Enterprise IT security news and advice

Text Messaging and HIPAA Compliance

The Health Insurance Portability and Accountability Act is United States legislation that sets the standard for protecting sensitive data of patients. Among other things, it requires that such sensitive data, often called “protected health information” or PHI, is stored, transmitted, and shared in a safe and confidential manner. The regulations apply to healthcare providers, health plans, healthcare clearinghouses, and business associates (BAs) of HIPAA-covered entities. This applies to all forms of PHI, including electronic (ePHI). These covered entities (CEs) and their BAs are expected to develop and follow procedures to ensure that the integrity of the ePHI is maintained.

HIPAA has strict guidelines on how confidential information may be transmitted between individuals. One area that has drawn much debate in recent years is the use of text messages, or “short message services” (SMS), to communicate PHI. Both the Privacy Rule and the Security Rule cover the use of electronic means to transmit PHI, but the language used is complex. Organisations will require a thorough understand of HIPAA regulations to ensure that they are not accidentally in violation of the rules; the fines for non-compliance are hefty, and ignorance of the regulations is not deemed an acceptable excuse.

Neither the Privacy Rule nor the Security Rule explicitly ban the use of text messages while communicating ePHI. However, that is not to say that text messages are fully HIPAA compliant. There are several issues that can arise with the use of text messages to transfer confidential information if the appropriate safeguards are not in place. For example, if they are sent to the wrong recipient, they cannot be recalled. If an unencrypted mobile device is stolen, then an unauthorised individual may be able to access the ePHI of many patients. Hacking has become a huge threat to the healthcare industry in recent years due to the black market value of healthcare information. If text messages are sent over services such as WhatsApp or iMessage, then they may be accessed through a public WiFi network. Text messages are stored indefinitely on the provider’s servers, adding more security risks to the mix.

Text messages that do not contain any ePHI or “personal identifiers” are HIPAA compliant. They may also HIPAA-compliant if they follow the “minimum necessary” standard; when information is shared, the amount shared should be restricted to the minimum necessary information to achieve the specific purpose for which it is disclosed. However, in general, text messages should not be considered HIPAA-compliant.

HIPAA has been updated since it was first introduced in 1996 to account for the updates in technology and the widespread use of text messages and electronic communications. In 2000, the Privacy Rule was introduced to HIPAA regulations to update the policies regarding the use and disclosure of PHI, including in an electronic form. The Security Rule was introduced in 2003 to establish further protections on ePHI. Covered entities (CEs) must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit with the appropriate administrative, technical, and physical safeguards.

Some of the safeguards required by HIPAA’s Security Rule include:

  • audit controls
  • integrity controls
  • access controls
  • ID authentication
  • transmission security

For example, in order to meet the standards required by the access controls, every user in the organisation’s network must be assigned a unique login and PIN for the device which they use to transmit the ePHI, such as a mobile device or laptop. Therefore, all of the communications relating to the ePHI may be monitored and logged, and there is accountability for all messages. Furthermore, any device which is used to transmit ePHI must have an automatic logoff function if the device is left unattended to prevent unauthorised access to the device and the information it holds. The standard for transmission security includes specifications for integrity open controls and encryption that CEs must consider thoroughly. Any ePHI sent as an attachment to a text message must be “unreadable, undecipherable and unusable”.

Secure Messaging Solutions

A viable alternative to the use of text messages in transmitting ePHI is implementing a secure messaging system. These systems are often easy for individuals to switch to using; the interface is nearly identical to normal text messaging software. However, they are fundamentally more secure than text messages, as their software has inbuilt security systems to provide the necessary safeguards for the transmission of ePHI. The use of a secure messaging system is a good way of allowing users the benefits of instant messaging which providing compliance with HIPAA regulations.

Secure messaging systems use encryption to protect the information contained in the text message and its attachments. Each individual is issued a unique ID, and two-step authentication is often used to access the device. The systems also only allow for the information to be sent within the organisation’s network, reducing the chances of accidental breaches of ePHI. The messages are archived on a secure server, which also allows for facile retrieval of the information should it be needed again. If a device is lost or stolen, the system allows for administrators to remove information from the device and remove it from the network remotely. All activity on the secure system’s network is monitored, so there is accountability for all messages sent on the system.

Conclusions on HIPAA-Compliant Text Messaging

Text messages are an efficient way for information to be transferred between individuals in an organisation. They allow for easier collaboration, and quick response times in comparison to other methods such as email. However, they pose a serious threat to the security of ePHI if they are not used in an appropriate manner. Most messaging apps do not have adequate safeguards to ensure the contents of the messages remain secure. Secure messaging systems provide an alternative which meets all of the technical and administrative safeguards needed to prevent unauthorised access to ePHI. This helps ensure medical professionals and those in the healthcare industry ensure that the use of text messages can be fully HIPAA-compliant.