Everything You Need to Know about HIPAA Compliant Text Messaging
With all the roles and responsibilities of being a healthcare provider, it is no wonder that people are constantly looking to communicate with each other and their patients immediately through text messaging. However, unlike other industries, healthcare organizations must guarantee that all actions they take are HIPAA compliant. And due to the cost of non-compliance, a simple solution, like texting, is not always worth the potential damage that it could bring.
Can Texting be HIPAA Compliant?
To make a long answer a whole lot shorter: yes! Text messaging can be HIPAA compliant, but it can also be a violation of HIPAA. It all depends on what information is sent, what consent has been given, and what encryption is applied to that information.
HIPAA is a complex and vague law that can cause a headache and still leave you asking lots of questions. One of these common questions is whether text messaging is a violation of HIPAA and its regulations. Part of this may be because texting is not directly mentioned anywhere in the hundreds of pages of the law. However, the HIPAA Security Rule does give us guidance and rules relating to electronic communications that we know apply to text messaging as well.
Risks of Texting PHI
Guaranteeing that all protected health information (PHI) created, stored, or shared by covered entities and business associates is entirely secure from unauthorized access, breaches, or other malicious intent is a complex problem. This existing challenge is amplified when text messaging is involved: using it in a HIPAA compliant manner is possible, but it can be tough to do while keeping this information as safe as possible.
To mitigate the risks of HIPAA texting, covered entities that want to use this communication method would do best to partner with a software company that offers HIPAA compliant text messaging. Be sure to sign a business associate agreement with this software company so that liability for the PHI you both access is shared and you are protected in the event of a breach on their end.
HIPAA Security Rule Guidance
As mentioned above, the HIPAA Security Rule is the portion of HIPAA that specifically looks to protect electronic protected health information (ePHI) and implements technical, administrative, and physical safeguards to guarantee the confidentiality of this information. Since the entire goal of HIPAA is to protect each patient's individual health information, it is easy to see that texting presents a significant risk to this goal. However, once certain steps are taken in compliance with the Security Rule and all parties are aware of the potential risks, texting with patients is a method that can be used.
Key Aspects of HIPAA Compliant Texting
As mentioned above, texting can present unique risks to the security of PHI and therefore to the HIPAA compliant status of an organization. To prevent either of those outcomes, two key things must happen for texting between patient and provider to be compliant under HIPAA.
Full Disclosure
Under HIPAA, each individual is guaranteed that their protected health information will be kept secure and confidential. Therefore, if an organization chooses a method of operation that could put that PHI at risk, a warning should be given and consent should be received. If a patient is made aware of the specific risks of unauthorized disclosure when communicating via text and chooses to consent, then the practice and that patient may use texting. Documentation of both the warning and the patient's consent should be made and filed away.
Encryption
PHI is accessed and used in many states and for many purposes across the healthcare industry, and many of these present unique challenges to security. When it comes to sharing PHI, and even more so through texting, encryption is extremely important because information is easier to intercept while it is being shared. Encryption guarantees that if a device is lost or stolen, or a message is intercepted, the message will be entirely unreadable to whoever obtains it. The challenge of end-to-end encryption is yet another reason that HIPAA-compliant text messaging software may be the best solution to this problem.