Texting, HIPAA Compliance and Assurance

When the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, texting was not a mainstream form of communication.  Since then, the world has changed – so how do clinicians remain compliant while still using communication tools in the modern environment?

While HIPAA does not address text messaging in specific language, it does contain a Security Rule regarding controls of access, integrity, methods for authentication, and transmission security when protected health information is being submitted electronically.  Because of the regulations for electronic submission, most common SMS (text) and IM (instant messaging) platforms are in violation of HIPAA.  

A quick review of the Security Rule:

  • Access to PHI must be limited to authorized personnel who require the information to do their jobs – the “need to know” rule.
  • The activity of authorized users must be monitored by a security system.
  • Those with permission to access PHI must authenticate their identity with a centrally issued username and PIN.
  • Policies and procedures must be in place to prevent PHI from being altered or destroyed.
  • Data transmitted beyond the organization’s internal system should be encrypted.

Unlike a face-to-face interaction or even a phone call, one cannot be certain that the text was received by the right person at the right number, nor is there any control over who picks up the phone and reads it. Texts can also be modified, forwarded to others, and remain accessible on service providers’ servers indefinitely.

Over the past few years, many healthcare organizations have had a major increase in professionals using their personal mobile devices to support their work. With the pressures to work faster, see more patients, and communicate as a team – it is no surprise that clinicians have gravitated toward texting.  It is easy, convenient, and can be done on-the-go from anywhere. Fines for breaching HIPAA can range from $100 to $50,000 per day for healthcare organizations, depending on the situation.  Healthcare organizations simply cannot afford to turn a blind eye to texting in violation of HIPAA; they must create a policy and workflow that supports staff yet remains in compliance. 

In alignment with HIPAA, CMS issued guidelines under its Conditions of Participation (CoPs), beginning in 2017.

“In order to be compliant with the CoPs or CfCs, all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations.”

One key caveat of the CMS rule is that “CMS does not permit the texting of orders by physicians or other health care providers.” Obviously, texting in a healthcare environment must be done with extreme care, and with an assurance that all conditions are met.  So what are those specific requirements? HIMSS has offered specific guidance about texting between clinicians and patients:

HIPAA Texting Guidelines

To safely use texting in a healthcare setting, remember the following items:

Do:

  • Ask for consent before texting a patient
  • Make sure that you are only texting PHI to clinicians that have a “need to know”
  • Password protect your phone
  • Double check that the number is correct before texting
  • Keep your cell phone secure on your person
  • Delete text messages after communication is complete and documented as needed
  • Avoid storing a first and last name associated with the texting phone number
  • Respond with a new text message each time instead of replying to the original

Texting in healthcare is certainly a useful form of communication that is here to stay.  Healthcare organizations with policies and education in place for texting empower clinicians to communicate faster and reach patients – wherever they are.

By knowing the HIPAA Security Rule and the guidelines above, healthcare workers and practices can absolutely maintain compliance when transmitting PHI via texting, while also continuing to provide a high level of personalized patient care.