There is a fair amount of confusion regarding HIPAA laws and texting. Some IT professionals believe that texting Protected Health Information (PHI) is permissible in certain circumstances, whereas others claim that texting should never be used to communicate PHI.
The truth of the matter is that HIPAA does not refer to texting at all. It requires only that certain administrative, physical and technical security measures be in place to ensure the integrity of PHI when it is “in transit”, i.e. being sent by any electronic method.
The nature of the administrative, physical and technical security measures would suggest that “Short Message Service” (SMS) texts and “Instant Message” (IM) texts are not HIPAA compliant. This is because the person who sent the message does not have absolute control over third-party access to the message once it has left their mobile device.
Before looking at what security measures have to be put in place to resolve conflicts between HIPAA laws and texting, let's first look at some scenarios that explain why they are necessary.
When a text message that includes PHI leaves a mobile device, there is a chance that it could be sent to the incorrect number, that the recipient of the message subsequently loses their mobile phone, or that the text message is intercepted in transit. It should also be noted that copies of SMS and IM messages remain indefinitely on service providers' servers.
To address these potential breaches of PHI, the HIPAA laws about communicating PHI state (among other guidelines) that there should be a system established where messages can be remotely retracted and deleted. To stop unauthorized access to PHI in transit or while a message is saved on a server, the content of the message and any attachments must be encrypted.
Although applications now exist that enable you to retract a sent message, they are not much use if it is your own mobile device that has been stolen. Apps also exist that allow you to encrypt your text messages. However, for this to be effective in a healthcare organization, everybody would have to be using the same encryption software, and the decryption key would have to be stored on a different device.
In addition to this, other regulations concerning HIPAA laws and texting PHI stipulate that there has to be a mechanism in place to validate the identity of the message sender and the recipient. There must also be a system of message accountability in place, and all transmissions of PHI have to be reviewed and recorded. This means that every text message including PHI has to be logged.
To address any confusion about HIPAA laws and texting, it is advisable for healthcare organizations to investigate secure messaging solutions. Secure messaging solutions have all the security measures in place to ensure compliance with the HIPAA laws for sending PHI without sacrificing the speed and convenience of SMS and IM.
The solutions work by establishing a private communications network, through which authorized users can share and receive PHI either via a desktop computer or via apps that can be installed on any mobile device. Activity on the network is reviewed by a secure messaging platform, which also produces access logs and audit reports to assist with the preparation of risk assessments, while security mechanisms allow administrators to remotely delete PHI from a lost or stolen mobile device.