What are the HIPAA rules regarding text messaging?


Labelling text messaging as a HIPAA violation is not strictly correct. Depending on the content of the message, who it is shared with, and the mechanisms in place to protect the confidentiality and integrity of Protected Health Information (PHI), texting can comply with HIPAA in certain circumstances.

Any confusion about whether texting violates HIPAA comes from the complex language of the Privacy and Security Rules. These rules do not mention texting as such, but they do lay down stipulations that apply to any electronic communication of PHI in the healthcare sector.

So, for instance, it is acceptable to send text messages whose content contains no PHI, that is, no health information combined with identifiers that would link it to an individual. It is acceptable for a doctor to text a patient provided the message adheres to the “minimum necessary” standard. And it is acceptable to send PHI by text when mechanisms are in place that satisfy the technical safeguards of the HIPAA Security Rule.

HIPAA Security Rule Technical Safeguards

The technical safeguards of the HIPAA Security Rule (45 CFR §164.312) are the most relevant to the question “When is texting in violation of HIPAA?”. They cover access controls, audit controls, integrity controls, person or entity authentication, and transmission security for PHI that is created, stored or transmitted electronically. In summary:

  • Access to PHI must be restricted to authorized users who need the information to do their jobs.
  • Activity by authorized users accessing PHI must be recorded and examined (audit controls).
  • Each user must be assigned a unique identifier, and the system must verify that a person or entity seeking access is who they claim to be.
  • Policies, procedures and technical mechanisms must protect PHI from improper alteration or destruction.
  • PHI transmitted over an electronic communications network must be protected against unauthorized access; in practice this means encrypting it so that an intercepted message is unreadable. (Encryption is formally an “addressable” specification, but an organization that does not encrypt must document an equivalent alternative.)

Standard Short Message Service (SMS) and consumer Instant Messaging (IM) often fail all of these requirements. The sender has no control over where a message ends up: it can be sent to a wrong number, forwarded by the intended recipient, or intercepted in transit, since SMS is not encrypted end to end. Copies of SMS and IM messages may also be kept on carriers´ or service providers´ servers indefinitely.

Nor is there message accountability with SMS or IM: anyone who picks up an unlocked device can send a message as its owner, or alter a received message before forwarding it, and nothing in the message itself reveals the change. For these reasons (among others), sending PHI by standard, unencrypted, unmonitored and uncontrolled SMS or IM is texting in violation of HIPAA.
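To make the safeguards listed above and the SMS failure modes concrete, here is an added example (not code from the original article or from any vendor's product) of a minimal service-side messaging model that enforces them: role-based access control, unique user IDs with a per-user credential, an HMAC tag that binds each message to its sender and addressing so tampering or forgery is detected, replay rejection, and an append-only audit log. Everything in it is constructed for the example: the user directory, roles, keys and the clinical message text are invented, and confidentiality in transit is assumed to come from TLS rather than being modelled.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed directory of enrolled users: a unique user ID, a role, and a
# per-user secret shared with the messaging service. Assumption: this stands in
# for whatever credential a real secure-messaging app issues at enrolment.
USERS = {
    "dr_alice":   {"role": "clinician", "key": secrets.token_bytes(32)},
    "nurse_bob":  {"role": "clinician", "key": secrets.token_bytes(32)},
    "vendor_eve": {"role": "billing",   "key": secrets.token_bytes(32)},
}
PHI_ROLES = {"clinician"}  # roles whose duties require PHI ("minimum necessary")


class IntegrityError(Exception):
    """Envelope failed verification: tampered with, forged, or replayed."""


class SecureMessaging:
    """Service-side model of the controls a plain SMS path does not provide.
    Confidentiality in transit is assumed to come from TLS and is not modelled."""

    def __init__(self, users):
        self.users = users
        self.audit = []         # append-only audit trail (audit controls)
        self.delivered = set()  # message IDs already released (replay defence)

    def _log(self, event, **fields):
        self.audit.append({"event": event, "ts": time.time(), **fields})

    @staticmethod
    def _tag(key, header, body):
        # HMAC over the header AND the body: neither the addressing nor the
        # content can change without the tag failing to verify.
        material = json.dumps(header, sort_keys=True).encode() + b"\x00" + body.encode()
        return hmac.new(key, material, hashlib.sha256).hexdigest()

    def _authorize(self, sender, recipient):
        # Access control: both parties must be enrolled and in a PHI-cleared role.
        for uid in (sender, recipient):
            if uid not in self.users or self.users[uid]["role"] not in PHI_ROLES:
                self._log("denied", sender=sender, recipient=recipient, subject=uid)
                raise PermissionError(f"{uid} is not authorized for PHI messaging")

    def send(self, sender, recipient, body, sender_key):
        """Build an envelope on behalf of the sending device. Only the key
        enrolled for `sender` will later verify, so authorship is attributable."""
        self._authorize(sender, recipient)
        header = {"id": secrets.token_hex(8), "from": sender, "to": recipient}
        self._log("sent", **header)
        return {"header": header, "body": body, "tag": self._tag(sender_key, header, body)}

    def deliver(self, envelope):
        """Verify an envelope before releasing it to the recipient; return the body."""
        header, body, tag = envelope["header"], envelope["body"], envelope["tag"]
        self._authorize(header["from"], header["to"])
        # Person/entity authentication + integrity: recompute with the directory's
        # key for the *claimed* sender; compare_digest avoids timing leaks.
        expected = self._tag(self.users[header["from"]]["key"], header, body)
        if not hmac.compare_digest(expected, tag):
            self._log("rejected", reason="bad_tag", **header)
            raise IntegrityError("tag mismatch: altered, or not from the claimed sender")
        if header["id"] in self.delivered:
            self._log("rejected", reason="replay", **header)
            raise IntegrityError("duplicate message id: replay")
        self.delivered.add(header["id"])
        self._log("delivered", **header)
        return body


def _outcome(action, error):
    try:
        action()
        return "accepted"
    except error:
        return "rejected"


def demo():
    """Happy path plus the four failure modes discussed above; returns a summary."""
    svc = SecureMessaging(USERS)
    alice_key = USERS["dr_alice"]["key"]
    # Constructed sample message; the clinical content is invented.
    env = svc.send("dr_alice", "nurse_bob", "Bed 4: K+ 6.1, please repeat ECG", alice_key)
    results = {"delivered": svc.deliver(env)}
    # 1. Integrity: a relay or the recipient alters the body before forwarding it.
    tampered = dict(env, body=env["body"].replace("6.1", "3.1"))
    results["tampered"] = _outcome(lambda: svc.deliver(tampered), IntegrityError)
    # 2. Accountability: someone without Alice's credential sends as her.
    forged = svc.send("dr_alice", "nurse_bob", "Discharge bed 4 now", secrets.token_bytes(32))
    results["forged"] = _outcome(lambda: svc.deliver(forged), IntegrityError)
    # 3. Replay: the original, valid envelope is presented a second time.
    results["replayed"] = _outcome(lambda: svc.deliver(env), IntegrityError)
    # 4. Access control: PHI addressed to a role whose duties do not need it.
    results["to_vendor"] = _outcome(
        lambda: svc.send("dr_alice", "vendor_eve", "Bed 4 labs attached", alice_key), PermissionError)
    results["audit_events"] = len(svc.audit)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running demo() shows the legitimately sent message being delivered while the tampered copy, the forgery under a non-enrolled key, the replayed envelope and the message addressed to a billing role are all rejected, and every one of those outcomes appears in the audit trail. The contrast with SMS is the point: a carrier relaying plain text has no tag to check, no directory of enrolled credentials to attribute authorship, and no log the organization can inspect.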

How This Causes a Problem for Healthcare Organizations

Texting in violation of HIPAA is a major issue for healthcare organizations. In recent years, an increasing number of medical professionals have come to rely on their personal mobile devices to support their workflows, and many healthcare organizations have been keen to adopt BYOD (bring your own device) policies for the speed and convenience of modern devices and the cost savings they bring.

However, with approximately 80% of medical professionals now using personal mobile devices, there is a serious risk of PHI being accessed by unauthorized people. Most text messaging apps have no separate login or logout, so if a device is lost or stolen, any PHI in its message history is exposed to whoever holds it.

HIPAA penalties can be considerable. Civil penalties are assessed per violation, up to $50,000 per violation (adjusted annually for inflation), and a continuing violation can be counted for every day it persists, subject to an annual cap for each provision violated. Healthcare organizations that fail to address texting in violation of HIPAA may also face civil lawsuits from patients whose data has been exposed if the breach leads to identity theft or other fraud.

Address Text Messaging Issues with a Secure Messaging Solution

Secure text messaging solutions address these issues by keeping PHI within a private communications network that can only be accessed by authorized users. Access is through secure messaging apps that work much like commercially available messaging apps, but with controls in place to prevent accidental or deliberate disclosure of PHI.

Within the app, authorized users get the same speed and convenience as SMS or IM, but cannot send messages containing PHI outside the network, copy and paste message content into other apps, or save it to external storage. After a period of inactivity the user is automatically logged off.

All activity on the network is logged, giving full message accountability and preventing texting in violation of HIPAA. If a device with the secure messaging app installed is lost or stolen, administrators can remotely wipe all content sent to or created in the app and PIN-lock it to prevent further use.