The HIPAA regulations regarding text message (SMS) communication are as follows: it is acceptable to interact with a patient through text message (SMS) if the patient initiated the contact or specifically requested private conversations via text message. However, in these cases, the patient must be informed about the risks associated with text messaging, and this warning must be documented. In all other scenarios, including provider-to-provider communication, certain conditions must be met in order for text messages (SMS) to comply with HIPAA regulations when transmitting PHI. Unfortunately, most text messages (SMS) fail to meet these requirements due to their lack of encryption, inability to retract messages sent to the wrong recipient, and vulnerability to interception on public Wi-Fi networks. Although there are mechanisms available to address these issues with text messages, they are seldom utilized. Additionally, problems arise from the fact that text messages (SMS) are unaccountable and persist on service provider servers indefinitely. To resolve these concerns, the best approach is to avoid including any PHI in text messages (SMS) altogether. Importantly, it is crucial to note that the HIPAA regulations for text messages (SMS) also extend to Instant Messaging services like WhatsApp and iMessage, as well as emails.
Most of the regulations pertaining to the usage of text message, IM, and email under the Health Insurance Portability and Accountability Act (HIPAA) are encompassed within the technical safeguards outlined in the HIPAA Security Rule. These safeguards mandate the implementation of various security measures, including access controls, audit controls, integrity controls, ID authentication, and transmission security, to effectively thwart any unauthorized access to protected health information (PHI).
To ensure that all communications containing PHI can be monitored and logged, every authorized user must have a unique login username and PIN for the selected communication mechanism. Additionally, any mechanism used to transmit PHI must include an automatic logoff feature to prevent unauthorized access from unattended desktop computers or mobile devices. PHI must also be encrypted in transit to safeguard its confidentiality. These security measures make it challenging for HIPAA covered entities to comply with the regulations for text messages, IM, and email. Creating a communication channel that requires a user login is relatively simple, but monitoring users' activity and enforcing logoff is a more complex task. Encryption is likewise delicate to implement: for PHI to be communicated securely between healthcare organizations, medical professionals, Business Associates, and other covered entities, the encryption solution must work across different operating systems and devices and must use a standardized decryption key. These complexities are what justify the exemption that allows electronic communication of PHI between medical professionals and their patients.
The HIPAA rules for communication through text messages, IM, and email are intricate, and they apply differently to different entities depending on their size, the type of service they provide, and how much PHI they transmit. There is, however, one solution that satisfies these rules regardless of an organization's structure: secure messaging. Like text messages (SMS) or IM, secure messaging uses apps that provide encrypted text messages, image sharing, and group discussions. Compatible with all devices and operating systems, these apps require users to authenticate their identity with a centrally issued username and PIN. Safeguards prevent unauthorized access to PHI from unattended desktop computers or mobile devices, and further controls prevent PHI from being copied, saved to an external hard drive, or sent to third parties outside the organization's authorized network. The network is continually monitored, and security measures such as automatic logoff protect the integrity of PHI. If a mobile device belonging to an authorized user is lost or stolen, administrators can remotely delete any communication containing PHI and lock the secure messaging app.
Implementing a secure messaging solution that complies with HIPAA regulations for text messages, IM, and email can bring significant benefits, particularly for healthcare organizations. One of the key advantages is the ability to conveniently send and receive protected health information (PHI) while on the move. Additionally, the inclusion of group messaging functionality expedites communication cycles and can shorten the time required to process hospital admissions and patient discharges. Moreover, when integrated with an Electronic Medical Record (EMR) system, a secure messaging solution enables the sharing of patient notes, freeing up physicians to dedicate more time to their patients. A study conducted by the Tepper School of Business at Carnegie Mellon University in 2015 revealed that the integration of such a secure messaging solution resulted in a 27% decrease in patient safety incidents and a 30% reduction in medication errors.