorization has been obtained from patients in writing. Even then, patients must be informed about the insecure nature of SMS messages.

Text Messaging Platforms for Healthcare Organizations

While text-based communication platforms are used in many industries for collaboration and improving productivity, messaging standards in healthcare are much more stringent. At face value, some messaging apps may appear to provide sufficient protection for health data because they encrypt messages at rest and in transit, but many fall short of the requirements of HIPAA in key areas, making them unsuitable for use in healthcare. These failures could easily warrant a financial penalty for noncompliance from regulators if the apps are used in connection with electronic protected health information (ePHI).

For a text messaging platform to be used in connection with any ePHI, all the requirements of HIPAA must be satisfied, but even then, healthcare organizations must proceed with caution. Some “HIPAA-compliant” messaging platforms put the appropriate controls in place to achieve HIPAA compliance, but the platforms can still easily be used in a non-compliant manner by healthcare employees.

Important Features of Healthcare Messaging Solutions

If you are looking for a messaging solution that meets the messaging standards in healthcare to improve communication efficiency and effectiveness, you need to look beyond HIPAA compliance. You should ensure that the messaging solution is right for your organization and will allow you to achieve all of your goals and optimize clinical and patient workflows to maximize ROI.

Not all healthcare messaging solutions are created equal. While all HIPAA-compliant healthcare messaging solutions will meet the minimum privacy and security standards demanded by HIPAA, you need to ensure they also minimize the potential for user error and fully integrate with your existing workflows, EHR, and other key systems to get the maximum possible benefit. Listed below are some of the key features you should look for in a text-messaging app for healthcare use.

Enforcement of Rules to Ensure HIPAA Compliance

Text messaging platform providers may claim that their communications solutions are HIPAA compliant, but the platforms could still be used in a non-compliant manner. HIPAA requires standards to be met, but it does not specify how compliance is to be enforced within a platform. Platforms should restrict communication to users within the network, ensure that any data transmitted through the application cannot be downloaded onto the user’s device, and prevent copying and pasting of message content. All data should remain within the protection of the application. Healthcare messaging apps should also support automatic deletion of messages after a fixed time period and remote deletion of messages in the event of loss or theft of a device.

Support for Secure Video and Audio Calls

Text messaging may be the preferred method of communication in many situations, but not all. It should not be necessary to switch from a mobile device to a landline for more in-depth consultations. Look for a unified communication and collaboration platform that supports text, video, and voice calls, including group video and group calling.

Message Alerts for Critical Emergency Situations

The platform should support priority messaging, as not all messages are created equal. Multiple messages may be sent to a physician at the same time, so it should be possible to elevate the status of a message in critical situations when an urgent response is required, encouraging a quicker response time.

Support Complex Healthcare Workflows

Many text-messaging apps meet HIPAA standards and are perfectly adequate for certain situations, such as one-on-one consults, but fall short when it comes to supporting complex healthcare workflows. Messaging platforms should allow healthcare organizations to define communication workflows and should support the complex chain of communication in healthcare.

Full Integration with Critical Hospital Systems

To get the most benefit from a text messaging solution in healthcare, it must be capable of integrating seamlessly with other systems, such as the EHR. It should not be necessary to continually check electronic health records to obtain test results, for example. Integration with the EHR will allow alerts to be generated as soon as test results are in. Integration with scheduling systems will ensure messages are sent to the right people at the right time and avoid disturbing workers who are off shift.