Healthcare organizations and other covered entities are required to put in place a HIPAA text messaging policy as per the administrative security measures of the HIPAA Security Rule. Under §164.308(a)5(i) – commonly referred to as the “Workforce Training and Management” section – the administrative security measures demand that covered entities “implement a security awareness and training program for all members of its workforce.”
“Security awareness” takes in a wide range of potential issues, but none is more significant than the security of Protected Health Information (PHI) – particularly when it is being sent electronically. Almost all of the HIPAA Security Rule is focused on safeguarding PHI, with many measures required to prevent unauthorized access to confidential data. One area of the Security Rule in particular – §164.312(e)1 – is focused on transmission security.
This states that covered entities must “implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” AS a result of the growth of BYOD policies and the volume of medical workers that use personal mobile devices to operate their workflows, texting has become the number one channel of electronic communication for transmitting PHI.
Due to this a HIPAA text messaging policy must be in place so that medical professionals – and other employees of a covered entity – are aware of under in what instances it is allowable to text PHI, and how the texting of PHI should be carried out. As a result of the possible outcomes of a breach of PHI, a HIPAA text messaging policy should also include details of the sanctions that will be applied to any employee who breaches the covered entity’s policies and procedures.
Aren’t These Security Measure “Addressable” Instead of “Required”?
Although the safeguards that are linked to security awareness and the transmission of PHI are titled “addressable” requirements in the HIPAA Security Rule, there is often some confusion regarding what “addressable” actually refers to. “Addressable” requirements are those which are “required” unless:
- a) One, or more than one, alternate security measures are implemented that achieve the same goal, or
- b) A risk assessment has been completed and the security measure is not required to safeguard the integrity of PHI.
Text messages within the healthcare sector are normally broadcast via public networks and public Wi-Fi networks – effectively meaning the implementation of security measures to protect the content of text messages is a “required” safeguard. In tandem with this responsibility to secure PHI in transit comes the responsibility to train staff on the measures brought in to protect the content of text messages – whatever they may be. Due to this there is the requirement to devise, put in place and police a HIPAA text messaging policy.
What Must be Included in a HIPAA Text Messaging Policy?
The provisions made in a HIPAA text messaging policy will be determined by many factors. The manner of healthcare provided, the size of a healthcare group and the organization’s reliance on texts as a form of communication are each factors that would influence the contents of a HIPAA text messaging policy.
Ideally, healthcare bodies should have thorough comprehension of the HIPAA requirements for sharing PHI electronically (including emails along with text messages) and come up with a HIPAA text messaging policy based on their own individual requirements and weaknesses.