What are HIPAA Regulations for SMS?


The HIPAA regulations for SMS do not specifically rule out the use of a “Short Message Service” to share Protected Health Information (PHI), but they do state that specific conditions have to be in place before using SMS to communicate PHI is HIPAA compliant.

The majority of SMS messages are not HIPAA compliant because they are not encrypted, cannot be recalled if sent to the incorrect recipient, and can be intercepted on public Wi-Fi networks. Although tools are available to resolve these issues with SMS messages, they are rarely used.

Other issues exist because SMS messages are unaccountable and because copies remain on the servers of service providers indefinitely. The only solution to these issues is to exclude any PHI from messages sent via SMS. Crucially, the HIPAA regulations for SMS also apply to Instant Messaging services such as WhatsApp and iMessage, and to email.

Most HIPAA regulations for SMS, IM and email are included in the technical safeguards of the HIPAA Security Rule. These safeguards require the introduction of access controls, audit controls, integrity controls, ID authentication, and transmission security to eliminate unauthorized access to PHI. Among the required security measures are:

  • All authorized users must be assigned a unique login username and PIN number for whatever mechanism is being used to send and receive PHI, so that all communications containing PHI can be monitored and recorded.
  • Any mechanism used to share PHI must have an automatic logoff feature. This measure is required to eliminate unauthorized access to PHI if a desktop computer or mobile device is left unattended.
  • PHI must be encrypted in transit so that, in the event a message is intercepted on a public Wi-Fi network, the body of any message – and any PHI shared as an attachment – is “unreadable, undecipherable and unusable”.

These three security steps by themselves make it difficult for HIPAA covered entities to comply with the HIPAA regulations for SMS, IM and email. It is not difficult to set up a channel of communication that requires users to log in, but recording all their online activity and having them log off when they are finished is much more difficult.

The issue of encryption is also troublesome. Any encryption solution used to securely communicate PHI between healthcare organizations, medical staff, Business Associates and other covered entities would have to work across multiple operating systems and devices – and have a uniform decryption key. It was for this reason that an exemption was made for the electronic communication of PHI between medical workers and their patients.

The HIPAA regulations for SMS, IM and email are extremely complicated, and may apply to covered entities differently depending on their size, the manner of service they provide and the volume of PHI they communicate. However, there is a solution that satisfies the HIPAA regulations for SMS, IM and email regardless of a group’s operating structure – secure messaging.

Secure messaging operates in much the same fashion as SMS or IM. Secure messaging apps can be used to send and receive encrypted text messages, share pictures and conduct group discussions. The apps work across all operating systems and devices, but only once a user has authenticated their ID with a centrally-issued username and PIN number.

Security measures are in place not only to eliminate unauthorized access to PHI when a desktop computer or mobile device is left unattended, but also to stop the copying and pasting of PHI, the saving of PHI to an external hard drive, or the sending of PHI to a third party outside the group’s network of authorized users.

All activity on the network is recorded, and further security measures in addition to automatic logoff exist to protect the integrity of PHI. For instance, if an authorized user's mobile device is lost or stolen, controls on the secure messaging platform enable administrators to remotely delete any communication that included PHI and lock the secure messaging app.

Complying with the HIPAA rules for SMS, IM and email by implementing a secure messaging solution also brings significant business advantages – especially for healthcare organizations. Being able to send and receive PHI “on the go” reduces the time on-call doctors and community nurses spend playing phone tag. Group messaging features speed up the communications cycle and can reduce the length of time it takes to complete hospital admissions and patient discharges.

When linked to an EMR, a secure messaging solution can be used to share the task of updating patients’ notes – giving physicians more time to treat their patients.