Even though HIPAA does not specifically rule out sharing Protected Health Information (PHI) by text, a system of administrative, physical and technical safeguards has to be in place to ensure the confidentiality and integrity of PHI when it is “in transit” – i.e. being communicated between medical professionals or covered entities.
Typical SMS messages – the sort of message typically sent from one mobile device to another – are not HIPAA compliant. This is because they lack encryption, there are no tools to prevent a text message being sent to a wrong number, text messages are stored indefinitely on service providers’ servers, and text messages sent in plain text can be accessed.
Additionally, mobile devices containing PHI frequently go missing or are stolen – potentially exposing PHI to unauthorized access if data on the devices is read. Because of this, without appropriate precautions to ensure the confidentiality and integrity of PHI on the move, the only way an affirmative reply could be given to the question “is text messaging HIPAA compliant” is if the text message did not include any PHI at all.
Messaging in a HIPAA Compliant Manner
SMS messages are only one text messaging solution. There are now many text messaging services in use such as Facebook Messenger, Skype, and WhatsApp. With WhatsApp, all messages are encrypted, which meets certain HIPAA compliant messaging requirements, but not all of them.
In the case of WhatsApp, messages are encrypted on the sender’s phone and remain encrypted until they reach the receiver’s device. The messages are transmitted through a secure, encrypted tunnel, satisfying HIPAA encryption requirements.
However, ePHI sent using WhatsApp is not stored in a safe manner and the access controls used are not up to the standards required by HIPAA. For example, if your phone were to go missing, unless other security controls have been used on the device, an unauthorized person would be able to access your messages, and any ePHI in your WhatsApp account. HIPAA compliant messaging is not just about encrypting data in transit. There must be proper access controls, audit controls, and secure storage for messages containing ePHI.
How to Safeguard the Integrity of PHI on the Move
A possible way to address the “is text messaging HIPAA compliant” issue is to adopt a secure messaging system. Secure messaging works in a similar way to text messaging in that users can type out a message, add an attachment and send it to a co-worker. However, security mechanisms within the secure messaging solution put in place the necessary safeguards to ensure the integrity of PHI on the move.
Messages are encrypted, they can only be shared with colleagues within a covered entity's communications network, the messages are held on a separate, secure server and administrative controls allow the remote retraction and deletion of messages if a mobile device goes missing or is stolen. As a result of the ID authentication process, administrators can also PIN-lock apps downloaded to a mobile device.
Other mechanisms are in place to assign message lifespans to communications sent via a secure messaging solution, while users are automatically logged out of their secure messaging apps after a period of inactivity to stop unauthorized access to PHI. All user activity is reviewed and logged to oversee how users are sending PHI in text messages and to ensure that secure messaging policies are being adhered to.
The Advantages of HIPAA Compliant Text Messaging
Along with ensuring the integrity of PHI in transit, there are massive benefits associated with implementing a solution that allows HIPAA compliant text messaging. The monitoring of user activity plus features such as delivery alerts and read receipts ensure message accountability. This in turn minimizes phone tag and accelerates the communication cycle.
Sending and receiving PHI “on the go” helps on-call doctors and community nurses, while in-house medics can also receive laboratory reports, wound images and test results with secure messaging. A group messaging feature allows collaboration, and can be used to speed up hospital admissions and patient discharges – saving time, driving up productivity and enhancing patient satisfaction.
Further advantages can come from integrating a secure messaging solution with an EMR. The role of updating patient notes can be shared among medical workers, consultants can prioritize their workflows by arranging their EMR alerts and – according to a study conducted in Philadelphia – “advanced EMRs” lessen medication errors (30%) and patient safety incidents (27%).