Since the Final Omnibus Rule enacted changes to the Health Insurance Portability and Accountability Act (HIPAA) in 2013, there has been a massive amount of debate regarding HIPAA compliant encryption for text messaging. Much of this debate has been caused by the language used in the technical security measures of the HIPAA Security Rule, which describes the requirements for the encryption of PHI as “addressable” (as opposed to “required”).
Some have taken the word “addressable” to refer to something that is not immediately “required”, whereas the U.S. Department of Health & Human Services defines “addressable” as:
- A requirement that must be put in place unless,
- A different security measure accomplishes the same aim, or
- The covered entity can record an acceptable reason why the requirement has not been put in place.
In relation to HIPAA compliant encryption for text messaging, there are only three possible cases in which the encryption of PHI would not be required and the requirement therefore need not be put in place:
- Text messages do not include PHI.
- Text messages are only shared with patients (allowable in line with the Privacy Rule).
- Text messages travel via an organization's internal server and are safeguarded with a firewall.
This means that, for a healthcare group in which medical staff communicate PHI with each other by text via a public service provider, HIPAA compliant encryption for text messaging is effectively a “required” measure.
Other HIPAA Issues to Address
If HIPAA compliant encryption for text messaging were the sole requirement of the HIPAA Security Rule, it would be a fairly simple requirement to satisfy. There are quite a number of free and paid-for apps that will encrypt messages shared from a desktop or mobile device, but few of them meet the other administrative, physical and technical security measures of the Security Rule.
Text messages have to be reviewed and recorded. Each user must authenticate their identity before accessing PHI, and mechanisms must be in place to stop unauthorized access to PHI if, for instance, a desktop computer or mobile device is left unattended. Additionally, if a mobile device is stolen, the thief would be able to obtain PHI in its unencrypted format.
Due to these additional issues, it is wise to evaluate secure messaging solutions that have been specifically designed with complete HIPAA compliance in mind. Many healthcare groups have already put in place secure messaging solutions in order to meet the requirement of HIPAA compliant encryption for text messaging, and have enjoyed significant advantages as a result.
The Advantages of Secure Messaging Solutions
With HIPAA compliant encryption for text messaging, medical staff and other members of the healthcare sector can send and receive texts including PHI – either in the body of the message or as an attachment – with the same speed and convenience as they currently do.
As secure messaging solutions have mechanisms to achieve 100% message accountability, phone tag is significantly reduced. This means that medical staff have more time available to attend to their duties and, as a consequence, productivity rises – as does the level of healthcare delivered to patients.
All activity on the secure messaging solution is reviewed to ensure the integrity of PHI at rest and in transit. Should a mobile device be stolen, administrative controls permit the remote deletion of messages and PIN-locking of the device. Other security mechanisms exist to stop PHI from leaving a group’s network, or being saved to an external hard drive.