As methods of communication evolve and it becomes more acceptable to use channels that were previously thought of as less formal for more important and official exchanges of information, organizations are looking towards integrating text messaging into their range of communication channels and asking whether texting is against the Health Insurance Portability and Accountability Act’s (HIPAA) rules.
For the purpose of this article, we will define text messaging as meaning standard SMS – Short Message Service – communications. This is the more colloquial use of the term. While an email is in effect a message made of text, we will not be discussing the applicability of HIPAA to emails in this piece.
HIPAA and SMS
HIPAA does not necessarily prohibit or forbid the use of SMS messages in the transmission of Protected Health Information (PHI) but there are a number of conditions that should be in place in order to ensure that the use of this communication method complies with all of the necessary HIPAA standards.
The regular mobile telephone to mobile telephone SMS text message that is sent across a mobile provider’s network is generally not considered to be HIPAA compliant. This is down to many reasons, including because mobile carriers often have systems that record or otherwise store the messages. Another reason that disqualifies more basic text messaging services is the lack of encryption. This means that messages could potentially be intercepted and PHI accessed by unauthorized individual or parties.
As well as these areas, SMS text messages are lacking in a number of aspects explained in HIPAA’s Security Rule. HIPAA requires a method of tracking information, its chain of custody, and access control. The necessary systems to capture this information, as well as to recall messages sent in error to unintended recipients, are not available with SMS standard messages.
Security Rule Requirements
The HIPAA Security Rule requires a number of features to be in place for communications to be thought of as HIPAA compliant:
A robust access control system that limits access only to authorized users and which creates and tracks activity logs.
Once users have logged in or authorized themselves on the system, a session timer must be in place to automatically end the session and prevent access or transfer of data should there be a prolonged period of inactivity. This can help keep PHI away from unauthorized parties.
Information transferred via a HIPAA compliant system should be encrypted to render it “unreadable, undecipherable and unusable” to any unauthorized entity that may intercept it.
As well as rules regarding the systems that should be in place to handle some of the technological security aspects, mobile devices themselves present a number of issues, the potential for theft not being least among them. Should a device with access to PHI, or that stores PHI, be lost or stolen, there must be systems in place to remotely erase the data or block or suspend any further access to PHI from that device.
Secure SMS options are becoming more and more common. These integrate the required features we have mentioned above. Coupled with a robust Texting Policy, it may be possible for text messages to be used in a HIPAA complaint fashion. Any such policy should be researched in depth and regularly reviewed for compliance and implementation.