The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance
Posted By Steve Alder on Dec 13, 2023
Text messaging is not HIPAA compliant, and unencrypted SMS messages should not be used for communicating ePHI unless a patient has initiated contact by SMS or requested provider-patient communications by text message – in which case healthcare providers can use text messaging provided reasonable safeguards are applied. Given its ease of use, many healthcare organizations and professionals may wonder is text messaging HIPAA compliant. The answer is generally “no,” but there are exceptions.
Although there are circumstances in which SMS text messaging can be HIPAA compliant, they are few and far between – making it safer for covered entities to prohibit texting electronic Protected Health Information (ePHI) rather than risk a penalty for violating HIPAA. While HIPAA does not prohibit sending PHI by text, for texting to be HIPAA compliant, safeguards must be in place to verify the identity of the recipient, warn the recipient of the risks of sending ePHI by text, and document the recipient acknowledges the risks but wants to continue regardless
There are many reasons why it’s safer for covered entities to prohibit texting PHI rather than allow it. These include – but are not limited to – the lack of access controls, the lack of audit controls, and the lack of encryption. Although encryption is an “addressable” requirement of the HIPAA Security Rule, it’s the only feasible way to ensure the security of ePHI in transit.
Looking at these reasons for noncompliance in more depth, with regards to access controls, anybody can pick up an unattended mobile device and read the messages on it. Mobile devices can be lost or stolen – which not only potentially exposes ePHI to unauthorized access, but the information in the messages can be used to commit insurance fraud or identity theft.
Rectangle Health’s Patient Engagement Software Is Used By 1,000s Of Healthcare Providers & Easily Integrates With All Existing Practise Management Systems
Your Privacy Respected
HIPAA Journal Privacy Policy
This is why the HIPAA rules for text messaging – or any other form of electronic communication – stipulate that audit controls are necessary to record when ePHI is created, modified, accessed, shared, or deleted. It´s simply not possible to implement audit trails for HIPAA compliant text messaging because the technology doesn´t exist that can audit every possible operating system.
Even if there were a way to overcome the HIPAA texting rules for access controls and audit controls, that would not make text messaging HIPAA compliant. There also has to be a way to prevent the interception of plain text messages – or extraction of plain text messages from carriers´ servers – which is why the encryption of ePHI in transit is strongly recommended.
There are circumstances in which SMS text messaging can be HIPAA compliant. The most common circumstance concerns texting with patients. Texting ePHI to patients is allowed by HIPAA when a patient has initiated contact by SMS or requested provider-patient communications by text message. In this circumstance, the covered entity must warn the patient that the risk of unauthorized disclosure exists and obtain the patient´s consent to communicate by text. Both the warning and the consent must be documented.
Other circumstances in which text messaging is HIPAA compliant include employers who provide onsite clinics as an employee health benefit, who provide self-insured health plans for employees, or who act as an intermediary between employees, healthcare providers, and health plans. This is a particularly complex area of HIPAA compliant texting, so we have compiled a separate page to explain the HIPAA texting rules in these circumstances.
It can also be the case that the U.S. Department of Health and Human Services waives the HIPAA rules for text messaging after a natural disaster such as an earthquake or hurricane. In these circumstances, some, but not all, rules related to texting patient data may be waived, and “enforcement discretion” may be applied for a fixed time period only or apply to covered entities of a certain nature (i.e. healthcare providers) within a geographical location. Waivers are never comprehensive.
One final circumstance in which text messaging is HIPAA compliant is when the covered entity has implemented a solution such as a HIPAA compliant messaging app that has the necessary controls and encryption to support HIPAA compliant texting. Even when these apps are used, it is still necessary to comply with the Minimum Necessary Standard and the physical, technical, and administrative safeguards of the HIPAA Security Rule.
HIPAA compliant text messaging apps have become to go-to solution for resolving the question of “is text messaging HIPAA compliant?” The messaging apps work in much the same way as commercial apps such as WhatsApp, Facebook Messenger, and Skype – so users are familiar with how they work – but they operate within a secure, encrypted network with access controls and audit controls to satisfy the requirements of the HIPAA Security Rule.
The latest generation of HIPAA compliant text messaging apps do more than support HIPAA compliant texting. They enable HIPAA compliant voice and video calls, allow groups to collaborate remotely in a secure environment, and facilitate the sharing of files and images with other authorized users. When integrated with EMR systems, patient information can be sent directly from the text messaging app to the EMR system – saving users valuable time.
With regards to the security and integrity of ePHI, all communications are archived on a private cloud and logically separated from other data. Via user-friendly admin control panels, covered entities can apply granular role-based permissions and apply messaging policies. The platforms can also be used to remotely retract and delete messages if a mobile device is lost or stolen, PIN-lock apps installed on mobile devices, and extract audit reports.
Indeed, the advanced reporting capabilities of latest-generation secure messaging systems can provide valuable insights for covered entities. The systems often include powerful analytics packages that give covered entities insights into how different teams are communicating with each other and with different departments. These insights allow covered entities to make data-driven decisions to further optimize HIPAA compliant communication policies and workflows.
Text messaging is not HIPAA compliant when ePHI is communicated via SMS messaging for a reason not explained above. This is because SMS messaging lacks the necessary Security Rule safeguards plus copies of SMS messages can remain on carriers’ servers indefinitely. Effectively covered entities have no control over how ePHI is further used or disclosed once a text message containing ePHI is sent.
It is safer for covered entities to prohibit texting ePHI due to the lack of access controls, audit controls and encryption. If patients request to be contacted by text, covered entities should implement a secure messaging solution or adapt an existing communication channel so that ePHI can be communicated with patients without security risks.
Audit controls are necessary for electronic communications of ePHI because it is necessary to ensure that only authorized members of the workforce access ePHI, that they only transmit the minimum necessary ePHI (where applicable), and that – if modifications are made to ePHI or ePHI is deleted – covered entities can establish who modified or deleted the information.
Text messaging can become HIPAA compliant if the text messaging capabilities of a communications platform are configured to comply with the administrative, physical, and technology safeguards of the Security Rule. Covered entities adopting or integrating a secure text messaging capability into an existing communications platform will need to enter into a Business Associate Agreement with the software vendor (if a different vendor from an existing Agreement) and train authorized users on how to use the capability in compliance with HIPAA.
HIPAA compliant text messaging apps are apps similar to common messaging apps like WhatsApp or Skype that have the required controls to comply with the HIPAA Security Rule. This not only means end-to-end encryption (which both WhatsApp and Skype have), but also event logs and audit controls to determine when ePHI is accessed, who accesses it, and what they do with it.
The U.S. Department of Health and Human Services can waive the HIPAA rules for text messaging following a natural disaster such as a hurricane or wildfires, or during a public health emergency – such as during the recent COVID-19 pandemic. When these events occur, some – but not all – rules relating to the communication of patient data can be waived. It is important for covered entities to be aware of which rules have been waived and the circumstances for which texting ePHI is allowed.
Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
Rectangle Health’s Patient Engagement Software Is Used By 1,000s Of Healthcare Providers & Easily Integrates With All Existing Practise Management Systems
Your Privacy Respected
HIPAA Journal Privacy Policy
Rectangle Health’s Patient Engagement Software Is Used By 1,000s Of Healthcare Providers & Easily Integrates With All Existing Practise Management Systems
Your Privacy Respected
HIPAA Journal Privacy Policy
HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.
Receive weekly HIPAA news directly via email
HIPAA News
Regulatory Changes
Breach News
HITECH News
HIPAA Advice
Email Never Shared
Cancel Any Time
Privacy Policy
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Newsletter Subscription
Copyright © 2014-2024 The HIPAA Journal. All rights reserved.
Wait… Don’t Leave Empty-Handed!
Get the FREE
HIPAA Compliance
Checklist
The best resource to view
your compliance requirements
and avoid HIPAA violations.
Wait… Don’t Leave
Empty-Handed!
Get the FREE
HIPAA Compliance Checklist
View your compliance requirements and avoid HIPAA violations
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
HIPAA Journal Privacy Policy
For Individuals
Show Your Employer You Have Completed The Best HIPAA Compliance Training Available With ComplianceJunction’s Certificate Of Completion
Your Privacy Respected
HIPAA Journal Privacy Policy
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
HIPAA Journal Privacy Policy
Please enter correct email address
Your Privacy Respected
HIPAA Journal Privacy Policy
You will be contacted by our page sponsor Rectangle Health
Your Privacy Respected
HIPAA Journal Privacy Policy
Is Your Organization HIPAA Compliant?
Find Out With Our Free HIPAA Compliance Checklist
source
Posted By Steve Alder on Dec 13, 2023
Text messaging is not HIPAA compliant, and unencrypted SMS messages should not be used for communicating ePHI unless a patient has initiated contact by SMS or requested provider-patient communications by text message – in which case healthcare providers can use text messaging provided reasonable safeguards are applied. Given its ease of use, many healthcare organizations and professionals may wonder is text messaging HIPAA compliant. The answer is generally “no,” but there are exceptions.
Although there are circumstances in which SMS text messaging can be HIPAA compliant, they are few and far between – making it safer for covered entities to prohibit texting electronic Protected Health Information (ePHI) rather than risk a penalty for violating HIPAA. While HIPAA does not prohibit sending PHI by text, for texting to be HIPAA compliant, safeguards must be in place to verify the identity of the recipient, warn the recipient of the risks of sending ePHI by text, and document the recipient acknowledges the risks but wants to continue regardless
There are many reasons why it’s safer for covered entities to prohibit texting PHI rather than allow it. These include – but are not limited to – the lack of access controls, the lack of audit controls, and the lack of encryption. Although encryption is an “addressable” requirement of the HIPAA Security Rule, it’s the only feasible way to ensure the security of ePHI in transit.
Looking at these reasons for noncompliance in more depth, with regards to access controls, anybody can pick up an unattended mobile device and read the messages on it. Mobile devices can be lost or stolen – which not only potentially exposes ePHI to unauthorized access, but the information in the messages can be used to commit insurance fraud or identity theft.
Rectangle Health’s Patient Engagement Software Is Used By 1,000s Of Healthcare Providers & Easily Integrates With All Existing Practise Management Systems
Your Privacy Respected
HIPAA Journal Privacy Policy
This is why the HIPAA rules for text messaging – or any other form of electronic communication – stipulate that audit controls are necessary to record when ePHI is created, modified, accessed, shared, or deleted. It´s simply not possible to implement audit trails for HIPAA compliant text messaging because the technology doesn´t exist that can audit every possible operating system.
Even if there were a way to overcome the HIPAA texting rules for access controls and audit controls, that would not make text messaging HIPAA compliant. There also has to be a way to prevent the interception of plain text messages – or extraction of plain text messages from carriers´ servers – which is why the encryption of ePHI in transit is strongly recommended.
There are circumstances in which SMS text messaging can be HIPAA compliant. The most common circumstance concerns texting with patients. Texting ePHI to patients is allowed by HIPAA when a patient has initiated contact by SMS or requested provider-patient communications by text message. In this circumstance, the covered entity must warn the patient that the risk of unauthorized disclosure exists and obtain the patient´s consent to communicate by text. Both the warning and the consent must be documented.
Other circumstances in which text messaging is HIPAA compliant include employers who provide onsite clinics as an employee health benefit, who provide self-insured health plans for employees, or who act as an intermediary between employees, healthcare providers, and health plans. This is a particularly complex area of HIPAA compliant texting, so we have compiled a separate page to explain the HIPAA texting rules in these circumstances.
It can also be the case that the U.S. Department of Health and Human Services waives the HIPAA rules for text messaging after a natural disaster such as an earthquake or hurricane. In these circumstances, some, but not all, rules related to texting patient data may be waived, and “enforcement discretion” may be applied for a fixed time period only or apply to covered entities of a certain nature (i.e. healthcare providers) within a geographical location. Waivers are never comprehensive.
One final circumstance in which text messaging is HIPAA compliant is when the covered entity has implemented a solution such as a HIPAA compliant messaging app that has the necessary controls and encryption to support HIPAA compliant texting. Even when these apps are used, it is still necessary to comply with the Minimum Necessary Standard and the physical, technical, and administrative safeguards of the HIPAA Security Rule.
HIPAA compliant text messaging apps have become to go-to solution for resolving the question of “is text messaging HIPAA compliant?” The messaging apps work in much the same way as commercial apps such as WhatsApp, Facebook Messenger, and Skype – so users are familiar with how they work – but they operate within a secure, encrypted network with access controls and audit controls to satisfy the requirements of the HIPAA Security Rule.
The latest generation of HIPAA compliant text messaging apps do more than support HIPAA compliant texting. They enable HIPAA compliant voice and video calls, allow groups to collaborate remotely in a secure environment, and facilitate the sharing of files and images with other authorized users. When integrated with EMR systems, patient information can be sent directly from the text messaging app to the EMR system – saving users valuable time.
With regards to the security and integrity of ePHI, all communications are archived on a private cloud and logically separated from other data. Via user-friendly admin control panels, covered entities can apply granular role-based permissions and apply messaging policies. The platforms can also be used to remotely retract and delete messages if a mobile device is lost or stolen, PIN-lock apps installed on mobile devices, and extract audit reports.
Indeed, the advanced reporting capabilities of latest-generation secure messaging systems can provide valuable insights for covered entities. The systems often include powerful analytics packages that give covered entities insights into how different teams are communicating with each other and with different departments. These insights allow covered entities to make data-driven decisions to further optimize HIPAA compliant communication policies and workflows.
Text messaging is not HIPAA compliant when ePHI is communicated via SMS messaging for a reason not explained above. This is because SMS messaging lacks the necessary Security Rule safeguards plus copies of SMS messages can remain on carriers’ servers indefinitely. Effectively covered entities have no control over how ePHI is further used or disclosed once a text message containing ePHI is sent.
It is safer for covered entities to prohibit texting ePHI due to the lack of access controls, audit controls and encryption. If patients request to be contacted by text, covered entities should implement a secure messaging solution or adapt an existing communication channel so that ePHI can be communicated with patients without security risks.
Audit controls are necessary for electronic communications of ePHI because it is necessary to ensure that only authorized members of the workforce access ePHI, that they only transmit the minimum necessary ePHI (where applicable), and that – if modifications are made to ePHI or ePHI is deleted – covered entities can establish who modified or deleted the information.
Text messaging can become HIPAA compliant if the text messaging capabilities of a communications platform are configured to comply with the administrative, physical, and technology safeguards of the Security Rule. Covered entities adopting or integrating a secure text messaging capability into an existing communications platform will need to enter into a Business Associate Agreement with the software vendor (if a different vendor from an existing Agreement) and train authorized users on how to use the capability in compliance with HIPAA.
HIPAA compliant text messaging apps are apps similar to common messaging apps like WhatsApp or Skype that have the required controls to comply with the HIPAA Security Rule. This not only means end-to-end encryption (which both WhatsApp and Skype have), but also event logs and audit controls to determine when ePHI is accessed, who accesses it, and what they do with it.
The U.S. Department of Health and Human Services can waive the HIPAA rules for text messaging following a natural disaster such as a hurricane or wildfires, or during a public health emergency – such as during the recent COVID-19 pandemic. When these events occur, some – but not all – rules relating to the communication of patient data can be waived. It is important for covered entities to be aware of which rules have been waived and the circumstances for which texting ePHI is allowed.
Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
Rectangle Health’s Patient Engagement Software Is Used By 1,000s Of Healthcare Providers & Easily Integrates With All Existing Practise Management Systems
Your Privacy Respected
HIPAA Journal Privacy Policy
Rectangle Health’s Patient Engagement Software Is Used By 1,000s Of Healthcare Providers & Easily Integrates With All Existing Practise Management Systems
Your Privacy Respected
HIPAA Journal Privacy Policy
HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.
Receive weekly HIPAA news directly via email
HIPAA News
Regulatory Changes
Breach News
HITECH News
HIPAA Advice
Email Never Shared
Cancel Any Time
Privacy Policy
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Newsletter Subscription
Copyright © 2014-2024 The HIPAA Journal. All rights reserved.
Wait… Don’t Leave Empty-Handed!
Get the FREE
HIPAA Compliance
Checklist
The best resource to view
your compliance requirements
and avoid HIPAA violations.
Wait… Don’t Leave
Empty-Handed!
Get the FREE
HIPAA Compliance Checklist
View your compliance requirements and avoid HIPAA violations
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
HIPAA Journal Privacy Policy
For Individuals
Show Your Employer You Have Completed The Best HIPAA Compliance Training Available With ComplianceJunction’s Certificate Of Completion
Your Privacy Respected
HIPAA Journal Privacy Policy
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
HIPAA Journal Privacy Policy
Please enter correct email address
Your Privacy Respected
HIPAA Journal Privacy Policy
You will be contacted by our page sponsor Rectangle Health
Your Privacy Respected
HIPAA Journal Privacy Policy
Is Your Organization HIPAA Compliant?
Find Out With Our Free HIPAA Compliance Checklist
source