Why Texting Should Not be Used for Patient Communication

The HIPAA Security Rule mandates that there must be access controls, audit controls, and encryption securing protected health information (PHI). Generally, these are not available with traditional texting platforms such as iMessage or WhatsApp. 

• Access controls ensure that PHI is accessed in accordance with the “minimum necessary standard.” This standard requires that employees access only the minimum PHI necessary to perform a job function. Access controls provide employees access to PHI based on their job roles since all employees don’t need access to full patient files. For instance, an employee in the billing department does not need access to a patient’s medical information, just as a nurse wouldn’t need access to a patient’s financial information. Access controls require each employee to have unique login credentials designating them the proper level of access to perform their job function.  

This is why texting patient information is not the best way to communicate with patients. On a mobile device messages are easily viewable. You can add a passcode to your phone to protect the message itself, but the patient’s name would still be still viewable on a locked phone. When viewed by an unauthorized individual, even with the message concealed, this would be considered a HIPAA breach as patients names are PHI.

• Audit controls monitor who accesses what information, when they access it, and how long they accessed it for. This is an important aspect of HIPAA compliance as it establishes normal access patterns that can be attributed to specific individuals. Audit controls are a key component of detecting unauthorized access to PHI, especially by employees. Monitoring access is not possible with traditional texting platforms. As internal threats to PHI is a growing concern in the healthcare space, the lack of audit controls on texting platforms is an issue. 

• Encryption, although not explicitly mandated under HIPAA, is the only way to effectively secure PHI. Encryption converts sensitive data to an unreadable form, requiring  decryption key to view the data. Most texting services do not offer encryption which puts PHI at risk. 

HIPAA Compliant Texting Platforms

If your practice wishes to communicate with patients via text message, the best solution is to use a HIPAA compliant texting app. These are specifically designed with HIPAA in mind, with access controls, audit controls, and encryption. They usually sync with your electronic medical record (EMR) system, enabling integration with patient records and patient communication.

In addition, if a mobile device is lost or stolen, HIPAA compliant texting apps allow administrators to wipe PHI from the phone, preventing a breach. Several healthcare breaches occur each year when unencrypted devices with access to PHI are lost or stolen. In these cases, there are expensive HIPAA fines issued and remediation efforts are required to prevent similar breaches from occurring in the future. 

When utilizing a HIPAA compliant texting app you must first have a signed business associate agreement (BAA) in place. A BAA specifies the protections that must be in place securing protected health information, mandating that both entities are HIPAA compliant. Without a signed BAA, it is not permitted to use a texting app in conjunction with PHI.

Need Assistance with HIPAA Compliance?

Compliancy Group can help! Our cloud-based compliance software, the Guard™, gives you the flexibility to work on your HIPAA compliance from anywhere that has an internet connection. Our software will guide you through our implementation process enabling you to Achieve, Illustrate, and Maintain™ HIPAA compliance.