Is Texting PHI in Violation of HIPAA?
Under certain circumstances, transmitting protected health information (PHI) via text message is a violation of the Health Insurance Portability and Accountability Act (HIPAA). Whether or not the text message is a violation depends on the contents of the message, to whom the message was sent, and the protections placed on the PHI while in transit.
Texting offers many benefits to healthcare professionals, primarily by allowing rapid communication and improving efficiency in patient care. Therefore, texting is an attractive communication option and is becoming increasingly widespread.
HIPAA addresses using text messages to transmit PHI in its Privacy and Security Rules. However, the rules are somewhat ambiguous. Many healthcare organizations have reported confusion as to what constitutes a texting violation.
HIPAA states that employees of covered entities (CEs) can send messages by text if the content of the message does not include “personal identifiers”. They also allow for a doctor to send text messages to a patient if that message complies with the “minimum necessary standard” they outline. All messages sent by text must comply with the technical safeguards of the HIPAA Security Rule to prevent a violation from occurring.
HIPAA’s Security Rule addresses the access controls, audit controls, integrity controls, methods for ID authentication, and transmission security mechanisms when PHI is being transmitted electronically.
The requirements outlined by these rules include:
- Access to PHI must be limited to authorized users who require the information to do their jobs.
- A system must be implemented to monitor the activity of authorized users when accessing PHI.
- Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN.
- Policies and procedures must be introduced to prevent PHI from being inappropriately altered or destroyed.
- Data transmitted beyond an organization's internal firewall should be encrypted to make it unusable if it is intercepted in transit.
These safeguards apply any time PHI is sent via text message. However, standard “Short Message Service” (SMS) and “Instant Messaging” (IM) texts often fail to adhere to any of these guidelines. One of the many gaps is that senders of SMS and IM text messages cannot control the ultimate destination of their messages. Sending texts carries several risks, such as the text being sent to the wrong number, forwarded by the intended recipient, or intercepted while in transit. The fact that copies of SMS and IM messages also remain on service providers' servers indefinitely poses a severe security risk.
There is no message accountability with SMS or IM text messages because of the ease with which someone can use someone else's mobile device to send or edit a message. Therefore, a CE cannot guarantee that the integrity of the PHI will be maintained.
Most messaging apps on mobile devices have the user permanently logged in and, if a mobile device is lost or stolen, there is a significant risk that messages containing PHI could be released into the public domain.
For these reasons, communicating PHI by standard, non-encrypted, non-monitored and non-controlled SMS or IM is texting in violation of HIPAA.
Resolution: Secure Messaging Solution
Although HIPAA covered entities cannot use text messaging to transmit PHI, there is a HIPAA-compliant alternative: secure messaging solutions. Secure messaging solutions resolve texting issues by encapsulating PHI within a private communications network that can only be accessed by authorized users. Access is gained via secure messaging apps that function in the same way as commercially available messaging apps. The significant advantages are the security mechanisms in place to prevent accidental or malicious disclosure of PHI.
Once logged into the app, authorized users enjoy the same speed and convenience as SMS or IM text messaging, but are unable to send messages containing PHI outside of the communications network, copy and paste encrypted data, or save it to an external hard drive.
Should there be a period of inactivity on the app, the user is automatically logged off.
All activity on the communications network is monitored by another party to ensure total message accountability and to prevent texting in violation of HIPAA. If a mobile device onto which the secure messaging app has been downloaded is lost or stolen, administrators can remotely wipe all content sent to or created on the app and PIN-lock it to prevent further use.
Secure messaging solutions allow HIPAA covered entities to keep all of the benefits of using text messaging while also affording a secure environment in which PHI can be shared.