“Your way, right away” carries the day here, apologies to Burger King. If a provider cannot send the text message securely, the provider must notify the patient of the risk of unsecured text transmission. If the patient, having been warned, consents to text receipt, the provider can send the message. The Burger King standard does not apply, though, in cases where a text request is made under some other provision of HIPAA.
Say, for example, another provider wants records containing ePHI texted to that provider. The Privacy Rule allows the disclosure without patient authorization if the disclosure is for treatment purposes. That is the Privacy Rule’s use and disclosure provision, not its right of access provision. The right of access provision is said to put patients “in the driver’s seat” when it comes to how patients choose to access their health information. While patients requesting that their own records be texted can choose to accept unsecured transmissions, providers, lawyers, schools, and other entities cannot make this choice. These other entities’ temptation to send unsecured texts to third parties must take a backseat to the HIPAA Security Rule, which requires that text messages be transmitted with appropriate administrative, physical, and technical safeguards. The topic of HIPAA compliant secure text messaging is discussed in greater detail below.
What is HIPAA Compliant Secure Text Messaging? A Fork in the Road
The issue of whether a provider is required to use HIPAA compliant secure texting (and therefore required to use a HIPAA compliant secure texting service) depends upon who asks for the text to be transmitted, and who that person wants to receive the text.
HIPAA Compliant Secure Text Rules for Path 1: Patient Requests Records for Patient Use
Under the Privacy Rule’s use and disclosure provisions, providers are permitted to disclose patient records to patients. The right of access provision requires a provider to allow patients to inspect and obtain copies of their PHI maintained in a designated record set, for as long as the provider maintains that protected health information in the designated record set.
Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a provider or health plan to make decisions about individuals.
Under the right of access provision, a covered entity must provide the individual with access to the PHI in the form and format requested by the individual, as long as the PHI is readily producible in that form and format. Under HHS guidance, if a patient requests that a copy of their PHI be transmitted electronically, the provider must honor the request so long as the provider is capable of doing so and the risk to the security of PHI on its systems in responding to such requests is not intolerable. By the way, since HHS expects that all entities have the capability to transmit PHI by mail or email, HHS will only buy the “intolerable” argument if a risk analysis determines that there is an unacceptable security risk to the provider’s information systems themselves. The fact that unencrypted ePHI may be intercepted while in transit is not, by itself, an “intolerable risk”.
Before transmitting PHI by unsecured text (that is, transmitting PHI without adhering to one or more of the Security Rule’s administrative, physical, or technical safeguard provisions), the provider must inform the patient that there is a risk that an unencrypted text may be intercepted, and must obtain consent from the patient in which the patient acknowledges that risk but nonetheless consents to the transmission. The consent should be made in writing and documented.