Sending patient information by text message has generally been considered a breach of the Health Insurance Portability and Accountability Act (HIPAA), but this is not necessarily true. Text communications between a medical professional and a patient are allowed, provided that the doctor applies the “minimum necessary standard” to reduce the risk of the unauthorized exposure of Protected Health Information (PHI).
Electronic communications between other healthcare professionals and Business Associates are also permitted, provided that all parties involved adhere to the technical requirements of the HIPAA Security Rule. Sadly, most “traditional” channels of text communication do not comply with the technical requirements of the HIPAA Security Rule – exposing healthcare authorities to the risk of civil action and massive fines when a breach of PHI occurs.
HIPAA Security Rule Technical Safeguards
The technical requirements of the HIPAA Security Rule are a number of standards intended to prevent unauthorized access to PHI and safeguard the integrity of Protected Health Information while it is on the move. The requirements concern who has access to PHI, how it is used, how it is secured against inappropriate alteration, the methods for ID authentication, and transmission security.
The requirements apply to sending patient information by SMS, communicating by IM, or sending an email beyond a healthcare group’s internal servers. They require that access to PHI be limited to those who need it to do their jobs (authorized users), that a system for reviewing access to PHI is implemented, that authorized users log into and out of a communications solution, and that all PHI sent beyond an organization’s network is encrypted.
The Problem of Texting Patient Information for Healthcare Authorities
Sending patient information via text message in compliance with HIPAA is a major issue for healthcare bodies – particularly those that have encouraged BYOD policies. It has been calculated that as many as 80% of medical workers use personal mobile devices to help streamline their workflows, and most would be reluctant to give up the speed and convenience of their smartphones, tablets or laptops.
Regardless, the risk of a breach of PHI is substantial. It only takes one lost or stolen smartphone – or one unattended smartphone – holding unencrypted PHI for a healthcare authority to be liable for the unauthorized disclosure of PHI. With fines of up to $50,000 per day for each offence, it makes financial sense for a healthcare organization to find a solution to the problem of texting patient information.
Addressing Patient Texting Problems with Secure Messaging
Secure messaging works in a similar fashion to SMS and IM inasmuch as authorized users can text each other, share images and join group messaging threads to communicate regarding patient healthcare. However, the secure messaging apps that are used to link to a healthcare group’s network have mechanisms in place to comply with the technical requirements of the HIPAA Security Rule.
This means that all activity on the network is reviewed, safeguards are in place to stop PHI from being sent outside of a group’s network, and users are logged out of the network after a period of inactivity. If an authorized user loses their smartphone, mechanisms are in place to remotely erase any communications on the app and PIN-lock it to stop unauthorized access to PHI.
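As an added illustration (not code from the original article or from any secure messaging vendor), the following Python sketch models how a messaging backend can enforce the safeguards described in the two passages above: only authorized users obtain sessions, every action is written to an audit log that can be reviewed, idle sessions are logged out, messages addressed outside the organization’s domain are blocked, delivery is refused unless the channel is encrypted, and a lost device can be remotely wiped. The user names, the `hospital.example` domain, the 15-minute timeout and the sample messages are all assumptions made for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

INACTIVITY_TIMEOUT_S = 15 * 60   # assumed value; the article states no figure


@dataclass
class AuditEntry:
    ts: float
    user: str
    action: str
    outcome: str
    detail: str = ""


@dataclass
class SecureMessaging:
    """Toy model of a secure messaging backend (not a real product).

    Every action is audited, only authorized users get sessions, idle sessions
    expire, PHI may not leave the organization's domain, and delivery requires
    an encrypted channel."""
    authorized_users: Dict[str, str]            # user id -> role (constructed)
    internal_domain: str                        # assumed: "hospital.example"
    clock: Callable[[], float] = time.time      # injectable so tests can advance time
    timeout_s: float = INACTIVITY_TIMEOUT_S
    audit_log: List[AuditEntry] = field(default_factory=list)
    sessions: Dict[str, float] = field(default_factory=dict)      # user -> last activity
    mailboxes: Dict[str, List[str]] = field(default_factory=dict)  # recipient -> stored messages

    def _audit(self, user: str, action: str, outcome: str, detail: str = "") -> str:
        """Append one reviewable record and hand the outcome back to the caller."""
        self.audit_log.append(AuditEntry(self.clock(), user, action, outcome, detail))
        return outcome

    def login(self, user: str) -> str:
        if user not in self.authorized_users:
            return self._audit(user, "login", "denied", "not an authorized user")
        self.sessions[user] = self.clock()
        return self._audit(user, "login", "ok")

    def _touch(self, user: str) -> bool:
        """Return True if the user has a live session; log out sessions idle too long."""
        last = self.sessions.get(user)
        if last is None:
            return False
        now = self.clock()
        if now - last > self.timeout_s:
            del self.sessions[user]
            self._audit(user, "logout", "ok", "inactivity timeout")
            return False
        self.sessions[user] = now
        return True

    def send(self, sender: str, recipient: str, body: str, channel_encrypted: bool) -> str:
        if not self._touch(sender):
            return self._audit(sender, "send", "denied", "no active session")
        if not recipient.endswith("@" + self.internal_domain):
            return self._audit(sender, "send", "blocked", f"recipient {recipient} outside network")
        if not channel_encrypted:
            return self._audit(sender, "send", "blocked", "channel not encrypted")
        self.mailboxes.setdefault(recipient, []).append(body)
        return self._audit(sender, "send", "ok", f"to {recipient}")

    def remote_wipe(self, user: str) -> int:
        """Lost device: end the user's session and purge their stored messages."""
        self.sessions.pop(user, None)
        erased = len(self.mailboxes.pop(user, []))
        self._audit(user, "remote_wipe", "ok", f"{erased} messages erased")
        return erased


def demo():
    """Walk through the safeguards with constructed users and a fake clock."""
    now = [1_000.0]
    svc = SecureMessaging(
        {"dr.lee@hospital.example": "physician", "nurse.kim@hospital.example": "nurse"},
        "hospital.example",
        clock=lambda: now[0],
    )
    doc, nurse = "dr.lee@hospital.example", "nurse.kim@hospital.example"
    results = [
        svc.login("intruder@hospital.example"),                 # denied: not authorized
        svc.login(doc),                                         # ok
        svc.send(doc, nurse, "Bed 4B labs are back", True),     # ok: internal, encrypted
        svc.send(doc, "friend@mail.example", "labs", True),     # blocked: leaves network
        svc.send(doc, nurse, "labs", False),                    # blocked: plaintext channel
    ]
    now[0] += 16 * 60                                           # doctor goes idle
    results.append(svc.send(doc, nurse, "follow-up", True))     # denied: session timed out
    results.append(svc.remote_wipe(nurse))                      # 1 stored message erased
    return results, svc


if __name__ == "__main__":
    outcomes, service = demo()
    print(outcomes)
    for entry in service.audit_log:
        print(entry)
```

Running the block prints the outcome list followed by the audit trail, which is the record a compliance reviewer would inspect; the `channel_encrypted` flag stands in for a property a real deployment would take from the transport (for example a TLS-terminated connection) rather than from the caller.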