I continue to get questions about texting under HIPAA. The most recent questions were in an email as follows:
- If we require our employees to maintain password protection on their smart phones, tablets, etc., can we communicate PHI to them via text messaging?
- Is there any level of PHI that could be shared via unsecure text messages, such as name and address or name and telephone number?
- Are you aware of any text messaging applications that are HIPAA compliant while being low cost?
- If a client requests non password protected email communications, such as receiving invoices, are we allowed to honor this request, or must we password protect such communications against the client’s wishes?
- If we are communicating employee to employee via email in our company “domain,” are we obligated to password protect PHI?
Before answering these discrete questions, let’s take a global view of whether HIPAA permits texting and, if so, under what conditions.
First, HIPAA, and in particular its Security Rule, does not prohibit any form of electronic transmission of protected health information (“PHI”). You simply have to meet the standards and implementation specifications of the Rule. The regulations define “electronic media” as follows:
- electronic storage media including computer hard drives, and any removable/transportable digital memory medium such as magnetic tape or disk, or digital memory card; and
- transmission media used to exchange information already in electronic storage media, for example the Internet, extranet or intranet, leased lines, dial-up lines, private networks; and the physical movement of removable/transportable electronic storage media.
Certain transmissions, such as paper-to-paper faxes, person-to-person telephone calls, video teleconferencing and/or messages left on voicemail, do not constitute transmission by “electronic media” and, accordingly, are not subject to the HIPAA security rules.
Note that this exception for paper faxes applies even if the receiver of the transmission receives the fax via computer.
Source: 45 C.F.R. § 160.103.
One might wonder why text messaging is covered by the Security Rule’s transmission media rules when leaving a voice message is not. The difference is that a voicemail message does not start out in electronic form; it is only stored electronically afterward. That distinction does not mean that you need not protect PHI in a voicemail message, because the Privacy Rule, which applies to all PHI and not just the electronic PHI that the Security Rule covers, has a safeguards component of its own. 45 C.F.R. § 164.530(c). HHS guidance notes that the Privacy Rule’s safeguards standard is flexible and does not prescribe any specific practices or actions that covered entities must take. See hhs.gov, Office for Civil Rights, “The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment.”
Thus, HIPAA permits the use of text messaging if the Security Rule’s standards are met, which should also qualify as “appropriate safeguards” under the Privacy Rule.
Among other benefits, texting is fast and direct, and it simplifies the traditional, laborious pager-and-callback workflow that hospitals and other organizations have used for years. Balancing against these benefits, however, are security concerns. Ordinary text messaging (SMS) is inherently insecure. For example, text messages containing electronic protected health information (“EPHI”) can be read and forwarded by anyone with access to the handset, remain unencrypted on telecommunication providers’ servers, and stay indefinitely on senders’ and receivers’ phones. Further, senders cannot authenticate the recipient of an SMS message: a delivery receipt shows only that a number received it, not who is holding the phone. Studies have shown that 38 percent of people who text have sent a text message to the wrong person. Consequently, the Joint Commission, formerly known as the Joint Commission on Accreditation of Healthcare Organizations, has severely restricted physicians’ use of text messaging for any communication that contains EPHI. The article cited below distills the following guidelines for developing secure communication systems:
- Secure data centers—Healthcare organizations typically store patient information in either onsite or offsite (cloud) data centers. HIPAA requires these centers to have a high level of physical security, as well as policies for reviewing controls and conducting risk assessment on an ongoing basis.
- Encryption—EPHI must be encrypted both in transit and at rest. Note that this guideline goes further than HIPAA itself, which treats encryption as an “addressable” implementation specification: the covered entity must implement it if doing so is reasonable and appropriate, and otherwise must document why it is not and implement an equivalent alternative measure where that is reasonable and appropriate. 45 C.F.R. § 164.306(d)(3).
- Recipient authentication—Any communication containing EPHI must also be delivered only to its intended recipient. A texting solution should allow the sender to know whether, when, and to whom a message has been delivered.
- Audit controls—Any compliant messaging system must also have the ability to create and record an audit trail of all activity that contains EPHI. For a text messaging system, this requirement includes the ability to archive messages and information about them, to retrieve that information quickly, and to monitor the system.
Source: Andrew A. Brooks, MD, “Healthcare Texting in a HIPAA-Compliant Environment: Texting speeds communication but could put you at risk,” American Academy of Orthopaedic Surgeons. See also “New Guidance on Posting, Texting, and Email for Doctors,” HIPAA & HITECH Act Blog by Jonathan P. Tomes.
For creating a policy on mobile electronic devices, covered entities can choose from three approaches:
- Forbid the use of text messaging in the organization for work purposes. This approach may be inefficient and hard to audit for compliance, to say nothing of hard to enforce.
- Allow text messaging in the covered entity but not for transmitting PHI. This approach acknowledges the benefits of the technology and provides guidelines and provisions around its use. This type of policy is better than the first option because the chief information officer (“CIO”) is taking responsibility for the use of the devices and providing some direction. Policies may address message life, password format, password timeout, remote erase for email, and other specifics. Ultimately, though, this approach can also be hard to enforce, and the possibility remains that EPHI will be sent to a vendor or an out-of-IT-network affiliate.
- Create a mobile device strategy. This option embraces the benefits of the technology and acknowledges that real-time communication is paramount to the success of the organization. In health care, real-time communication can mean the difference between life and death. With this approach, the technology is fully secured and can be used efficiently and effectively.
Unless the first approach is selected, the covered entity must conduct and document a written risk analysis, implement reasonable and appropriate security measures, and update the risk analysis periodically and/or as conditions change.
Source: Cliff McClintick, “A CIO Guide to Electronic Mobile Device Policy and Secure Texting,” EMR & HIPAA (An Open Forum for EMR, EHR, HIT and HIPAA Related Information).
If text messaging is permitted, having patients sign an informed consent to the use thereof is recommended. See my sample Text Messaging Policy and User Agreement discussed on my June 29, 2014 blog post.
With that background, let’s answer the questions that engendered this blog post:
- If we require our employees to maintain password protection on their smart phones, tablets, etc., can we communicate PHI to them via text messaging?
Requiring password protection on the devices will not by itself make the use of text messaging compliant. If your risk analysis demonstrates that a device password is reasonable and appropriate, it could serve as the documented alternative to encrypting data on the device (but consider the Joint Commission encryption requirement discussed above). Bear in mind that a device password protects the message only while it sits on the handset; it does nothing for the message in transit over the carrier’s network or while it sits on the carrier’s servers, so the risk analysis must address those exposures separately. Beyond password protection, consider whether you need business associate agreements with service providers, an audit capacity, and the like, as suggested above.
- Is there any level of PHI that could be shared via unsecure text messages, such as name and address or name and telephone number?
Name, address, and telephone number can certainly qualify as PHI when a covered entity holds them in connection with a patient’s care or payment, and even if a particular combination did not, its exposure could still facilitate identity theft. That being said, such largely sanitized data may require less protection than more sensitive data. Not to beat a dead horse, but you work this issue out in your risk analysis and document the conclusion.
- Are you aware of any text messaging applications that are HIPAA compliant while being low cost?
Yes, but it is against our policy to name them in this blog. You can find many on the internet. If you find one that looks good, email me, and I’ll let you know what our tech expert thinks.
- If a client requests non password protected email communications, such as receiving invoices, are we allowed to honor this request, or must we password protect such communications against the client’s wishes?
Yes. Under the individual’s right to request confidential communications by alternative means, 45 C.F.R. § 164.522(b), you may honor the request unless it would be unreasonable to do so. It is good practice to advise the client that unencrypted email carries some risk of interception and to document that the client still prefers it.
- If we are communicating employee to employee via email on our company “domain,” are we obligated to password protect PHI?
Same answer as above regarding password protection: your risk analysis determines what is reasonable and appropriate for internal email. Remember, too, that health information a covered entity maintains or transmits purely in its capacity as an employer (employment records) is not PHI.
Hope this helps!
If you would like to buy a one-year subscription to the Premium Member section of our Veterans Press website, you can do so here. Better yet, you can have a free one-year subscription if you buy the complete HIPAA Compliance Library. If you would like to renew your membership or have forgotten your password, please leave us a message on veteranspress.com.