What is HIPAA compliant text messaging?

Since its implementation two decades ago, there has been much ambiguity in whether the use of SMS is HIPAA compliant. HIPAA does not explicitly prohibit communicating Protected Health Information (PHI) by text, a system of administrative, physical and technical safeguards must be implemented to ensure the confidentiality and integrity of PHI when it is “in transit” – i.e. being communicated between medical professionals or covered entities. The failure to use such safeguards is likely to constitute a HIPAA violation.

Normal SMS messages lack encryption, and are therefore deemed unsecure ways of transmitting patient data. As there are no safeguards to prevent a text message being sent to a wrong number, and text messages sent in plain text can be intercepted, there is considerable potential for data breaches. Furthermore, mobile devices containing PHI are frequently lost or stolen, which potentially leads to exposing PHI to unauthorized access if data on the devices is read. Also, as text messages are stored indefinitely on service providers´ servers, the CE has no control over who may access this data.

If a CE does not implement the appropriate precautions to ensure the confidentiality and integrity of PHI in transit, they are in clear violation of HIPAA and are liable to pay a hefty fine. In serious incidents, they may also be prosecuted in court if a serious breach occurs and they were particularly lax with their safeguards.

HIPAA Compliant Messaging

There are now many text messaging platforms in use such as Facebook Messenger, Skype, and WhatsApp, alongside the traditional SMS. WhatsApp has acted to ensure that all messages sent using its servers are encrypted, which satisfies certain HIPAA compliant messaging requirements. However, unless further action is taken by the CE, using WhatsApp may still result in a HIPAA violation.

When using WhatsApp, messages are encrypted on the sender’s phone and remain encrypted until they arrive at the receiver’s device. The messages are sent through a secure, encrypted tunnel, satisfying HIPAA encryption requirements for data in transit. However, ePHI sent via WhatsApp is not stored in a secure manner on the device itself and the access controls used are not up to the standards required by HIPAA.

For example, if you were to lose your phone, unless other security controls have been applied to the device, an unauthorized individual would be able to access your messages, and any ePHI in your WhatsApp account, as the app itself does not require access to be authorised on the device. HIPAA compliant messaging is not only about encrypting data in transit. There must be appropriate access controls, audit controls, and secure storage for messages containing ePHI.

The Integrity of PHI in Transit

Many CEs have turned to implementing a secure messaging system on their employees’ devices. Secure messaging works in a similar way to text messaging as they use a similar interface. Users can add an attachment and send it to a colleague, and there are message receipts for when messages are read and received.  As security mechanisms are in place in secure messaging system, they provide the necessary safeguards to ensure the integrity of PHI in transit. Therefore, they provide a facile way for CEs to remain HIPAA compliant while transmitting ePHI.

On secure messaging systems, messages are encrypted, and they can only be sent to colleagues within a covered entity´s communications network. Furthermore, the messages are archived on a separate, secure server and administrative controls enable the remote retraction and deletion of messages if a mobile device is lost or stolen. Due to the ID authentication process, administrators can also PIN-lock apps installed on a mobile device to prevent unauthorised access.

Other mechanisms exist to assign message lifespans to communications sent through a secure messaging solution. Unlike traditional messaging apps, users are automatically logged out of their secure messaging apps after a period of inactivity to prevent authorized access to PHI. All user activity is monitored and logged to oversee how users are communicating PHI in text messages and to ensure that secure messaging policies are being adhered to.

The Benefits of HIPAA Compliant Text Messaging

In addition to ensuring the integrity of PHI in transit, there are significant benefits associated with implementing a secure messaging solution. The monitoring of user activity plus features such as delivery notifications and read receipts ensure message accountability. This in turn reduces phone tag and accelerates the communication cycle.

Aside from maintaining the integrity of ePHI, secure messaging solutions are widely seen to have many advantages. One of the primary benefits they offer is the massive increase in workplace efficiency. Medical professionals in the community can send and receive ePHI on-the-go using secure messaging, instead of having to wait to be at a desktop to log into a secure network. Images can be attached to secure messages, which can then be shared to accelerate diagnoses and the administration of treatment. Secure messaging also offers the potential to accelerate emergency admissions and patient discharges. Many healthcare institutes often struggle with patient waiting times, but increasing the efficiency in which patients are discharged offers the potential to reducing wait times and streamlining the administrative process.

Further Advice

If you have any queries over whether your workplace is using HIPAA compliant messaging systems, it is recommended that you seek further information about the administrative, physical and technical safeguards that must be in place to ensure the integrity of PHI in transit from legal professionals.