What are the HIPAA Rules Regarding Text Messaging?


Labeling text messaging as a HIPAA violation is not strictly correct. Whether text messages are a violation of HIPAA Rules depends on the content of the text message, who the text message is being sent to, and the mechanisms established to ensure the confidentiality and integrity of protected health information (PHI). In certain circumstances, texting can be in compliance with HIPAA rules.

Any confusion regarding texting being a violation of HIPAA comes from the complex language used in the Privacy and Security Rules. These rules do not refer to texting as such, but they do lay down certain requirements that apply to electronic communications in the healthcare sector.

For instance, it is acceptable to send messages by text provided the content contains no “personal identifiers” (the information that would make the message individually identifiable health information). A doctor may text a patient provided the messages adhere to the “minimum necessary” standard. It is also acceptable to send PHI by text message when mechanisms are implemented to comply with the technical safeguards of the HIPAA Security Rule.

HIPAA Security Rule Technical Safeguards

The HIPAA Security Rule technical safeguards are the most relevant to the question “When is texting in violation of HIPAA?”. This section of the Security Rule covers access controls, audit controls, integrity controls, person or entity authentication, and transmission security for PHI that is transmitted electronically. The requirements include:

  • Access to PHI must be restricted to authorized users who require the information to perform their work duties.
  • A system must be in place to record and examine the activity of authorized users when they access PHI.
  • Each person accessing PHI must have a unique user identification, and the system must verify that the person is who they claim to be (for example with a password, PIN or other credential) before granting access.
  • Policies and procedures must be established to prevent PHI from being improperly altered or destroyed, with a means to detect such changes.
  • Data transmitted beyond an organization’s internal network should be encrypted so that it is unusable if intercepted in transit. Encryption is an “addressable” specification: an entity that does not implement it must document why and what equivalent measure it uses instead.

Standard “Short Message Service” (SMS) and consumer “Instant Messaging” (IM) text messages often fail to meet these requirements. Senders have no control over a message once it has been sent: it can be addressed to the wrong recipient, or forwarded by the intended recipient to someone not authorized to view the information. SMS is not encrypted end to end, and many IM platforms offer no end-to-end encryption either, so messages can be read if intercepted in transit or at the provider. Further, copies of SMS and IM messages may be retained on service providers’ servers indefinitely.

There is no message accountability with SMS and most IM text message services, so it is recommended never to use these platforms for sending PHI. Sending PHI via SMS, or via an IM service that is not covered by a business associate agreement with the covered entity, is a violation of HIPAA.

How This Causes Problems for Healthcare Organizations

Texting in violation of HIPAA is a major issue for healthcare organizations. In recent years, an increasing number of medical professionals have come to rely on their personal mobile devices to support their workflows. Indeed, many healthcare organizations have been keen to put in place BYOD policies because of the speed and convenience of modern technology and due to the financial benefits that can be gained from allowing the use of the devices in the workplace.

However, with approximately 80% of medical professionals now using personal mobile devices, there is a serious risk of PHI being accessed by or disclosed to unauthorized individuals. Most text messaging apps on mobile devices require no separate login and do not lock on their own by default, so if a device is lost or stolen, messages containing PHI stored on it can be read by whoever holds it.

HIPAA penalties can be considerable. The civil penalty for a single violation can be as high as $50,000, subject to annual caps for repeated violations of the same provision. Healthcare organizations that do not address texting that violates HIPAA Rules risk significant financial penalties.

Address Text Messaging Issues with a Secure HIPAA-Compliant Messaging Solution

Secure text messaging solutions resolve texting issues by containing PHI within a private communications network that can only be accessed by authorized users. Access is granted via secure messaging apps that function in the same manner as commercially available messaging apps, but with security mechanisms in place to stop an accidental or deliberate disclosure of PHI.

When using the app, authorized users enjoy the same speed and convenience as SMS or IM text messaging, but cannot send messages containing PHI outside of the communications network, copy and paste data outside the app, or save it to an external storage device. After a set period of inactivity, the app automatically logs the user off.

All activity on the communications network is monitored and an audit trail is maintained, so that, in contrast to SMS and IM services, every message can be accounted for. If a mobile device on which the secure messaging app is installed is lost or stolen, administrators can remotely wipe all content sent to or created in the app and PIN-lock it to prevent further use.

With these apps healthcare professionals have the convenience of text messaging, without the risk of committing an accidental HIPAA violation.
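The two controls described above, a gate that keeps messages containing identifiers from leaving the controlled network (the “personal identifiers” point in the first section) and an audit trail that makes every message accountable (the secure messaging description in this section), can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the page, from HHS, or from any vendor’s product. The identifier patterns, the MRN format, the trusted domain `secure-msg.example`, the sample messages and the function names `find_identifiers`, `AuditLog` and `send_message` are all assumptions made for illustration. Pattern matching of this kind catches only formatted identifiers (SSNs, phone numbers, dates, e-mail addresses, record numbers); names and free-text descriptions slip through, so it supplements, and does not replace, containing PHI within the network.

```python
"""Outbound message gate: scan a draft for common identifier formats, refuse to
let flagged content leave the trusted messaging domain, and record every
decision in a tamper-evident, hash-chained audit log (message accountability).
Added example for illustration; not a vendor's or regulator's code."""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Formats for a subset of the identifier types the Privacy Rule lists. The MRN
# layout is an assumption; real deployments use their own identifier formats.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}

# Assumption: recipients at this domain are inside the controlled network.
TRUSTED_DOMAIN = "secure-msg.example"


def find_identifiers(text: str) -> list:
    """Return the identifier categories whose patterns match the text."""
    return sorted(name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text))


class AuditLog:
    """Append-only log; each entry's MAC also covers the previous entry's MAC,
    so altering or deleting any earlier entry is detected by verify()."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    @staticmethod
    def _canonical(fields: dict) -> bytes:
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

    def _mac(self, fields: dict) -> str:
        return hmac.new(self.key, self._canonical(fields), hashlib.sha256).hexdigest()

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        fields = {**record, "prev": prev}
        entry = {**fields, "mac": self._mac(fields)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            fields = {k: v for k, v in entry.items() if k != "mac"}
            if entry["prev"] != prev or not hmac.compare_digest(self._mac(fields), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


def send_message(log: AuditLog, sender: str, recipient: str, text: str, now=None):
    """Gate one message: returns (allowed, reason) and logs the decision."""
    found = find_identifiers(text)
    internal = recipient.lower().endswith("@" + TRUSTED_DOMAIN)
    if found and not internal:
        allowed, reason = False, "blocked: %s found, recipient outside trusted network" % ", ".join(found)
    else:
        allowed, reason = True, "allowed"
    log.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "sender": sender,
        "recipient": recipient,
        "identifiers": found,
        "allowed": allowed,
        # Log a digest, not the body, so the audit trail does not itself hold PHI.
        "msg_sha256": hashlib.sha256(text.encode()).hexdigest(),
    })
    return allowed, reason


if __name__ == "__main__":
    # Constructed sample messages for demonstration.
    log = AuditLog(key=b"demo-key-rotate-in-production")
    phi = "Pt Doe, DOB 03/14/1975, MRN 00123456 needs follow-up"
    print(send_message(log, "dr.a@secure-msg.example", "dr.b@secure-msg.example", phi))
    print(send_message(log, "dr.a@secure-msg.example", "nurse@personal-mail.example", phi))
    print(send_message(log, "dr.a@secure-msg.example", "nurse@personal-mail.example",
                       "Room 4 is ready for the 2 pm consult"))
    print("audit chain intact:", log.verify())
    log.entries[1]["allowed"] = True  # tamper with a past decision
    print("audit chain intact after tampering:", log.verify())
```

The audit log stores a hash of the message rather than the message itself, so the log can be retained and reviewed without becoming another copy of PHI, and the HMAC key should be held by the logging service, not by the clients whose actions it records.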