Can Text Messaging be HIPAA Compliant?

Whether text messaging can be HIPAA compliant is a question that requires deep investigation. Nowadays, during the Covid-19 pandemic, people are constantly looking to communicate with each other and their doctors remotely, and they are actively using text messaging to do so. However, unlike casual communication between friends and family, healthcare organizations must guarantee that all actions they take are HIPAA compliant. A solution as simple as texting is not always worth the potential damage it could bring to healthcare companies.

So can messaging be HIPAA Compliant?  

The answer is 50/50. Let’s look at this question in more detail.

Text messaging can be HIPAA compliant, but it can also be a violation of HIPAA. It all depends on what information is sent, what consent has been given, and what encryption is applied to that information. HIPAA rules for text messaging – or any other form of electronic communication – stipulate that audit controls are necessary to record when PHI is created, modified, accessed, shared, or deleted. It's simply not possible to implement audit trails for HIPAA compliant text messaging because the technology doesn't exist that can audit every possible operating system. Even if there were a way to overcome the HIPAA texting rules for access controls and audit controls, that would not make text messaging 100% HIPAA compliant. There also has to be a way to prevent the interception of plain text messages – or extraction of plain text messages from carriers' servers – which is why the encryption of PHI in transit is strongly recommended.

What you need to pay attention to so that texting in your company is HIPAA compliant

As we’ve explained above, texting can present unique risks to the security of PHI and therefore to the HIPAA-compliant status of an organization. To prevent either of those outcomes, two key things must happen for texting between patient and provider to be compliant under HIPAA.

Full Disclosure 

Each person is guaranteed under HIPAA that their protected health information will be kept secure and confidential. Therefore, if an organization chooses a method of operation that could put that PHI at risk, a warning should be given and consent should be received. If a patient is made aware of the specific risks of unauthorized disclosure that come with communicating via text and chooses to consent, then the practice and that patient may use texting. Documentation of both the warning and the patient's consent should be made and filed.

Encryption 

PHI has many statuses and purposes for which it can be accessed and used across the healthcare industry, and many of these present unique challenges to security. When it comes to sharing PHI specifically (even more so through texting), encryption is extremely important, since information is easier to intercept while it is being shared. Encryption guarantees that if a device is lost or stolen, or a message is intercepted, the message will be entirely unreadable to whoever obtains it. The challenge of end-to-end encryption is yet another reason that HIPAA-compliant text messaging software may be the best solution to this problem.

Why providing proof of identity matters

In compliance with HIPAA, all users who access PHI must be able to prove that they are who they say they are by authenticating their identity. Secure text messaging software can comply with this rule by requiring users to log in with something unique to them. A user is authenticated when the unique credentials match what is stored in the system. Methods of authentication in compliance with HIPAA may include:

  • Password or PIN
  • Smart card, key, or token
  • Biometric identifiers, such as a fingerprint, facial recognition, or voice pattern

Healthcare professionals who send and receive HIPAA compliant text messages from their mobile devices must use some sort of credential to authenticate that they are who they say they are.

Conclusion

When communicating patient information via secure text messaging on personal mobile devices, following HIPAA guidelines is imperative to prevent security breaches. By complying with HIPAA rules, healthcare organizations and professionals can ensure the safety and security of their practice, while offering patients the convenience of seamless communication with their providers.
