HIPAA Compliant Texting:
Is Text Messaging HIPAA Compliant?
Texting is a quick and easy way to communicate; in the healthcare industry, however, text communication must be limited. There are certain circumstances in which HIPAA compliant texting is possible. Although it is not recommended to communicate with patients via traditional texting platforms, it is HIPAA compliant if, and only if, a patient has given written consent to receive text communications. HIPAA consent to text indicates the specific circumstances in which the patient gives the covered entity (CE) permission to communicate with them via text message.
For instance, a patient may give their CE permission to send appointment reminders by text, but not permission to share medical information with them in this format. Sending medical information through text message is ill-advised; however, a patient may specifically ask their provider to do so. In this case HIPAA SMS guidelines dictate that the provider must make it clear to the patient that this form of communication is not secure. If the patient still wishes to receive their medical information by text, they must give explicit written consent before this is permissible.
Why Texting Should Not be Used for Patient Communication
The HIPAA Security Rule mandates that there must be access controls, audit controls, and encryption securing protected health information (PHI). Generally, these are not available with traditional texting platforms such as iMessage or WhatsApp.
- Access controls ensure that PHI is accessed in accordance with the “minimum necessary standard.” This standard requires that employees access only the minimum PHI necessary to perform a job function. Access controls grant employees access to PHI based on their job roles, since not all employees need access to full patient files. For instance, an employee in the billing department does not need access to a patient’s medical information, just as a nurse wouldn’t need access to a patient’s financial information. Access controls require each employee to have unique login credentials designating the proper level of access to perform their job function.
This is why texting patient information is not the best way to communicate with patients. On a mobile device, messages are easily viewable. You can add a passcode to your phone to protect the message itself, but the patient’s name would still be viewable on a locked phone. When viewed by an unauthorized individual, even with the message concealed, this would be considered a HIPAA breach, as patients’ names are PHI.
- Audit controls monitor who accesses what information, when they access it, and for how long. This is an important aspect of HIPAA compliance, as it establishes normal access patterns that can be attributed to specific individuals. Audit controls are a key component of detecting unauthorized access to PHI, especially by employees. Monitoring access is not possible with traditional texting platforms. As internal threats to PHI are a growing concern in the healthcare space, the lack of audit controls on texting platforms is an issue.
- Encryption, although not explicitly mandated under HIPAA, is the only way to effectively secure PHI. Encryption converts sensitive data to an unreadable form, requiring a decryption key to view the data. Most texting services do not offer encryption, which puts PHI at risk.
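The following is an added example, not code from the original article or from any vendor's product, showing how the first two controls listed above (role-based access under the minimum necessary standard, and an audit trail that attributes each access attempt to a named individual) look in a small messaging back end. The roles, PHI categories, user names and patient records are all constructed for illustration; a real system would also encrypt the stored records, which this stdlib-only sketch does not do.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Minimum necessary standard: each job role may read only the PHI categories
# it needs. The roles and categories here are assumptions for the example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "nurse": {"demographics", "clinical"},       # no financial data
    "billing": {"demographics", "financial"},    # no clinical data
    "receptionist": {"demographics"},            # appointment reminders only
}


@dataclass
class AuditEvent:
    """One audit-log entry: who tried to read what, when, and whether it was allowed."""
    user: str
    role: str
    patient_id: str
    category: str
    allowed: bool
    timestamp: str


class PhiStore:
    """Toy PHI store that enforces role-based access and records every attempt."""

    def __init__(self) -> None:
        # patient_id -> category -> value (constructed sample data goes here)
        self._records: Dict[str, Dict[str, str]] = {}
        self.audit_log: List[AuditEvent] = []

    def put(self, patient_id: str, category: str, value: str) -> None:
        self._records.setdefault(patient_id, {})[category] = value

    def read(self, user: str, role: str, patient_id: str, category: str) -> str:
        """Return the requested PHI if the role permits it; log the attempt either way."""
        allowed = category in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(AuditEvent(
            user=user,
            role=role,
            patient_id=patient_id,
            category=category,
            allowed=allowed,
            timestamp=datetime.now(timezone.utc).isoformat(),
        ))
        if not allowed:
            # Denied attempts are still recorded so they can be reviewed later.
            raise PermissionError(f"{user} ({role}) may not read {category}")
        return self._records[patient_id][category]

    def denied_attempts(self) -> List[AuditEvent]:
        """Audit review helper: every access attempt that was refused."""
        return [e for e in self.audit_log if not e.allowed]


def build_demo() -> PhiStore:
    """Populate a store with constructed data and replay a few access attempts."""
    store = PhiStore()
    store.put("P-001", "demographics", "Jane Example")          # constructed
    store.put("P-001", "clinical", "Follow-up for lab results")  # constructed
    store.put("P-001", "financial", "Balance due: $120")         # constructed

    # Nurse reading a clinical note: within role, allowed.
    store.read("nurse.alice", "nurse", "P-001", "clinical")
    # Receptionist fetching a name for an appointment reminder: allowed.
    store.read("desk.bob", "receptionist", "P-001", "demographics")
    # Billing staff trying to read clinical data: outside role, denied and logged.
    try:
        store.read("bill.carol", "billing", "P-001", "clinical")
    except PermissionError:
        pass
    return store


if __name__ == "__main__":
    demo = build_demo()
    for event in demo.audit_log:
        status = "ALLOWED" if event.allowed else "DENIED"
        print(f"{event.timestamp} {status} {event.user} -> {event.patient_id}/{event.category}")
```

The point of routing every read through one method is that the permission check and the audit record cannot be separated: a denied attempt by the billing user appears in the log with the same detail as an allowed one, which is what makes unusual access patterns by insiders reviewable after the fact.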
HIPAA Compliant Texting Platforms
If your practice wishes to communicate with patients via text message, the best solution is to use a HIPAA compliant texting app. These are specifically designed with HIPAA in mind, with access controls, audit controls, and encryption. They usually sync with your electronic medical record (EMR) system, enabling integration with patient records and patient communication.
In addition, if a mobile device is lost or stolen, HIPAA compliant texting apps allow administrators to wipe PHI from the phone, preventing a breach. Several healthcare breaches occur each year when unencrypted devices with access to PHI are lost or stolen. In these cases, there are expensive HIPAA fines issued and remediation efforts are required to prevent similar breaches from occurring in the future.
When utilizing a HIPAA compliant texting app you must first have a signed business associate agreement (BAA) in place. A BAA specifies the protections that must be in place securing protected health information, mandating that both entities are HIPAA compliant. Without a signed BAA, it is not permitted to use a texting app in conjunction with PHI.
Need Assistance with HIPAA Compliance?
Compliancy Group can help! Our cloud-based compliance software, the Guard™, gives you the flexibility to work on your HIPAA compliance from anywhere that has an internet connection. Our expert Compliance Coaches™ will guide you through our six-stage implementation process, enabling you to Achieve, Illustrate, and Maintain™ HIPAA compliance.