Is SMS Texting a Violation of HIPAA Rules?

Yes, SMS texting can potentially be a violation of HIPAA rules if it involves the transmission of protected health information (PHI) without proper safeguards in place. HIPAA regulations require healthcare organizations and their employees to implement appropriate measures to protect the privacy and security of patient information. While SMS texting itself is not prohibited under HIPAA, the content of the messages and how they are handled determine whether a violation occurs.

The key factors in determining if SMS texting is a HIPAA violation are:

  • SMS texting can potentially violate HIPAA rules if it involves the transmission of protected health information (PHI) without proper safeguards.
  • HIPAA regulations require healthcare organizations to protect the privacy and security of patient information.
  • Standard SMS texting is generally not considered secure enough to meet HIPAA requirements.
  • To comply with HIPAA, healthcare organizations should implement secure messaging platforms or encrypted communication systems.
  • Secure messaging platforms provide features such as end-to-end encryption, message expiration, authentication mechanisms, and audit logs.
  • Using secure messaging platforms helps mitigate the risks associated with SMS texting and reduces the likelihood of HIPAA violations.
  • Healthcare professionals should be aware of their organization’s policies and procedures regarding communication methods and PHI transmission.
  • Training on HIPAA regulations is essential for healthcare professionals to understand the appropriate use of communication channels.
  • Regular audits and assessments can help identify and address any areas of non-compliance.
  • By adopting secure messaging solutions and following HIPAA guidelines, healthcare organizations can prioritize patient privacy and protect sensitive information.
  • It is important for healthcare professionals to prioritize patient confidentiality and ensure the privacy and security of patient data in their communications.
  • Adhering to HIPAA regulations and utilizing secure communication channels is crucial for preventing HIPAA violations related to SMS texting.

Is SMS Texting a Violation of HIPAA?

Many healthcare organizations are confused about the use of text messages and whether SMS texting is a violation of HIPAA Rules. Part of the reason for the confusion is there is no specific mention of SMS text messages in HIPAA. However, HIPAA Rules do cover electronic communications, and therefore these rules apply to SMS messages.

As for whether SMS texting is a violation of HIPAA Rules, that would depend on the content of the messages, to whom the messages are sent, and – in the case of texting patients – whether consent has been obtained to send information via an SMS network.

There is nothing wrong per se with physicians using text messages to communicate with other healthcare professionals and care teams. Texting is a quick and easy form of sending short messages. Texting doesn’t rely on the recipient of the message being available at the time the message is sent. The message will be waiting for them when they become available.

However, SMS texting is a violation of HIPAA Rules if the text messages contain any protected health information for which a patient had not given their consent. If personal identifiers are included in the messages without permission of the patient, along with any data that falls under the classification of PHI in HIPAA Rules, physicians will likely be violating HIPAA.

The HIPAA Security Rule and SMS Messages

The HIPAA Security Rule requires covered entities to implement technical controls to ensure the confidentiality, integrity, and availability of PHI. These technical controls apply to any form of communicating PHI and are therefore relevant to SMS messages.

Technical controls include access controls that prevent PHI from being viewed by unauthorized individuals; audit controls so that covered entities and regulators can check that PHI is being communicated compliantly; integrity controls to ensure PHI has not been tampered with or altered; and transmission controls to ensure PHI cannot be intercepted in transit.

In the case of SMS messages, access controls are insufficient. If the sender or receiver of an SMS message loses their device, the messages could be accessed by an unauthorized individual. There is also no guarantee that the message will be received by the intended recipient, and there is no system in place that can confirm the identity of the sender or receiver of a message. It is also easy to accidentally send a message to the wrong person, and messages cannot be recalled.

When PHI is transmitted outside of an organization’s area of control – beyond a firewall for instance – PHI must be protected to prevent accidental disclosure. This typically means PHI must be encrypted to NIST standards. SMS, and many forms of instant messaging (IM), lack encryption.

So, is SMS texting a violation of HIPAA if PHI is included in the message? Generally, yes. The same applies to most forms of instant messaging.
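The three criteria above (message content, who the recipient is, and whether a patient has consented to SMS) can be applied as a pre-send check in a messaging gateway. The following is an added example, not code from the original article or any vendor product; the PHI patterns, the "patient:"/"staff:" recipient labels, the channel names and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed PHI identifier patterns (hypothetical formats chosen for this
# example): a medical record number, a date of birth, and diagnosis terms.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[\s:#]*\d{6,8}\b", re.I),
    "dob": re.compile(r"\bDOB[\s:]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "diagnosis": re.compile(r"\b(?:diagnos\w*|HIV|cancer|diabetes)\b", re.I),
}

@dataclass
class Message:
    sender: str
    recipient: str   # constructed labels: "patient:<id>" or "staff:<id>"
    body: str
    channel: str     # "sms" (plaintext) or "secure_app" (encrypted, audited)

@dataclass
class Decision:
    allowed: bool
    phi_found: list
    reasons: list = field(default_factory=list)

AUDIT_LOG = []  # every decision is recorded, which is what audit controls require

def find_phi(text):
    """Return the names of the PHI patterns that occur in the message body."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]

def check_outbound(msg, consented_patients):
    """Apply the article's criteria: content, recipient, consent and channel."""
    phi = find_phi(msg.body)
    d = Decision(allowed=True, phi_found=phi)
    if phi and msg.channel == "sms":
        if msg.recipient.startswith("patient:"):
            # Texting PHI to a patient over SMS is only acceptable with consent.
            if msg.recipient not in consented_patients:
                d.allowed = False
                d.reasons.append("PHI to patient over SMS without consent")
        else:
            # Care-team traffic carrying PHI must use the encrypted channel.
            d.allowed = False
            d.reasons.append("PHI to care team over unencrypted SMS")
    AUDIT_LOG.append({"from": msg.sender, "to": msg.recipient,
                      "channel": msg.channel, "phi": phi, "allowed": d.allowed})
    return d

if __name__ == "__main__":
    m = Message("staff:dr_lee", "staff:rn_kim", "MRN 1234567 diagnosed with diabetes", "sms")
    print(check_outbound(m, {"patient:p42"}))
```

A message with no detected PHI is allowed on either channel, and the same PHI sent through the secure app channel passes, so the check blocks only the combination the article identifies as a violation.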

Healthcare Organizations that Fail to Address Texting of PHI Could Receive a HIPAA Violation Penalty

SMS texting is a violation of HIPAA Rules and many healthcare organizations are allowing HIPAA Rules to be violated. The majority of healthcare professionals carry mobile phones and most send text messages. An estimated 80% of healthcare professionals use personal mobile devices, many of whom have sent or received PHI on those devices even though by doing so they are violating HIPAA Rules.

The penalties for HIPAA violations are severe. Willful violation of HIPAA Rules can attract a penalty of $50,000 per violation per day, up to a maximum fine of $1.5 million per calendar year. Ignorance of HIPAA Rules in relation to texting is not an excuse that regulators will accept.

Can Healthcare Organizations Use Texting to Communicate PHI and Avoid a HIPAA Violation?

Fortunately, healthcare organizations can take advantage of the benefits of text messages and avoid a HIPAA violation. Secure text messaging solutions have been developed by a number of solution providers. Those solutions incorporate all of the necessary controls to ensure ePHI cannot be intercepted or accessed by unauthorized individuals.

A HIPAA-compliant text messaging solution incorporates access controls to ensure only the intended recipient can access a message. Users are required to log in to the system to access messages, and they are automatically logged off following a period of inactivity. All users of the platform are in an enclosed network to ensure messages are not accidentally sent to unauthorized individuals.

The secure messaging platforms feature end-to-end encryption to ensure messages cannot be intercepted in transit, and all communications via the network are monitored and an audit trail is maintained. In the event of loss or theft of a mobile device, the platform allows all messages on the user’s device to be automatically erased. The platform also contains controls to prevent PHI from being copied and pasted to other apps.

Only if these HIPAA-compliant messaging apps are used can healthcare organizations enjoy the benefits of texting and avoid violating HIPAA Rules.