“Your way, right away” carries the day here, apologies to Burger King. If a provider cannot send the text message securely, the provider must notify the patient of the risk of unsecured text transmission. If the patient, having been warned, consents to text receipt, the provider can send the message. The Burger King standard does not apply, though, in cases where a text request is made under some other provision of HIPAA.
Say, for example, another provider wants records containing ePHI texted to that provider. The Privacy Rule allows the disclosure without patient authorization if the disclosure is for treatment purposes. That’s the Privacy Rule. The Privacy Rule right of access provision is said to put patients “in the driver’s seat” when it comes to how patients choose to access their health information. While patients requesting their own records to be texted can choose to accept unsecure transmissions, providers, lawyers, schools, and other entities cannot make this choice. These other entities’ temptation to send unsecure texts to third parties must take a backseat to the HIPAA security rule, which requires that text messages be transmitted with appropriate administrative, physical, and technical safeguards. The topic of HIPAA compliant secure text messaging is discussed in greater detail below.
What is HIPAA Compliant Secure Text Messaging? A Fork in the Road
The issue of whether a provider is required to use HIPAA compliant secure texting (and therefore required to use a HIPAA compliant secure texting service) depends upon who asks for the text to be transmitted, and who that person wants to receive the text.
HIPAA Compliant Secure Text Rules for Path 1: Patient Requests Records for Patient Use
Under the Privacy Rule’s use and disclosure provisions, providers are permitted to disclose patient records to patients. The right of access provision requires a provider to allow patients to inspect and obtain copies of their PHI maintained in a designated record set, for as long as the provider maintains that protected health information in the designated record set.
Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a provider or health plan to make decisions about individuals.
Under the right of access provision, a covered entity must provide the individual with access to the PHI in the form and format requested by the individual, as long as the PHI is readily producible in that form and format. Under HHS guidance, if a patient requests that a copy of their PHI be transmitted electronically, the provider must honor the request so long as the provider is capable of doing so, and the risk to the security of PHI on its systems in responding to such requests is not intolerable. (By the way, since HHS expects that all entities have the capability to transmit PHI by mail or email, HHS will only buy the “intolerable” argument if a risk analysis determines that there is an unacceptable security risk to a provider’s information systems themselves. The fact that unencrypted ePHI may be intercepted while in transit is not an “intolerable risk.”)
The provider, before transmitting PHI by unsecured text (transmitting PHI without adhering to one or more of the Security Rule administrative, physical, or technical safeguard provisions), must inform the patient that there is a risk that an unencrypted text may be intercepted, and must obtain consent from the patient in which the patient acknowledges that risk but nonetheless consents to the transmission. The consent should be made in writing, and documented.
Of course, not every transmission by text is unsecure. HIPAA compliant secure texting services exist. Suppose a provider uses one of these services, and sends a text using this service to a patient who receives and opens the text using the service. In that case, the text is not “unsecure,” and therefore, the patient need not be warned that there are risks associated with unsecure transmissions (the patient must still consent to receiving the message by text, though).
Is HIPAA compliant secure text messaging a myth? If not, what are these HIPAA compliant secure text services? The answers are “no,” and “Luxsci” (to name just one), respectively.
HIPAA compliant secure text messaging has two features: (1) the HIPAA compliant secure texting service is provided by a provider’s HIPAA compliant business associate, who has signed a business associate agreement with the provider; and (2) the data, while it is both in motion and at rest, is secured in accordance with the Security Rule (meaning, access controls, audit controls, integrity controls, authentication controls, and transmission controls – the technical safeguards of the Security Rule – have been properly implemented, along with physical and administrative safeguards).
HIPAA Compliant Secure Text Messaging Rules for Path 2: Patient Directs Provider to Send Records to Third Party
What if an individual wants their provider to send their PHI to a third party via text? Is HIPAA compliant secure texting required?
Under the Privacy Rule, the right of an individual to have PHI sent by their provider directly to a third party is an extension of the right of access. This means that when a patient directs a provider to send PHI to a third party, all of the Privacy Rule provisions that apply when the individual obtains their own access also apply when the provider is directed to send the information.
This also means that the provider must provide the third party with access to the PHI in the form and format requested by the individual, as long as the PHI is readily producible in that form and format. Suppose a patient requests that a copy of their PHI be transmitted to the third party electronically. In that case, the provider must honor the request so long as the provider is capable of doing so, and the risk to the security of PHI on its systems in responding to such requests is not intolerable.
If a patient directs the provider to send PHI to the third party via unencrypted email or text, must the provider comply? Yes. The patient remains “in the driver’s seat” in this situation. The individual may direct the provider to send an unencrypted text as long as the provider warns the patient of the security risks to the PHI associated with the unsecure transmission, and obtains the patient’s consent to proceed. If a breach occurs during transit, the provider is not liable for the unauthorized disclosure. And, the provider is not liable for what happens to the PHI once the third party receives the PHI as directed by the patient.
What about breach notification? Say an individual requests that the provider transmit the PHI to the third party in an insecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintains her preference to have the PHI sent in that manner. A breach occurs during transmission. Is the provider required to furnish breach notification to individuals and HHS? No. The provider is not required to provide breach notification if PHI is impermissibly disclosed during transmission. The provider has “immunity” (so to speak) from compliance with the breach notification rule in this situation.
HIPAA Compliant Secure Text Rules for Path 3: Provider Wants to Send Text to Third Party
What if a provider (call it Provider 1) wants to disclose a patient’s PHI to another provider (call it Provider 2) for its own (Provider 1’s) treatment or payment purposes, or for the treatment or payment purpose of Provider 2?
The Privacy Rule allows such disclosures between providers without a provider having to obtain written patient authorization to the disclosure. Provider 1 may obtain the patient’s consent to the disclosure, but is not required to.
If Provider 1 wants to text PHI to Provider 2, does Provider 1 need to use a HIPAA compliant secure text messaging service? Yes. This scenario does not implicate the right of access, Burger King, or the patient being in the driver’s seat. This means the provider must comply with the Security Rule administrative, physical, and technical safeguards in transmitting a text.
Suppose a provider fails to use HIPAA compliant secure text messaging when it makes a disclosure to another provider, and PHI is intercepted because it was unsecure. In that case, the breach is on the sending provider, who must notify the patient and HHS of the breach in accordance with the breach notification rule.