Is Texting a Violation of HIPAA?

The use of SMS messages or an instant messaging service in a healthcare setting has the potential to violate HIPAA Rules. When are texting and instant messaging acceptable, and when is texting a violation of HIPAA Rules?

When is Texting a Violation of HIPAA?

Texting is common in the healthcare industry, as in many other industry sectors. Many healthcare organizations have been keen to implement BYOD policies and take advantage of the convenience of mobile devices, which can result in faster communication and can help to cut costs.

The healthcare industry may have embraced mobile technology, but there is considerable confusion over the use of SMS messages in healthcare and whether texting is a violation of HIPAA Rules. HIPAA does not specifically mention SMS messages, because the legislation is technology-neutral, which adds to the confusion.

HIPAA may not mention SMS messages, but the HIPAA Security Rule does cover electronic communications with respect to PHI and applies to SMS communications and instant messaging services.

There is certainly nothing wrong with healthcare professionals sending texts to one another. It is not a HIPAA violation to use SMS messages, and it is perfectly acceptable for doctors to send SMS messages to patients if that is how patients prefer to receive information and have given their consent to receive SMS messages.

It is also acceptable for text messages to be used to communicate PHI, but only if the technical safeguards stipulated in the HIPAA Security Rule are applied. If not, texting is a violation of HIPAA Rules.

IM and SMS Messages and the HIPAA Security Rule

The technical safeguards detailed in the HIPAA Security Rule cover access controls, audit controls, and controls to ensure that the confidentiality, integrity and availability of PHI are safeguarded.

While many aspects of HIPAA apply to text messages, the key requirement is to ensure that PHI can only be accessed by authorized individuals.

HIPAA also requires a system to be implemented that allows communications to be monitored, and an audit trail must be maintained. Healthcare organizations must also introduce policies and procedures to prevent PHI from being altered or accidentally deleted. Any communication of PHI must be safeguarded to prevent interception and accidental disclosure. If PHI is sent beyond the protection of a firewall, it must be encrypted or protected by an equivalent measure that provides a similar level of security.

SMS messages do not meet the requirements of the HIPAA Security Rule, so texting is a violation of HIPAA if ePHI and personal identifiers are included in the messages. SMS messages do not have appropriate access controls to prevent unauthorized individuals from gaining access to messages. If a mobile device is lost or stolen, SMS messages containing PHI could be viewed by the person who finds the device or by the thief who stole it.

Messages could also be intercepted in transit as they are not encrypted. SMS messages are stored on the servers of service providers and can remain there indefinitely. SMS messages could also be sent to the incorrect recipient and there is no audit trail to allow communications to be monitored.

So, is texting a violation of HIPAA? Yes, unless a secure text messaging platform is used.

Covered Entities Can Avoid a HIPAA Violation Penalty by Using a Secure Text Messaging Service

A HIPAA-compliant secure text messaging service incorporates several safeguards to prevent unauthorized access and keep all communications secure. Access controls ensure that only the intended recipient of a message can view it. Message recipients are required to authenticate their identities before access to the messages is granted. Users are also logged off from the system following a predefined period of inactivity. Devices can be remotely wiped in the event of loss or theft. All message activity is monitored and a HIPAA-compliant audit trail is maintained.

Messages can only be sent to individuals who have been added to the network by the administrator and are sent via a private communications network. Communications are also protected by end-to-end encryption to ensure messages cannot be intercepted.
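The following is an added illustration, not code from any messaging vendor: a toy gateway that enforces the controls just described (administrator-only enrollment, authenticated sessions that lapse after inactivity, rejection of messages addressed outside the private network, remote wipe, and an audit entry for every action). Timestamps are passed in explicitly so the idle timeout is easy to exercise; the 900-second timeout is an assumed value, and transport encryption is assumed to be handled by the channel rather than modelled here.

```python
IDLE_TIMEOUT = 900  # seconds of inactivity before automatic logoff (assumed value)

class SecureMessagingGateway:
    """Toy model of a closed, audited messaging network: only the administrator
    can enroll users, every action needs a live session, sessions expire on
    inactivity, and every action is written to the audit trail."""
    def __init__(self, admin):
        self.admin = admin
        self.users = set()   # enrolled by the administrator only
        self.sessions = {}   # user -> timestamp of last activity
        self.inbox = {}      # user -> list of (ts, sender, text)
        self.audit = []      # (ts, actor, action, detail) tuples
    def _log(self, ts, actor, action, detail=""):
        self.audit.append((ts, actor, action, detail))
    def enroll(self, actor, user, now):
        if actor != self.admin:
            raise PermissionError("only the administrator may add users")
        self.users.add(user)
        self.inbox.setdefault(user, [])
        self._log(now, actor, "enroll", user)
    def login(self, user, now):
        if user not in self.users:
            raise PermissionError("user not enrolled in the private network")
        self.sessions[user] = now
        self._log(now, user, "login")
    def _require_session(self, user, now):
        last = self.sessions.get(user)
        if last is None or now - last > IDLE_TIMEOUT:
            self.sessions.pop(user, None)  # inactivity logoff
            self._log(now, user, "auto_logoff")
            raise PermissionError("no active session; authenticate again")
        self.sessions[user] = now  # activity refreshes the idle timer
    def send(self, sender, recipient, text, now):
        self._require_session(sender, now)
        if recipient not in self.users:  # blocks misdirected messages to outsiders
            self._log(now, sender, "send_rejected", recipient)
            raise ValueError("recipient is not in the private network")
        self.inbox[recipient].append((now, sender, text))
        self._log(now, sender, "send", recipient)
    def read(self, user, now):
        self._require_session(user, now)  # recipient must be authenticated
        self._log(now, user, "read")
        return list(self.inbox[user])
    def remote_wipe(self, actor, user, now):
        if actor != self.admin:
            raise PermissionError("only the administrator may wipe a device")
        self.inbox[user] = []
        self.sessions.pop(user, None)
        self._log(now, actor, "remote_wipe", user)
```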

In short, secure messaging solutions incorporate all of the security controls necessary to satisfy HIPAA Rules, and service providers will also sign business associate agreements with healthcare organizations.

Provided one of these services is used, healthcare professionals can text PHI without violating HIPAA Rules. However, without such a service, sending ePHI via text message is a HIPAA violation and could attract a significant penalty for non-compliance.