What is HIPAA compliant text messaging?

HIPAA compliant text messaging is the use of a texting method that allows a HIPAA Covered Entity or Business Associate to send and receive messages containing protected health information while meeting HIPAA Privacy Rule use and disclosure limits and applying HIPAA Minimum Necessary Rule controls when applicable. It also requires implementing the HIPAA Security Rule administrative, physical, and technical safeguards, such as access controls, audit controls, integrity controls, person or entity authentication, and transmission security, and having a Business Associate Agreement in place whenever a messaging vendor handles protected health information on the organization’s behalf.

Standard SMS and consumer messaging apps typically do not provide the administrative control, auditing, and security features required to support HIPAA Security Rule safeguards for electronic protected health information. A compliant approach uses an approved secure messaging application or platform that supports encryption or an equivalent documented safeguard for transmission security, enforces authenticated access, and limits message access to authorized users.

HIPAA Privacy Rule requirements apply to the content and recipients of messages. Text messages that contain protected health information are permitted for treatment, payment, and healthcare operations when the disclosure is permitted and the organization applies reasonable safeguards to reduce the risk of incidental disclosure. Policies should restrict protected health information in messages to the minimum amount needed for the permitted purpose when the HIPAA Minimum Necessary Rule applies, and should prohibit texting protected health information to a recipient that cannot be verified.

Vendor and contracting controls determine whether a messaging service can be used with protected health information. If a third party provides the texting platform and creates, receives, maintains, or transmits protected health information for the organization, the vendor functions as a business associate and a Business Associate Agreement is required before use. The agreement and implementation should address breach reporting, permitted uses and disclosures, and safeguard responsibilities.

Operational controls should address workforce behavior and device security. Procedures should require user enrollment, role-based access, automatic locking, secure device configuration, and remote wipe capability for lost or stolen devices when messages can be accessed on mobile devices. Audit logs should be retained in a manner that supports monitoring, investigation, and sanction policies. Message retention and integration into the designated record set should be defined when texts contain information that needs to be maintained as part of the medical or billing record.

Patient communications by text should follow a documented process that addresses the patient’s requested communication channel, the risks of unsecured transmission when applicable, and verification of the patient’s contact information before any protected health information is sent.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]