Physicians often send text messages at work, but is SMS texting a violation of HIPAA Rules? Could something as simple as an SMS message result in a HIPAA violation penalty?
Is SMS Texting a Violation of HIPAA?
Many healthcare organizations are confused about the use of text messages and whether SMS texting is a violation of HIPAA Rules. Part of the reason for the confusion is that there is no specific mention of SMS text messages in HIPAA. However, HIPAA Rules do cover electronic communications, and therefore these rules apply to SMS messages.
As for whether SMS texting is a violation of HIPAA Rules, that would depend on the content of the messages, to whom the messages are sent, and – in the case of texting patients – whether consent has been obtained to send information via an SMS network.
There is nothing wrong per se with physicians using text messages to communicate with other healthcare professionals and care teams. Texting is a quick and easy form of sending short messages. Texting doesn’t rely on the recipient of the message being available at the time the message is sent. The message will be waiting for them when they become available.
However, SMS texting is a violation of HIPAA Rules if the text messages contain any protected health information that the patient has not given consent to send this way. If the messages include patient identifiers together with any data that HIPAA classifies as PHI, and the patient has not authorized that disclosure, the physician is likely violating HIPAA.
The HIPAA Security Rule and SMS Messages
The HIPAA Security Rule requires covered entities to implement technical controls to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). These technical controls apply to any form of communicating ePHI and are therefore relevant to SMS messages.
Technical controls include access controls that prevent PHI from being viewed by unauthorized individuals; audit controls to ensure covered entities and regulators can check to see PHI is being communicated compliantly; integrity controls to ensure PHI has not been tampered with or altered; and controls to ensure PHI cannot be intercepted in transit.
In the case of SMS messages, access controls are insufficient. If the sender or receiver of an SMS message loses their device, the messages stored on it could be accessed by an unauthorized individual. There is also no guarantee that the message will be received by the intended recipient, and SMS provides no mechanism to authenticate the identity of the sender or receiver of a message. It is also easy to accidentally send a message to the wrong person, and messages cannot be recalled.
When PHI is transmitted outside of an organization's area of control – beyond a firewall, for instance – PHI must be protected to prevent accidental disclosure. This typically means PHI must be encrypted to NIST standards. SMS offers no end-to-end encryption: messages are relayed and stored by the carrier in a form the carrier can read, and the same is true of many forms of instant messaging (IM).
So, is SMS texting a violation of HIPAA if PHI is included in the message? Generally Yes. The same applies to most forms of instant messaging.
Healthcare Organizations that Fail to Address Texting of PHI Could Receive a HIPAA Violation Penalty
SMS texting is a violation of HIPAA Rules, and many healthcare organizations are allowing HIPAA Rules to be violated. The majority of healthcare professionals carry mobile phones, and most send text messages. An estimated 80% of healthcare professionals use personal mobile devices, and many have sent or received PHI on those devices even though doing so violates HIPAA Rules.
The penalties for HIPAA violations are severe. Violations attributable to willful neglect can attract a penalty of $50,000 per violation, with each day a violation continues counting as a separate violation, up to a maximum fine of $1.5 million per calendar year. Ignorance of HIPAA Rules in relation to texting is not an excuse that regulators will accept.
Can Healthcare Organizations Use Texting to Communicate PHI and Avoid a HIPAA Violation?
Fortunately, healthcare organizations can take advantage of the benefits of text messages and avoid a HIPAA violation. Secure text messaging solutions have been developed by a number of solution providers. Those solutions incorporate all of the necessary controls to ensure ePHI cannot be intercepted or accessed by unauthorized individuals.
A HIPAA-compliant text messaging solution incorporates access controls to ensure only the intended recipient can access a message. Users are required to log in to the system to access messages, and they are automatically logged off following a period of inactivity. All users of the platform are in a closed network, so messages cannot be accidentally sent to unauthorized individuals outside it.
The secure messaging platforms use end-to-end encryption so that messages cannot be read if intercepted in transit, and all communications via the network are monitored and an audit trail is maintained. In the event of loss or theft of a mobile device, the platform allows all messages on the user's device to be remotely erased. The platform also contains controls to prevent PHI from being copied and pasted into other apps.
Only if these HIPAA-compliant messaging apps are used can healthcare organizations enjoy the benefits of texting and avoid violating HIPAA Rules.