We often see health care providers using text messages to quickly communicate small but important pieces of information to Home Health Aides and Nurses about their patients. In general, this enhances the quality of health care and it speeds the flow of information. However, the HIPAA Security and Privacy Rules apply to these micro-communications and it is easy for Home Health Organizations to end up out of compliance.
How does HIPAA apply to Text Messaging?
Text messages are electronic communications. If the content of such a message contains PHI (protected health information), then the text message must comply with HIPAA — and it’s the sender’s responsibility to ensure that it does.
While text messages are quite short, in general:
Modern smart phones allow these messages to be larger and to contain multimedia (e.g. images)
All it takes is one piece of identifying information (e.g. a patient name or id number or phone number) along with one piece of private information (e.g. a lab result, diagnosis, or appointment schedule) and the text message is ePHI.
But Why is Standard Text Messaging not HIPAA Compliant?
If a message containing PHI is being sent via text (SMS) between staff members, then according to HIPAA:
The mobile devices of each staff member should be configured and locked down appropriately
The text message must be communicated from the sending device, though the mobile provider(s) to the recipient’s device in an encrypted manner
The encrypted text message should not be decrypted and stored on the cellular provider’s or any third party’s systems in ways that can be accessed by unauthorized personnel
The healthcare company must have a Business Associate Agreement with any vendors though which their ePHI flows. This ensures that the ePHI will be respected throughout its life cycle, as required by the HIPAA Security Rule and the Omnibus final rule. Encryption by itself is not enough.
The challenges with HIPAA compliance and text messaging are that:
Cellular and messaging providers (e.g. AT&T, Verizon, Sprint, T-Mobile, etc.) will not be signing HIPAA Business Associate Agreements with you
You cannot be guaranteed that the messages travels securely from point to point, that the providers are not reading and/or archiving them, that the government is not intercepting them for anti-terrorism purposes, etc. In fact, there is no guarantee or expectation that any regular text message is transmitted securely the whole way and that it is not saved insecurely in system backups at locations out of your control and outside the scope of HIPAA compliance
Even if you are only sending a text message to yourself, it has to go out through the non-compliant networks of the cellular providers before it gets back to you.
In short, there is no guarantee or expectation of real privacy with any text message. Texts should never be used when there is a chance that ePHI could be communicated.
So, what can you do?
Use of regular text messages (and that includes Apple’s iMessage replacement) should be discounted for use in a HIPAA situation. There are alternatives:
Use secure email (and push email for very fast notifications).
Use specialized HIPAA-compliant Messaging Apps. This is much better than actual text messaging; however, you should be sure that any such company is willing to sign a Business Associate Agreement with you as your data will likely be passing through their computer networks. You should also be sure that use of such an App actually meets your organizations HIPAA needs (e.g. includes archival, backups, emergency access, etc.) Note: just because a company claims that their services are “HIPAA compliant”, doesn’t mean that they are up to the HITECH and Omnibus standards — many of these claims are old or not necessarily true. It is up to you verify that your use of their services is proper for your own particular HIPAA requirements!
If you are still using text messages within your organization and want a secure way to relay sensitive patient information, call us today for a private consultation.