To refer to texting as a violation of HIPAA is not strictly correct. Depending on the content of the text message, who it is shared with, and the mechanisms in place to safeguard Protected Health Information (PHI), texting can comply with HIPAA in some instances.
Any confusion about whether texting violates HIPAA comes from the language of the Privacy and Security Rules. Neither rule mentions texting, but both set stipulations that apply to electronic communication of PHI in the healthcare sector.
So, for instance, it is permissible to send messages by text provided that the body of the message does not include “personal identifiers”. It is allowable for a doctor to send text messages to a patient, provided that the message adheres to the “minimum necessary standard”. It is also allowable to send messages by text when mechanisms are in place to comply with the technical safeguards of the HIPAA Security Rule.
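One way to enforce the first condition in practice is an outbound screen that inspects a message body for structured identifiers before a plain SMS is allowed to leave. The block below is an added example written for this page, not a product's code or anything from the original text; the regexes, the identifier kinds it covers, the `USER`-free policy in `is_sendable`, and the sample messages are all constructed here. It deliberately covers only identifiers with a recognisable syntax (SSN, MRN, labelled date of birth, e-mail); names such as the "Jane" in the sample pass through untouched, which is exactly why such a screen is a backstop to policy and training rather than a substitute for them.

```python
"""Outbound-text identifier screen: flag or redact structured personal
identifiers before a message leaves the organisation.

Illustrative example constructed for this page; the patterns and sample
messages are made up and are not drawn from any product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Syntactically recognisable identifiers from the HIPAA Safe Harbor list.
# Names, street addresses and free-text dates cannot be matched reliably by
# regex, so this screen is a backstop to policy, not a substitute for it.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b(?:SSN\s*[:#]?\s*)?\d{3}-\d{2}-\d{4}\b", re.IGNORECASE),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\s*[:#]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    text: str


def screen_message(body: str) -> list[Finding]:
    """Return every identifier match in the message body, ordered by position."""
    findings = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for m in pattern.finditer(body):
            findings.append(Finding(kind, m.start(), m.end(), m.group(0)))
    return sorted(findings, key=lambda f: f.start)


def is_sendable(body: str) -> bool:
    """Policy (assumed here): a plain SMS may leave only if nothing was found."""
    return not screen_message(body)


def redact(body: str) -> str:
    """Replace each identifier with a bracketed placeholder. Work from the end
    of the string backwards so earlier offsets stay valid after each splice."""
    out = body
    for f in reversed(screen_message(body)):
        out = out[:f.start] + f"[{f.kind.upper()}]" + out[f.end:]
    return out


# Constructed sample messages (not real patients).
SAMPLE_OK = "Reminder: your appointment is Tuesday at 2 PM. Reply C to confirm."
SAMPLE_PHI = (
    "Jane, labs for MRN 00123456 are back. DOB 03/14/1982 and "
    "SSN 123-45-6789 verified; results sent to jane.doe@example.com."
)

if __name__ == "__main__":
    for msg in (SAMPLE_OK, SAMPLE_PHI):
        print("SEND " if is_sendable(msg) else "BLOCK", "|", redact(msg))
```

Run stand-alone it prints a SEND/BLOCK verdict and the redacted text for each sample. In a real gateway the redacted form is what you would log, never the original body, and a blocked message should be routed to the secure channel rather than silently dropped.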
The Technical Security Measures of the HIPAA Security Rule
The technical safeguards of the HIPAA Security Rule are the most relevant when addressing the question “When is texting in violation of HIPAA?” This part of the Security Rule concerns access controls, audit controls, integrity controls, methods of identity authentication, and transmission security mechanisms when PHI is shared electronically. Among the requirements included are:
- Access to PHI must be restricted to authorized users who need the data to do their jobs.
- A system must be in place to record and review the activity of authorized users when they access PHI.
- Those authorized to view PHI must prove their identity with a unique, centrally issued user ID and an authentication credential such as a password or PIN.
- Policies and procedures must be implemented to stop PHI from being improperly altered or destroyed.
- Data shared outside an organization’s internal firewall should be encrypted so that it is unusable if intercepted in transit.
Standard “Short Message Service” (SMS) and “Instant Messaging” (IM) text messages often fall short on all of these counts. Those using SMS and IM have no control over the final destination of their messages: a message can be sent to the wrong number, forwarded by the intended recipient, or intercepted in transit. Copies of SMS and IM messages also remain on service providers’ servers with no defined deletion date.
SMS and IM text messages also offer no message accountability: anybody could pick up someone’s mobile device and use it to send a message, or edit a received message before forwarding it on. For these reasons, communicating PHI by standard, unencrypted, unmonitored and uncontrolled SMS or IM is in breach of HIPAA.
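The two failures just described, a received message edited before it is forwarded and a message sent from a device whose owner is unknown, are what integrity controls and message accountability are meant to catch. The block below is an added example constructed for this page, not code from the original text or from any messaging product: each message is sealed with an HMAC under a per-sender key that the organisation issued (the `USER_KEYS` table, the user names and the message text are all made up), the receiving side accepts a message only if the tag verifies, and every delivery attempt is written to an audit record whether or not it was accepted. A forwarded copy whose body was altered, or a message claiming a sender the system never enrolled, fails verification and is logged as rejected.

```python
"""Message envelope with per-sender integrity tags and an audit record.

Illustrative example constructed for this page; the keys, users and
message text are made up. A shared-secret HMAC proves the message was
sealed by someone holding the sender's key; if non-repudiation against
the server itself is needed, a per-user signing key would replace it.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Per-user keys issued by the organisation (constructed for the example; a real
# deployment provisions them to an enrolled app, never to a plain SMS client).
USER_KEYS = {
    "dr.lee": b"\x01" * 32,
    "nurse.kim": b"\x02" * 32,
}


@dataclass(frozen=True)
class Envelope:
    sender: str
    recipient: str
    sent_at: int
    body: str
    tag: str  # hex HMAC-SHA256 over the canonical fields below


def _canonical(sender: str, recipient: str, sent_at: int, body: str) -> bytes:
    # Fixed field order and separators so the tag covers exactly these fields
    # and nothing else; any change to any of them changes the tag.
    return json.dumps([sender, recipient, sent_at, body], separators=(",", ":")).encode()


def seal(sender: str, recipient: str, body: str, sent_at: int | None = None) -> Envelope:
    """Sealing requires the sender's key, so only an enrolled user can do it."""
    sent_at = int(time.time()) if sent_at is None else sent_at
    tag = hmac.new(USER_KEYS[sender], _canonical(sender, recipient, sent_at, body),
                   hashlib.sha256).hexdigest()
    return Envelope(sender, recipient, sent_at, body, tag)


def verify(env: Envelope) -> bool:
    """True only if the tag matches the fields under the claimed sender's key."""
    key = USER_KEYS.get(env.sender)
    if key is None:  # unknown sender: nobody issued them a key
        return False
    expected = hmac.new(key, _canonical(env.sender, env.recipient, env.sent_at, env.body),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, env.tag)  # constant-time comparison


AUDIT_LOG: list[dict] = []  # in-memory stand-in for an append-only audit store


def deliver(env: Envelope) -> bool:
    """Accept only envelopes that verify; record every attempt either way."""
    ok = verify(env)
    AUDIT_LOG.append({
        "sender": env.sender, "recipient": env.recipient,
        "sent_at": env.sent_at, "accepted": ok,
    })
    return ok


if __name__ == "__main__":
    original = seal("dr.lee", "nurse.kim", "Bed 4: hold the next dose until labs are back.")
    print("original accepted:", deliver(original))
    # Someone forwards an edited copy while reusing the original tag.
    edited = Envelope(original.sender, original.recipient, original.sent_at,
                      "Bed 4: give the next dose now.", original.tag)
    print("edited copy accepted:", deliver(edited))
    print(json.dumps(AUDIT_LOG, indent=2))
```

The envelope gives integrity and accountability only; it does nothing for confidentiality, so in practice it sits inside an encrypted transport, and the audit store should be append-only with its own access controls, since it is itself a record of who contacted whom about what.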
How This Creates an Issue for Healthcare Groups
Texting in breach of HIPAA is a major issue for healthcare groups. Over the past few years, more and more medical workers have come to rely on their personal mobile devices to support their workflows, and many healthcare groups have been keen to adopt BYOD policies for the speed and convenience of modern devices and for the cost savings.
However, with approximately 80% of medical workers now using personal mobile devices, there is a major risk of PHI being accessed by unauthorized individuals. Most messaging apps on mobile devices have no log-in or log-off requirements, so if a device is lost or stolen there is a real danger that messages containing PHI will be exposed.
The penalties for a breach of HIPAA can be significant. The fine for a single violation can be as high as $50,000, and a continuing violation is counted for each day the underlying problem remains uncorrected, so the total can grow quickly. Healthcare groups that turn a blind eye to texting in breach of HIPAA can also face civil suits from the patients whose data was obtained (brought under state law, since HIPAA itself gives patients no private right of action) if the breach results in identity theft or other fraud.
Address Texting Problems with a Secure Messaging Solution
Secure messaging solutions resolve these issues by keeping PHI within a private communications network that can be accessed only by authorized individuals. Access is obtained through secure messaging apps that function in the same way as commercially available messaging apps, but with security measures in place to stop accidental or malicious disclosure of PHI.
Once signed into the app, authorized users enjoy the same speed and convenience as SMS or IM text messaging, but cannot send messages containing PHI outside the communications network, copy and paste the encrypted data, or store it on external media. After a period of inactivity on the app, the user is automatically signed out.
All activity on the communications network is logged and auditable, giving full message accountability and stopping texting in breach of HIPAA. If a mobile device on which the secure messaging app is installed is lost or stolen, administrators can remotely delete all content sent to or created in the app and PIN-lock it to prevent further use.