True Or False: The Facts Surrounding Hipaa-Compliant Texting
True or False: The Facts Surrounding HIPAA-Compliant Texting
This embrace of texting carries over into many industries, including the medical world—but it also raises significant questions about confidentiality. Given the strict privacy laws surrounding our medical data, is HIPAA-compliant texting possible?
Source: Shutterstock
A Brief Background on HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects an individual’s sensitive medical information. In particular, the HIPAA Privacy Rule outlines the rules for using and sharing private health information, also known as protected health information or PHI.
HIPAA protects an individual’s right to privacy over their medical data. At the same time, it also ensures even strict privacy rules won’t affect the provision of quality healthcare, nor will it endanger public health.
When communicating with patients, medical health professionals must strictly conform to HIPAA guidelines. This means any form of communication between a patient and their health provider should remain in the utmost confidence. The burden of preserving that confidentiality lies with the healthcare company.
In general, texting presents a number of concerns related to data privacy. Of course, the decision to disclose information via text messaging or any other non-HIPAA-compliant methods rests on the individual.
What Does HIPAA Compliance Look Like?
HIPAA mandates that companies that routinely handle protected health information should have certain security measures in place to prevent unauthorized disclosure. Specifically, the law stipulates that companies should have adequate measures in three areas: privacy, security, and breach notification.
Healthcare facilities and medical professionals began migrating to computer systems to benefit from the advantages of digitization. However, this system of storing information in computers also placed information at risk of being stolen, tampered with, or released. HIPAA compliance ensures these companies take the necessary precautions and implement systems that keep data safe and secure.
A key factor of compliance is making sure that, aside from the healthcare provider, only the patients have access to their own records. Retrieving information from a HIPAA-compliant records storage facility should feature physical safety measures such as
- Limited access to the records area
- Authorization policies governing who can use devices that access PHI
- Set rules on the movement and transmission of PHI using electronic media
The US Department of Health and Human Services (DHHS) also requires medical centers to implement additional measures to ensure full compliance. These include enforcing policies that restrict access to data, such as automatic shutoffs and applying encryption methods. DHHS also requires organizations to create and submit regular audit reports and logs that show HIPAA compliance.
What Is HIPAA-Compliant Texting?
Source: Shutterstock
While texting does offer a world of convenience, it falls flat in terms of security. For example, you can’t take back a message you’ve inadvertently sent to the wrong person. While some apps allow you to delete a message you previously sent, it won’t prevent anybody from seeing a wrongly-sent message.
In addition, people who leave their smartphones lying about without adequate locks will often leave messages out in the open for everyone to see. What’s more, 8.7 million cell phones were stolen or lost in 2021, leaving much private information at risk.
Considering all of this, texting is usually not HIPAA-compliant. The majority of popular messaging apps rarely have all three HIPAA requirements—access controls, audit controls, and encryption—present. As such, the health or medical facility won’t be able to guarantee privacy should they decide to transmit medical information via text.
- Access controls assign varying levels of PHI access. The type of access level depends on the job role.
- Audit controls ensure the frequency at which data gets accessed remains within normal ranges.
- Encryption ensures that without a decryption key, users will find the data stored in the device as unintelligible gibberish.
In addition, HIPAA-compliant texting systems should also have structures in place to check the integrity of the information being processed.
Do You Need HIPAA Compliance in All Text Messages?
If HIPAA guidelines discourage the use of text messaging among patients and their healthcare partners, why not ban texting across the board? Unfortunately, it’s not as simple as that. As many as 3 billion people send and receive text messages each day. This roughly translates to a daily barrage of 23 billion text messages across the globe.
Texts are less demanding than phone calls but carry more urgency than an email. As long as you have a phone with a working signal, you can send and receive messages from another phone. This convenience lets healthcare providers offer an additional level of service to their patients. Still, HIPAA compliance must be taken seriously.
What Are the Rules for HIPAA-Compliant Texting?
HIPAA compliance is required in all modes of communication between providers and patients. This includes text messages, although HIPAA does give texting a little bit of breathing room.
Texting only becomes HIPAA-compliant when protected health information is involved. In addition, entities become HIPAA-compliant only if they follow the rules regarding texting. This includes only using secure systems and platforms when texting patients.
Using a regular smartphone and typical messaging apps is a big no-no. So is asking an office assistant to send a message regarding a patient’s health records from their personal devices. At minimum, any text-based communication with patients should utilize a designated company phone that’s HIPAA-compliant.
Can You Send Non-HIPAA-Compliant Text Messages?
The only exception to HIPAA compliance texting is sending messages that do not contain any references or details of protected health information. Common examples would be office assistants using their personal phones to confirm appointments with patients. However, doing so requires very careful message compositions that will need additional checking before hitting send.
Also note that even if you send a non-HIPAA-compliant text, a patient’s reply that contains any PHI requires you to immediately switch to your HIPAA-compliant texting system. As some patients tend to overlook or not know HIPAA measures, your office should be proactive to prevent any serious violations.
Best Practices for HIPAA-Compliant Texting
Don’t be intimidated by HIPAA-compliant texting should you choose to implement it. The key is to ensure proper security measures are in place. Here are some best practices:
Always Take Patient Consent
Patients must give their informed, written consent before accepting text alerts from their doctor, laboratory, or health insurance provider. At the same time, HIPAA’s texting guidelines require companies to make it clear to recipients that text messaging is not a secure method. As such, companies must make sure the patient understands and accepts the risks associated with data privacy and texting.
However, permission doesn’t necessarily mean blanket authority to disclose all information via text messaging. Patients may consent to receive text messages on non-protected medical information such as appointments or general reminders. But receiving medical information via SMS requires specific written permissions.
In addition, when providers send non-PHI messages to clients and clients reply with a PHI reference, providers must switch to a HIPAA-compliant platform. Only then can they resume the conversation.
Establish Rules Around PHI Access When Texting
Once the patient explicitly gives their consent to HIPAA-compliant texting services, it’s time to establish additional ground rules. For instance, patients should realize compliance with HIPAA regulations focuses on information protection and security, not convenience. Expecting an easier process of receiving medical information via HIPAA-compliant texting isn’t happening. This confirms to the patient that security is a serious concern and of paramount importance for the industry and the government.
HIPAA compliance should also apply across the healthcare provider’s staff. However, not everybody gets to access everything, nor should all staff members have the same access levels to patient records. As a result, businesses should assign access to people in their organization depending on how much information a worker requires.
In addition, administrators should activate the following features:
Unique User IDs
The unique ID gives exclusive but limited access to PHI. At the same time, that unique identification allows the system to track and hold workers accountable. A quick scan can show which employees are currently accessing HIPAA files or making frequent trips to the library.
Emergency Access Procedures
During an emergency, companies should remain ready for any eventuality. For example, what if a power outage occurs? The emergency access procedure lists which members of the organization can still access important data during an emergency.
Auto Lock and Logout
As part of heightened data security measures, users should avoid staying logged on platforms. At minimum, HIPAA devices should have an auto-lock feature. As soon as the system remains idle for several minutes, the auto-lock activates. After an additional few minutes, where the auto-lock features remain engaged, the system should also automatically log out users and prevent further access.
Implement Multi-Factor Authentication
When sending PHI to patients, the system should take pains to ensure the information goes only to the designated recipient. That’s why it’s important to implement additional safety features such as multi-factor authentication. Otherwise, providers run the risk of disclosing sensitive information to someone not authorized to receive it.
HIPAA-compliant authentication methods include the issuance of one-time passwords to a patient’s mobile device. A smart key or token is also an excellent means of verifying a user’s identity. For more modern smart devices, included biometrics such as face or fingerprint recognition can also serve as additional authenticators. Using one or combining these methods can verify whether the user claiming to be the actual PHI recipient really is who they say they are.
Encrypt Text Messages
Transmitting protected health information can also run into interference or eavesdropping. HIPAA requires companies to exert efforts to ensure the privacy and security of messages being sent. In fact, HIPAA set two requirements for a secure texting experience:
- Protect the integrity of PHI during transmission
- Encrypt PHI during transmission
The first requirement ensures the content of the original message stays the same when it arrives at its intended recipient. Data integrity requires that no part of the PHI gets modified or erased before and during transmission.
More importantly, HIPAA-compliant texting should undergo encryption during the transmission process. If the message gets intercepted or inadvertently sent to someone else, the full encryption can render the information useless and unreadable to whoever finds it. HIPAA gives companies leeway in choosing which encryption vendor can provide a minimum requirement.
Ensuring both the integrity and security of PHI are critical steps that can establish your practice as a leader in HIPAA-compliant texting and communication services.
Source: Shutterstock
When Performing HIPAA-Compliant Texting, Avoid Sending to Landlines
Healthcare providers and ancillary services often deal with multiple patients at the same time, so sending individual HIPAA-compliant text messages can be a formidable task. Thankfully, automated systems provide additional safety and security measures, which keeps the PHI entrusted in your digital records safe as well.
Your staff should do everything it can to ensure the patient’s contact number is in fact a legitimate cell phone number and not a landline. Sending text messages to landlines is not only a big waste of time and effort, but it can also mean a potential violation of HIPAA rules.
A service such as Landline Remover is a great way to automatically remove landline numbers in your contact lists. Simply drop your list of phone numbers into Landline Remover’s website, and the platform will quickly weed out the ones you can’t text to.
Find out how effective Landline Remover is—visit our site today and get 1000 free credits.