The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Texting in Violation of HIPAA?

Texting in violation of HIPAA can be prevented by either implementing a secure messaging solution that complies with the Technical Safeguards of the HIPAA Security Rule or by obtaining a patient’s consent to communicate via an unsecure channel of communication.

Depending on the content of the text message, who the text message is being sent to, and the mechanisms put in place to ensure the confidentiality and integrity of Protected Health Information (PHI), texting can be HIPAA-compliant in certain circumstances.

Any misunderstanding surrounding texting being in violation of HIPAA comes from the complex language used in the Privacy and Security Rules. These rules do not mention texting per se, but they do lay down certain conditions that apply to electronic communications in the healthcare industry.

So, for example, it is okay to send messages by text provided that the content of the message does not include “personal identifiers”. It is okay for a doctor to send text messages to a patient, provided that the message complies with the “minimum necessary standard”, the patient has given their consent to be contacted by SMS text, and the patient has been warned of the risks of communicating personal information over an unencrypted channel. It is also okay to send messages by text when mechanisms are in place to comply with the technical safeguards of the Security Rule.


The Technical Safeguards of the HIPAA Security Rule

The technical safeguards of the HIPAA Security Rule are the most relevant towards answering the question “When is texting in violation of HIPAA?” This section of the HIPAA Security Rule concerns access controls, audit controls, integrity controls, methods for ID authentication, and transmission security mechanisms when PHI is being transmitted electronically. Among the requirements are:

  • Access to PHI must be limited to authorized users who require the information to do their jobs.
  • A system must be implemented to monitor the activity of authorized users when accessing PHI.
  • Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN.
  • Policies and procedures must be introduced to prevent PHI from being inappropriately altered or destroyed.
  • Data transmitted beyond an organization’s internal firewall should be encrypted to make it unusable if it is intercepted in transit.

Standard “Short Message Service” (SMS) and “Instant Messaging” (IM) text messages often fail on all these counts. Senders of SMS and IM text messages have no control over the final destination of their messages. They could be sent to the wrong number, forwarded by the intended recipient to somebody else, or intercepted while in transit. Copies of SMS and IM messages also remain on service providers’ servers indefinitely with no means of remotely retracting or deleting them.

There is no message accountability with SMS or IM text messages because anybody could pick up someone’s mobile device and use it to send a message – or indeed edit a received message before forwarding it on. For these reasons (and many more) communicating PHI by standard, non-encrypted, non-monitored and non-controlled SMS or IM is texting in violation of HIPAA.

How This Creates a Problem for Healthcare Organizations

Texting in violation of HIPAA is a major problem for healthcare organizations. Over the past few years, more and more medical professionals have come to rely on their personal mobile devices to support their workflows. Indeed, many healthcare organizations have been keen to implement “bring your own device” (BYOD) policies because of the speed and convenience of modern technology and due to the cost-saving benefits.

However, with an estimated 80% of medical professionals now using personal mobile devices, there is a considerable risk of PHI being accessed by unauthorized personnel. Most messaging apps on mobile devices have no log-in or log-off requirements – so they do not comply with the technical safeguards for HIPAA texting – and, if a mobile device is lost or stolen, there is a significant risk that messages containing PHI could be released into the public domain.

The fines for a breach of HIPAA can be considerable. The fine for a single breach of HIPAA can be up to $68,928 per day that the violation responsible for the breach is not attended to. Healthcare organizations that turn a blind eye to texting in violation of HIPAA can also face State Attorney General civil charges on behalf of patients whose data has been exposed if the breach results in identity theft or other fraud.

Penalty Tier   Level of Culpability                           Min. Penalty per Violation   Max. Penalty per Violation   Annual Penalty Limit
Tier 1         Lack of Knowledge                              $137                         $34,464                      $34,464
Tier 2         Reasonable Cause                               $1,379                       $68,928                      $137,886
Tier 3         Willful Neglect                                $13,785                      $68,928                      $344,638
Tier 4         Willful Neglect not Corrected within 30 days   $68,928                      $68,928                      $2,067,813

Resolve Texting Issues with a Secure Messaging Solution

Secure messaging solutions resolve texting issues by encapsulating PHI within a private communications network that can only be accessed by authorized users. Access is gained via secure messaging apps that function in the same way as commercially available messaging apps, but with security mechanisms in place to prevent an accidental or malicious disclosure of PHI.

Once logged into the app, authorized users enjoy the same speed and convenience as SMS or IM text messaging, but are unable to copy and paste encrypted data or save it to an external hard drive. Should there be a period of inactivity on the app, the user is automatically logged off, and all activity on the communications network is monitored to ensure 100% message accountability.

The platforms driving compliant HIPAA texting can be used to apply user permissions by role and granular texting policies; and, when integrated with EMRs, can enable medical professionals to access or update patient information remotely and securely. Secure messaging platforms also have powerful analytics programs that help healthcare organizations identify how users, teams and departments are communicating with each other so IT managers can make data-driven decisions about updating HIPAA texting policies to improve the flow of communication.

Is Texting in Violation of HIPAA? FAQs

If a healthcare provider deletes a text message as soon as it has been sent, is this still a violation of HIPAA?

This depends on the content of the text message. If the message contains no personal identifiers (e.g., it only reminds the recipient of an appointment without mentioning their name or the nature of the appointment) and the recipient has consented to receiving appointment reminders by text, there is no risk of individually identifiable health information being exposed.

If, however, the message contains individually identifiable health information, deleting the text message as soon as it has been sent does not prevent a violation of HIPAA. This is not only because copies of the message can remain on service providers’ servers indefinitely, but also because all systems used to communicate ePHI have to have audit capabilities.

If messaging apps such as WhatsApp have end-to-end encryption, can you text ePHI in compliance with HIPAA using them?

No, because end-to-end encryption is not the only requirement of the HIPAA Security Rule for texting in compliance with HIPAA. For example, any messaging app used to text ePHI must have access controls, audit controls, and a method of removing messages from a user’s device and archiving them securely. This last requirement is important if healthcare professionals use personal devices to text ePHI, as messages will have to be removed from the device if the user changes jobs.

With a secure messaging solution, can you share ePHI with colleagues?

You can share ePHI with colleagues who are using the same messaging solution, but only within the solution’s app. For example, secure messaging allows for in-app collaboration, but not sharing ePHI via unsecure channels of communication (e.g., SMS, email, etc.) or via social media sites. Because of this capability, secure messaging solutions can enhance productivity as well as providing covered entities and business associates with a HIPAA-compliant communications channel.

If I use a secure messaging solution to text ePHI, do I have to change the PIN to unlock my phone?

From a user’s perspective, when you use a secure messaging solution, it is like using any messaging app on your smartphone, but it has its own login requirements. In some cases, this may be a PIN rather than a username and password, but – if so – it will be a different PIN than what you use to unlock your phone and will be issued to you by your IT department. There will be no need to change the PIN on your phone.

Do any of the other Security Rule safeguards apply to texting and HIPAA?

Yes. Areas of compliance such as information access management, staff training, and security incident procedures appear in the Administrative Safeguards, while device management standards appear in the Physical Safeguards. Any covered entity or business associate who implements a HIPAA-compliant text messaging solution must also ensure users adhere to the General Principles for Uses and Disclosures stipulated by the Privacy Rule.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
