Many medical institutions and practices have switched to text messaging because of its ease of use through a telemedicine software platform. However, many agencies, such as the Centers for Medicare & Medicaid Services (CMS), have voiced concerns about text messaging in the medical industry because of the potential for security and patient privacy risks.
Due to the risks of text messaging as a communication tool, many healthcare providers wonder whether texting their patients is appropriate or allowed. According to HIPAA Journal, texting, in general, is not HIPAA compliant, but there are workaround solutions.
It is important to note that the HIPAA Privacy and Security Rules do not explicitly mention text messaging, but they specify certain regulations that apply to electronic communications.
To make things clearer, let’s take a closer look at the key HIPAA regulations for text messaging in healthcare.
Ordinary Text Messaging Is not HIPAA Compliant, but Secure Messaging Applications Are
Although text messaging is not a secure communication channel, HIPAA accepts that text messages are an important means of communication in healthcare. Texting is now essential for effective communication between healthcare providers and patients.
HIPAA acknowledges that many secure messaging applications satisfy HIPAA’s requirements — transmission security, access and authentication controls, audit controls, and system protection — to ensure the integrity of protected health information (PHI).
HIPAA permits texting in healthcare, but healthcare organizations and providers must use and maintain a text messaging platform that is HIPAA compliant.
HIPAA Allows Healthcare Providers to Text Patients, but They Must Warn Their Patients about the Potential Risks of Using Unsecured Channels.
HIPAA wants to steer clear of any misunderstanding surrounding texting violating its rules. The HIPAA Privacy and Security Rules do not acknowledge texting per se, but they regulate conditions that apply to texting.
For one, HIPAA states that it’s okay for healthcare providers to text their patients provided that the content of the text message does not include personal identifiers and complies with the minimum necessary standard.
Patients prefer receiving and sending text messages with their healthcare providers because it is more efficient. Meanwhile, these providers must warn patients of the risks of communicating personal information over an unencrypted channel.
More importantly, it’s okay to send texts when the mechanisms are in place to comply with the technical safeguards of HIPAA.
Covered HIPAA Entities Must Establish Procedures and Policies to Manage Users Who Have Access to PHI.
HIPAA does not explicitly prohibit covered entities from including PHI in text messaging. However, texting safeguards must be in place for text messaging to be HIPAA compliant and ensure confidentiality of PHI when it is stored or in transit.
HIPAA requires covered entities to place controls on who can access PHI and what these users do with PHI when they access it. The HIPAA Security Rule requires the following safeguards to ensure HIPAA compliance:
- Unique user IDs that systems can track to hold authorized users accountable for their activity while logged into a system containing PHI
- Access procedures during emergency or urgent scenarios where a covered entity must grant access to PHI
- Secured software that automatically logs users off after a predetermined time of inactivity
- Messaging encryption to ensure no unauthorized users can access PHI
These safeguards ensure that even when an electronic device containing PHI gets lost or stolen, the PHI remains protected from unauthorized access.
For Texting to Be HIPAA Compliant, Covered Entities Must Implement Audit and Integrity Controls into Their System.
The HIPAA Security Rule stipulates covered entities and their business associates implement audit controls to document and review activities related to PHI’s creation, modification, access, sharing, and deletion.
HIPAA explicitly states that covered entities must not alter or destroy PHI in an unauthorized manner. That is why safeguards, such as integrity controls, are vital to ensure the integrity of PHI through its processes and functions.
By implementing comprehensive audit and integrity controls, covered entities and their BAs can analyze, identify, and mitigate any present or potential risks associated with their system’s technical structure and software security relating to PHI.
HIPAA Says to Be Mindful; Do not Send Text Messages Mentioning PHI.
Most HIPAA violations are a result of negligence and lack of understanding of HIPAA regulations, especially in disclosing PHI through unsecured text messaging.
Texting is very vulnerable to human error; so physicians or medical staff can easily send sensitive patient information to the wrong number, committing a data breach. That is why you and your team must be very vigilant when texting patients, specifically if you include health data.
Suppose you want to disclose a patient’s information via text — but HIPAA states that you must avoid mentioning PHI. A solution to this problem is Curogram’s HIPAA-compliant texting platform; it integrates secure communication systems in compliance with HIPAA for data protection. With it, you can send PHI over text messages without having to worry about security threats.
Curogram Is HIPAA-Proof, Complying with All the Key HIPAA Regulations for Text Messaging.
There are clear roadmaps now for your medical practice to adopt HIPAA-compliant texting. Be aware that many free texting apps are not HIPAA compliant. Choose a platform that offers robust office-to-patient communication functionality.
Curogram is an all-in-one telemedicine solution that complies with the following HIPAA regulations:
- HIPAA Security Rule technical safeguards — access controls, emergency access procedures, automatic logoff, and encryption and decryption
- Audit controls
- Integrity controls
- Transmission security
- Breach notification rule
If you are interested in starting a trial or learning how Curogram can add $80,000/year per doctor to your bottom line, click here.short url: