Is Texting in Violation of HIPAA?

To say that texting is in violation of HIPAA is not strictly true. Depending on the content of the text message, who the message is being sent to, and the mechanisms put in place to protect the confidentiality and integrity of Protected Health Information (PHI), texting can comply with HIPAA in certain circumstances.

Any misunderstanding about texting being in violation of HIPAA comes from the complex language used in the Privacy and Security Rules. These rules do not mention texting by name, but they do lay down conditions that apply to any electronic communication of PHI in the healthcare industry.

So, for example, it is acceptable to send messages by text provided that the content of the message does not include any of the personal identifiers that make information PHI. It is acceptable for a doctor to send text messages to a patient, provided that the message complies with the “minimum necessary” standard and the patient has been warned of the risks of communicating personal information over an unencrypted channel and has chosen to accept them. It is also acceptable to send PHI by text when mechanisms are in place to comply with the technical safeguards of the HIPAA Security Rule.

The Technical Safeguards of the HIPAA Security Rule

The technical safeguards of the HIPAA Security Rule are the most relevant to answering the question “When is texting in violation of HIPAA?” This part of the Security Rule covers access controls, audit controls, integrity controls, person or entity authentication, and transmission security for PHI that is transmitted electronically. Among the requirements are:

  • Access to PHI must be limited to authorized users who need the information to do their jobs.
  • A system must be implemented to record and examine the activity of authorized users when they access PHI.
  • Each user authorized to access PHI must be assigned a unique identifier and must authenticate their identity (for example with a centrally issued username and password or PIN), so that every action can be traced to an individual.
  • Policies and procedures must be introduced to protect PHI from improper alteration or destruction.
  • PHI transmitted beyond the organization's own network should be encrypted so that it is unusable if intercepted in transit. Encryption is an “addressable” specification: an organization that does not implement it must document why and what equivalent measure it uses instead.

Standard Short Message Service (SMS) and consumer Instant Messaging (IM) text messages often fail on every one of these counts. Senders have no control over the final destination of their messages: a message can be sent to the wrong number, forwarded by the intended recipient to somebody else, or intercepted in transit, since SMS is not end-to-end encrypted. Copies of SMS and IM messages can also remain on the carrier's or service provider's servers, and the sender has no way to remotely retract or delete them.

There is no message accountability with SMS or IM either, because anybody who picks up an unlocked mobile device can use it to send a message, or edit a received message before forwarding it on, with nothing tying the message to the individual who actually sent it. For these reasons (and others) communicating PHI by standard, non-encrypted, non-monitored and non-controlled SMS or IM is texting in violation of HIPAA.

How This Creates a Problem for Healthcare Organizations

Texting in violation of HIPAA is a major problem for healthcare organizations. Over the past few years, more and more medical professionals have come to rely on their personal mobile devices to support their workflows. Indeed, many healthcare organizations have been keen to implement “bring your own device” (BYOD) policies because of the speed and convenience of modern technology and the cost savings involved.

However, with an estimated 80% of medical professionals now using personal mobile devices, there is a considerable risk of PHI being accessed by unauthorized persons. Most consumer messaging apps have no log-in requirement and no automatic log-off, so they do not satisfy the technical safeguards for HIPAA texting, and if a device is lost or stolen, any messages containing PHI are readable by whoever holds it unless the device itself is locked and encrypted.

The penalties for a breach of HIPAA can be considerable. Civil monetary penalties are assessed per violation, up to $50,000 per violation, and where a violation continues, each day it is not corrected can be counted as a separate violation, subject to an annual cap for violations of the same provision. Healthcare organizations that turn a blind eye to texting in violation of HIPAA can also face civil lawsuits from the patients whose data has been exposed if the breach results in identity theft or other fraud.

Penalties for Texting in Violation of HIPAA

  Level of culpability              Minimum      Maximum
  Did Not Know                      $100         $50,000
  Reasonable Cause                  $1,000       $50,000
  Willful Neglect – Corrected       $10,000      $50,000
  Willful Neglect – Not Corrected   $50,000      $1,500,000

Minimum and maximum amounts are per violation; $1,500,000 is the annual cap for all violations of an identical provision and applies to every tier. The figures are those set by the 2013 HIPAA Omnibus Rule and have since been adjusted for inflation.

Resolve Texting Issues with a Secure Messaging Solution

Secure messaging solutions resolve these texting issues by keeping PHI within a private communications network that can only be accessed by authorized users. Access is gained through secure messaging apps that function in the same way as commercially available messaging apps, but with security mechanisms in place to prevent accidental or malicious disclosure of PHI.

Once logged into the app, authorized users enjoy the same speed and convenience as SMS or IM text messaging, but are prevented from copying and pasting PHI out of the app or saving it to external storage. After a period of inactivity the user is automatically logged off, and all activity on the communications network is logged so that every message can be traced to the individual who sent it.

The platforms driving compliant HIPAA texting can apply user permissions by role and granular messaging policies; and, when integrated with EMRs, they let medical professionals update patient information remotely and securely. Secure messaging platforms also include analytics that show healthcare organizations how users, teams and departments communicate with each other, so that IT managers can make data-driven decisions about updating HIPAA texting policies to improve the flow of communication.