HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Texting Patient Information

When Is It Possible to Send Patient Information by Text?

Texting patient information has generally been considered a violation of the Health Insurance Portability and Accountability Act (HIPAA), but that is not always the case. Text communications between a medical professional and a patient are permissible, provided the professional applies the “minimum necessary” standard to limit the Protected Health Information (PHI) included in each message, the patient has been warned that text messages may expose their personal information, and the patient’s signed consent has been obtained.

Electronic communications between healthcare professionals, and between covered entities and their Business Associates, are also allowed, provided that all parties adhere to the technical safeguards of the HIPAA Security Rule. Unfortunately, most “traditional” text channels do not meet those safeguards (SMS, for example, is not encrypted end to end and leaves plaintext copies on the handset), exposing healthcare organizations to civil action and substantial fines if a breach of PHI occurs.

What Are the Technical Safeguards of the HIPAA Security Rule?

The technical safeguards of the HIPAA Security Rule (45 CFR 164.312) are a set of standards intended to prevent unauthorized access to electronic PHI and to protect its integrity, both at rest and in transit. They cover access control (who can see PHI and how it is used), audit controls, integrity controls against improper alteration or destruction, person or entity authentication, and transmission security. The audit controls exist so that an organization can demonstrate the other safeguards are actually being implemented and enforced.

The requirements apply to texting patient information by SMS, communicating by IM, or sending email beyond a healthcare organization´s internal servers. They require that access to PHI is limited to those who need it to do their jobs (authorized users), that access to PHI is logged and monitored, that authorized users authenticate to the communications solution and log out of it, and that all PHI sent beyond an organization´s network is encrypted. Devices used to text patient information must also log off automatically after a period of inactivity, so an unattended device does not become an open window onto PHI.

The Issue of Texting Patient Information for Healthcare Authorities

Texting patient information in compliance with HIPAA is a major issue for healthcare authorities – particularly those that have encouraged “bring your own device” policies. It has been estimated that as many as 80% of medical professionals use personal mobile devices to help streamline their workflows, and most would be reluctant to give up the speed and convenience of their smartphones, tablets or laptops.

Nonetheless, the risk of a breach of PHI is substantial. It only takes one lost, stolen or unattended smartphone containing unencrypted PHI for a healthcare organization to be liable for an unauthorized disclosure. With civil penalties of up to $50,000 per violation, and each day a violation continues counting as a further violation, it makes financial sense for a healthcare organization to find a solution to the issue of texting patient information.

Resolving Patient Texting Issues with Secure Messaging

Secure messaging works in a similar way to SMS and IM inasmuch as authorized users can text each other, share images and join group messaging threads to collaborate on patient healthcare. The latest generation of secure messaging solutions also support group voice calls. However, the secure messaging apps that are used to connect to a healthcare organization´s network have mechanisms in place to comply with the technical requirements of the HIPAA Security Rule.

This means that all activity on the network is monitored, safeguards are in place to prevent PHI being transmitted outside an organization´s network and users are logged out of the network after a period of inactivity. If an authorized user loses their smartphone, mechanisms are in place to remotely delete any communications on the app and PIN-lock it to prevent unauthorized access to PHI.

Via a web-based admin portal, healthcare organizations can apply granular, role-based access controls and enforce HIPAA texting policies. These mechanisms make it less likely that doctors and nurses texting patient information will unintentionally disclose PHI, and much harder for a malicious insider to share, modify, or delete PHI without authorization.
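To make the safeguards described in this section and in the earlier section on the Security Rule concrete, here is a small Python model of what a secure messaging backend has to enforce: session authentication, role-based access that grants only the minimum necessary for each role, automatic log-off after inactivity, a guard that blocks PHI from leaving the organization’s domain, an audit trail of every decision, and remote wipe of a lost device. This is an added illustration written for this page, not code from any messaging product; the idle timeout, organization domain, roles, users and messages are all constructed.

```python
"""Toy model of HIPAA Security Rule technical safeguards in a secure
messaging backend. Illustration only: every name and value is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from secrets import token_hex

IDLE_TIMEOUT = timedelta(minutes=5)   # assumed automatic log-off period
ORG_DOMAIN = "example-hospital.org"   # constructed organization domain

# role -> permitted actions: the minimum necessary for that job (assumed roles)
PERMISSIONS = {"clinician": {"send", "read_clinical"},
               "billing": {"send", "read_billing"}}


@dataclass
class Session:
    user: str
    role: str
    device_id: str
    last_activity: datetime


@dataclass
class SecureMessaging:
    sessions: dict = field(default_factory=dict)      # token -> Session
    device_cache: dict = field(default_factory=dict)  # device_id -> local copies
    lost_devices: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)     # audit controls
    threads: dict = field(default_factory=lambda: {"clinical": [], "billing": []})

    def _audit(self, user, action, outcome, detail=""):
        self.audit_log.append({"user": user, "action": action,
                               "outcome": outcome, "detail": detail})

    def login(self, user, role, device_id, now):
        """Credential verification is assumed to have happened; issue a session."""
        if device_id in self.lost_devices:
            self._audit(user, "login", "denied", "device reported lost")
            return None
        token = token_hex(16)
        self.sessions[token] = Session(user, role, device_id, now)
        self._audit(user, "login", "ok", device_id)
        return token

    def _authorize(self, token, action, now):
        """Access control: live session, not idle-expired, role permits the action."""
        s = self.sessions.get(token)
        if s is None:
            self._audit("unknown", action, "denied", "no such session")
            return None
        if now - s.last_activity > IDLE_TIMEOUT:
            del self.sessions[token]                  # automatic log-off
            self._audit(s.user, action, "denied", "logged off after inactivity")
            return None
        if action not in PERMISSIONS.get(s.role, set()):
            self._audit(s.user, action, "denied", f"role {s.role} not permitted")
            return None
        s.last_activity = now
        return s

    def send(self, token, recipient, text, thread, now):
        s = self._authorize(token, "send", now)
        if s is None:
            return False
        if not recipient.endswith("@" + ORG_DOMAIN):  # PHI must stay in-network
            self._audit(s.user, "send", "blocked", f"recipient outside {ORG_DOMAIN}")
            return False
        msg = {"from": s.user, "to": recipient, "text": text}
        self.threads[thread].append(msg)
        self.device_cache.setdefault(s.device_id, []).append(msg)
        self._audit(s.user, "send", "ok", recipient)
        return True

    def read(self, token, thread, now):
        s = self._authorize(token, "read_" + thread, now)
        return None if s is None else list(self.threads[thread])

    def report_lost(self, device_id):
        """Revoke every session on the device and wipe its local message cache."""
        self.lost_devices.add(device_id)
        for tok in [t for t, s in self.sessions.items() if s.device_id == device_id]:
            del self.sessions[tok]
        wiped = len(self.device_cache.pop(device_id, []))
        self._audit("admin", "remote_wipe", "ok", f"{device_id}: {wiped} wiped")
        return wiped


def demo():
    """Walk the safeguards with constructed data and return each outcome."""
    svc, t0 = SecureMessaging(), datetime(2024, 1, 8, 9, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    tok = svc.login("dr.smith", "clinician", "phone-1", t0)
    r = {"send_inside": svc.send(tok, "nurse.jones@example-hospital.org",
                                 "Pt 4821: K+ 5.9, please recheck", "clinical", m(1)),
         "send_outside": svc.send(tok, "dr.smith@gmail.example",
                                  "fwd pt 4821 labs", "clinical", m(2)),
         "send_after_idle": svc.send(tok, "nurse.jones@example-hospital.org",
                                     "follow-up", "clinical", m(10))}  # 8 min idle
    clerk = svc.login("billing.clerk", "billing", "phone-2", t0)
    r["clerk_reads_clinical"] = svc.read(clerk, "clinical", t0)
    r["clerk_reads_billing"] = svc.read(clerk, "billing", t0)
    svc.login("dr.smith", "clinician", "phone-1", t0)
    r["wiped"] = svc.report_lost("phone-1")
    r["login_lost_device"] = svc.login("dr.smith", "clinician", "phone-1", t0)
    r["audit_denied"] = [e["detail"] for e in svc.audit_log if e["outcome"] != "ok"]
    return r
```

The model deliberately leaves out the transport: encryption in transit is the job of TLS between the app and the backend, and the credential check behind `login` would be the organization’s identity provider. In a real deployment the audit log would also need to be append-only and tamper-evident, since it is the evidence that the other safeguards were enforced.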