The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Text Messaging HIPAA Compliant?

Text messaging is not HIPAA compliant, and unencrypted SMS messages should not be used for communicating ePHI unless a patient has initiated contact by SMS or requested provider-patient communications by text message – in which case healthcare providers can use text messaging provided reasonable safeguards are applied. Given its ease of use, many healthcare organizations and professionals may wonder whether text messaging is HIPAA compliant. The answer is generally “no,” but there are exceptions.

Although there are circumstances in which SMS text messaging can be HIPAA compliant, they are few and far between – making it safer for covered entities to prohibit texting electronic Protected Health Information (ePHI) rather than risk a penalty for violating HIPAA. While HIPAA does not prohibit sending PHI by text, for texting to be HIPAA compliant, safeguards must be in place to verify the identity of the recipient, warn the recipient of the risks of sending ePHI by text, and document that the recipient acknowledges the risks but wants to continue regardless.

Why It’s Safer to Prohibit Texting ePHI

There are many reasons why it’s safer for covered entities to prohibit texting PHI rather than allow it. These include – but are not limited to – the lack of access controls, the lack of audit controls, and the lack of encryption. Although encryption is an “addressable” requirement of the HIPAA Security Rule, it’s the only feasible way to ensure the security of ePHI in transit.

Looking at these reasons for noncompliance in more depth, with regards to access controls, anybody can pick up an unattended mobile device and read the messages on it. Mobile devices can be lost or stolen – which not only potentially exposes ePHI to unauthorized access, but the information in the messages can be used to commit insurance fraud or identity theft.


This is why the HIPAA rules for text messaging – or any other form of electronic communication – stipulate that audit controls are necessary to record when ePHI is created, modified, accessed, shared, or deleted. It’s simply not possible to implement audit trails for HIPAA compliant text messaging because the technology doesn’t exist that can audit every possible operating system.

Even if there were a way to overcome the HIPAA texting rules for access controls and audit controls, that would not make text messaging HIPAA compliant. There also has to be a way to prevent the interception of plain text messages – or extraction of plain text messages from carriers’ servers – which is why the encryption of ePHI in transit is strongly recommended.

When Is Text Messaging HIPAA Compliant?

There are circumstances in which SMS text messaging can be HIPAA compliant. The most common circumstance concerns texting with patients. Texting ePHI to patients is allowed by HIPAA when a patient has initiated contact by SMS or requested provider-patient communications by text message. In this circumstance, the covered entity must warn the patient that the risk of unauthorized disclosure exists and obtain the patient’s consent to communicate by text. Both the warning and the consent must be documented.

Other circumstances in which text messaging is HIPAA compliant include employers who provide onsite clinics as an employee health benefit, who provide self-insured health plans for employees, or who act as an intermediary between employees, healthcare providers, and health plans. This is a particularly complex area of HIPAA compliant texting, so we have compiled a separate page to explain the HIPAA texting rules in these circumstances.

It can also be the case that the U.S. Department of Health and Human Services waives the HIPAA rules for text messaging after a natural disaster such as an earthquake or hurricane. In these circumstances, some, but not all, rules related to texting patient data may be waived, and “enforcement discretion” may be applied for a fixed time period only or apply to covered entities of a certain nature (i.e. healthcare providers) within a geographical location. Waivers are never comprehensive.

One final circumstance in which text messaging is HIPAA compliant is when the covered entity has implemented a solution such as a HIPAA compliant messaging app that has the necessary controls and encryption to support HIPAA compliant texting. Even when these apps are used, it is still necessary to comply with the Minimum Necessary Standard and the physical, technical, and administrative safeguards of the HIPAA Security Rule.

HIPAA Compliant Text Messaging Apps

HIPAA compliant text messaging apps have become the go-to solution for resolving the question of “is text messaging HIPAA compliant?” The messaging apps work in much the same way as commercial apps such as WhatsApp, Facebook Messenger, and Skype – so users are familiar with how they work – but they operate within a secure, encrypted network with access controls and audit controls to satisfy the requirements of the HIPAA Security Rule.

The latest generation of HIPAA compliant text messaging apps do more than support HIPAA compliant texting. They enable HIPAA compliant voice and video calls, allow groups to collaborate remotely in a secure environment, and facilitate the sharing of files and images with other authorized users. When integrated with EMR systems, patient information can be sent directly from the text messaging app to the EMR system – saving users valuable time.

With regards to the security and integrity of ePHI, all communications are archived on a private cloud and logically separated from other data. Via user-friendly admin control panels, covered entities can apply granular role-based permissions and apply messaging policies. The platforms can also be used to remotely retract and delete messages if a mobile device is lost or stolen, PIN-lock apps installed on mobile devices, and extract audit reports.

Indeed, the advanced reporting capabilities of latest-generation secure messaging systems can provide valuable insights for covered entities. The systems often include powerful analytics packages that give covered entities insights into how different teams are communicating with each other and with different departments. These insights allow covered entities to make data-driven decisions to further optimize HIPAA compliant communication policies and workflows.

FAQs

Is text messaging HIPAA compliant?

Text messaging is not HIPAA compliant when ePHI is communicated via SMS messaging for a reason other than those explained above. This is because SMS messaging lacks the necessary Security Rule safeguards, and copies of SMS messages can remain on carriers’ servers indefinitely. Effectively, covered entities have no control over how ePHI is further used or disclosed once a text message containing ePHI is sent.

Why is it safer for covered entities to prohibit texting ePHI?

It is safer for covered entities to prohibit texting ePHI due to the lack of access controls, audit controls and encryption. If patients request to be contacted by text, covered entities should implement a secure messaging solution or adapt an existing communication channel so that ePHI can be communicated with patients without security risks.

Why are audit controls necessary for electronic communications of ePHI?

Audit controls are necessary for electronic communications of ePHI because it is necessary to ensure that only authorized members of the workforce access ePHI, that they only transmit the minimum necessary ePHI (where applicable), and that – if modifications are made to ePHI or ePHI is deleted – covered entities can establish who modified or deleted the information.

How can text messaging become HIPAA compliant?

Text messaging can become HIPAA compliant if the text messaging capabilities of a communications platform are configured to comply with the administrative, physical, and technical safeguards of the Security Rule. Covered entities adopting or integrating a secure text messaging capability into an existing communications platform will need to enter into a Business Associate Agreement with the software vendor (if a different vendor from an existing Agreement) and train authorized users on how to use the capability in compliance with HIPAA.

What are HIPAA compliant text messaging apps?

HIPAA compliant text messaging apps are apps similar to common messaging apps like WhatsApp or Skype that have the required controls to comply with the HIPAA Security Rule. This not only means end-to-end encryption (which both WhatsApp and Skype have), but also event logs and audit controls to determine when ePHI is accessed, who accesses it, and what they do with it.

When might the U.S. Department of Health and Human Services waive the HIPAA rules for text messaging?

The U.S. Department of Health and Human Services can waive the HIPAA rules for text messaging following a natural disaster such as a hurricane or wildfires, or during a public health emergency – such as during the recent COVID-19 pandemic. When these events occur, some – but not all – rules relating to the communication of patient data can be waived. It is important for covered entities to be aware of which rules have been waived and the circumstances for which texting ePHI is allowed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
