Best forms of encryption for HIPAA compliant text messaging

At least 67% of the global population uses text messaging. Encryption ensures that messages sent between providers and patients are scrambled into an unreadable format, making it impossible for anyone else, including the service provider, to read the contents of the message. 

Why encryption is necessary for HIPAA compliant text messaging

Text messaging is a viable healthcare communication solution due to its common use, but it can be tricky to apply due to the lack of security offered by standard text messaging solutions. A Journal of General Internal Medicine article offered the following, “..in 2016, the Joint Commission disallowed standard text messaging to convey patient information, citing the potential for privacy violations. Instead, it stipulated that healthcare organizations must use secure text messaging systems (STMS) with key features including a secure sign on process, encrypted messaging, and delivery and read receipts.” 

One of the deficits found in text messaging is the lack of encryption. When healthcare providers and associated entities use HIPAA compliant text messaging to communicate protected health information (PHI), encryption acts like a secure envelope. This allows only the intended recipient with the correct "key" to open and read the message. This security measure protects against the risk of data breaches, cyber attacks, and unintended disclosures, which could occur if the information were intercepted during transmission.

Text messaging encryption techniques recommended for healthcare

Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication over a network. It can be applied to text messaging to provide for the secure transmission of PHI. There is still the potential for added complexity and configuration required to use TLS.

Asymmetric encryption, also known as public key encryption, uses a pair of keys, a public key for encryption and a private key for decryption. This method eliminates the need to securely share a single key between the sender and receiver. The potential downside is the slower encryption and decryption process compared to symmetric encryption.

Symmetric encryption is a type of encryption where the same key is used for encryption and decryption. It is a faster method compared to asymmetric encryption but requires a secure method to share the key between the sender and receiver. However, there is the risk of key compromise, which could lead to unauthorized access to PHI.

How to implement HIPAA compliant text messaging 

1. Partner with a HIPAA compliant text messaging vendor: Vet and select a vendor specializing in encrypted text messaging solutions for healthcare. Making sure that they are willing to sign a business associate agreement (BAA). Consider vendors known for their work in secure patient engagement, like Paubox.
2. Customize message templates: Develop message templates for various follow up scenarios, personalized with the patient’s name, medication details, and specific follow up instructions. Templates should be reviewed and approved by legal and compliance teams for HIPAA adherence.
3. Patient consent and onboarding: At discharge or after the visit, inform patients about the text messaging program. Use educational materials that discuss the benefits and security of the program. Also, make sure you have documented written consent.
4. Integrate text messaging into discharge process: Train staff on how to enroll patients in the text messaging program during the discharge process, including how to input patient information and consent into the system.
5. Automate follow up and medication reminders: Set up the system to automatically send follow up care instructions and medication reminders based on the discharge date and prescribed treatment plan. 
6. Monitor engagement and respond to queries: Designate staff members to monitor patient responses to text messages and provide timely answers to questions. Establish protocols for escalating concerns that cannot be addressed via text.
7. Measure impact and adjust strategy: Analyze program outcomes, such as readmission rates, medication adherence rates, and patient satisfaction scores. Adjust the text messaging strategy based on these findings to improve patient outcomes.

See also: The guide to HIPAA compliant text messaging

FAQs

Can any text messaging app be used for communicating PHI?

No, not all text messaging apps are suitable for communicating PHI. 

What is PHI?

PHI refers to any information in a medical record or other health-related information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service.

Can emails be HIPAA compliant for sharing PHI?

Yes, emails can be HIPAA compliant for sharing PHI if they are properly encrypted and secure, and if the email service provider enters into a BAA with the healthcare entity.