Is Texting in Violation of HIPAA?

by

Under certain circumstances, texting Protected Health Information (PHI) can be deemed as a violation of HIPAA. The classification as a violation is dependent upon the message’s content and the recipient. Furthermore, the effort that the sender put into maintaining the integrity of PHI is also considered. If the PHI is well-protected, then texting may be compliant with HIPAA.

The only instance in which HIPAA addresses issues of texting is in the Privacy and Security Rules. However, many critics deem these rules to be unclear, and the cause of much misunderstanding regarding what is considered a violation. These rules do not explicitly concern texting, but apply to electronic communications in the healthcare industry.

The rules deem it appropriate send messages by text with the condition that the content of the message does not include “personal identifiers”. They also allow for a doctor to send text messages to a patient, if that message complies with the “minimum necessary standard” they outline. All messages sent by text must comply with the technical safeguards of the HIPAA Security Rule to prevent a violation from occurring.

The Technical Safeguards of the HIPAA Security Rule

The technical safeguards of the HIPAA Security Rule are vital in deciding whether a text-related violation has occurred. This section of the HIPAA Security Rule concerns access controls, audit controls, integrity controls, methods for ID authentication, and transmission security mechanisms when PHI is being transmitted electronically.

The requirements outlined by these rules include:

  • Access to PHI must be limited to authorized users who require the information to do their jobs.
  • A system must be implemented to monitor the activity of authorized users when accessing PHI.
  • Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN.
  • Policies and procedures must be introduced to prevent PHI from being inappropriately altered or destroyed.
  • Data transmitted beyond an organization´s internal firewall should be encrypted to make it unusable if it is intercepted in transit.

Standard “Short Message Service” (SMS) and “Instant Messaging” (IM) text often fail to adhere to any of these guidelines. One of the many breaches regards the inability of SMS and IM text message senders to control the ultimate destination of their messages. They could be sent to the wrong number, forwarded by the intended recipient or intercepted while in transit. The fact that copies of SMS and IM messages also remain on service providers´ servers indefinitely also poses a serious security risk.

There is no message accountability with SMS or IM text messages because of the ease in which someone can use someone else’s mobile device to send or edit a message. For these reasons (and many more) communicating PHI by standard, non-encrypted, non-monitored and non-controlled SMS or IM is texting in violation of HIPAA.

Healthcare Organizations and Text Violations

Texting in violation of HIPAA has proved to be major problem for healthcare organizations in recent years due to the ubiquity of electronic messages. Indeed, many healthcare organizations have been keen to implement policies in which employees are responsible for providing their own devices, resulting in 80% of medical professionals using personal devices. This proves to be a serious security issue as PHI is at risk of being accessed by unauthorised personnel.

Most messaging apps on mobile devices have the user permanently logged in and, if a mobile device is lost or stolen, there is a significant risk that messages containing PHI could be released into the public domain.

The fines for a breach of HIPAA can be considerable. The fine for a single breach of HIPAA can be anything up to $50,000 – per day the vulnerability responsible for the breach is not attended to. Healthcare organizations that ignore violations regarding texting can also face civil charges from the patients whose data has been exposed if the breach results in identity theft or other fraud.

Secure Messaging Solutions

Secure messaging solutions resolve texting issues by encapsulating PHI within a private communications network that can only be accessed by authorized users. Access is gained via secure messaging apps that function in the same way as commercially available messaging apps. The major advantages are the security mechanisms in place to prevent an accidental or malicious disclosure of PHI.

Once logged into the app, authorized users enjoy the same speed and convenience as SMS or IM text messaging, but are unable to send messages containing PHI outside of the communications network, copy and paste encrypted data or save it to an external hard drive. Should there be a period of inactivity on the app, the user is automatically logged off.

All activity on the communications network is monitored by another party to ensure total message accountability and to prevent texting in violation of HIPAA. If a mobile device onto which the secure messaging app has been downloaded is lost or stolen, administrators can remotely wipe all content sent to or created on the app and PIN-lock it to prevent further use.