A HIPAA texting policy is a document that should be put together after a risk assessment has been completed to identify any weaknesses in the way PHI is currently communicated between employees, medical professionals and Business Associates.
The document should stipulate the circumstances in which it is permissible to send PHI by text, guidelines for the way in which PHI should be sent by text, and the sanctions that will be applied if the HIPAA texting policy is not complied with.
The aim of the document is to make sure everybody who has access to PHI is fully aware of their duties to safeguard its integrity. HIPAA is an exceptionally complex piece of legislation, and it is important that potential misinterpretations of the legislation are not permitted to develop into bad practices.
Problems with HIPAA Compliant Texting Policies
There can be problems with HIPAA compliant texting policies. Not every healthcare group or covered entity has a mechanism in place for monitoring access to and communication of PHI, and many medical facilities still allow their employees to share text messages including PHI from personal mobile devices without the necessary safeguards in place.
This means that any HIPAA texting policy would be unenforceable, unless it completely forbade the use of text messages in the workplace. However, text messaging has been seen to speed up the communications cycle and enhance productivity in a medical group, so completely prohibiting the use of text messages is likely to be counter-productive.
A further issue may arise if an employee's mobile device is lost or stolen. A significant number of PHI breaches are due to lost and stolen mobile devices and, with no way to remotely delete messages received on the device, healthcare organizations would be exposed to regulatory fines and civil action if the loss or theft led to unauthorized access to PHI.
How Secure Messaging Overcomes the Problems
A solution to these problems is for healthcare groups to implement a secure messaging platform. A secure messaging platform creates a private network that encapsulates text messages, permits the monitoring of user activity, and has administrative controls to remotely retract and erase messages on lost or stolen devices.
The platform allows authorized users to access the private network only after they have authenticated their identity with a centrally-issued username and PIN. Thereafter, authorized users can send and receive messages including PHI with the same speed and convenience as standard, non-compliant SMS text messages.
Other features on the platform help healthcare groups comply with the administrative, physical and technical requirements of the HIPAA Security Rule. However, the implementation of a secure messaging platform does not replace the requirement to produce a HIPAA texting policy. It supplies a mechanism for monitoring user activity and thus makes HIPAA compliant texting policies enforceable.
A HIPAA texting policy is just one of the many policies that have to be developed by a healthcare group in order to be compliant with HIPAA. Security management policies, information access policies, security incident policies and contingency plans are all necessary under the HIPAA Security and Privacy Rules.