Do texts between providers need to be HIPAA compliant?

Texts between healthcare providers must be HIPAA compliant because they can carry electronic protected health information (ePHI). HIPAA is technology-neutral: the Privacy Rule governs what PHI may be disclosed and to whom, and the Security Rule requires administrative, physical and technical safeguards for ePHI on any electronic channel, SMS included. To meet that bar, providers should keep patient identifiers out of messages wherever the clinical purpose allows, use an encrypted messaging platform backed by a business associate agreement, and consider secure alternatives such as HIPAA compliant email.


How do texts between providers fall under HIPAA?

HIPAA does not mention text messaging by name, but its rules apply to any electronic transmission of PHI. The Security Rule's technical safeguards (45 CFR 164.312) require access control, audit controls, integrity protection, person or entity authentication and transmission security for ePHI, and a text message is ePHI in transit and at rest on two handsets. In a recent memorandum, the Centers for Medicare & Medicaid Services (CMS) said that providers who choose to incorporate texting into their workflows and EHRs are expected to “implement a platform that meets the requirements of the HIPAA Security Rule and the HITECH Act Amendment 2021 as well as the [Conditions of Participation].” In practice that means avoiding carrier SMS for anything containing PHI and using a HIPAA compliant messaging platform that authenticates users, encrypts messages and logs access.


What HIPAA requirements apply to text message communication?

  • Patient consent: HIPAA does not require a patient's authorization for provider-to-provider texts about that patient's care; treatment is a permitted use of PHI under the Privacy Rule. Consent matters when a provider texts a patient directly. OCR's guidance on unencrypted email, applied by analogy to SMS, permits an unsecured channel only when the patient has been told of the risks and still prefers it, so providers should explain those risks, record the patient's choice, and honor a later change of mind.
  • Documentation: Keep a record of the warning given and the patient's choice, with the date and the method used. The Security Rule's documentation standard (164.316) covers records like this alongside risk analyses and policies, and they are what an OCR investigator will ask to see.
  • Security measures: The Security Rule's technical safeguards require access control (164.312(a)) and transmission security (164.312(e)) for ePHI. For texting that means a platform that encrypts messages in transit and at rest and restricts each message to its authorized sender and recipients. Encryption is an addressable specification, but a provider that chooses not to encrypt must document an equivalent alternative, and for texting none exists in practice.
  • User authentication: Person or entity authentication (164.312(d)) requires verifying that whoever reads or sends a message is who they claim to be. The rule is technology-neutral, but in practice it means a platform login with multi-factor authentication, a device PIN or biometric lock, and automatic session timeouts, because an unlocked phone is an authenticated session in anyone's hand.
  • Audit trails: Audit controls (164.312(b)) require mechanisms that record and examine activity in systems holding ePHI. A compliant messaging platform logs who sent, read and forwarded each message and when, and retains those logs so they can be reviewed and produced in an investigation; carrier SMS offers nothing comparable.
  • Avoidance of patient-identifiable information: This is risk reduction rather than a rule in itself: the minimum necessary standard does not apply to treatment disclosures between providers, but a text that omits names, dates of birth, record numbers and similar identifiers is far less damaging if the handset or the channel is compromised.
  • HIPAA compliant platforms: A messaging vendor that stores or transmits ePHI on a provider's behalf is a business associate and must sign a business associate agreement (BAA) under 164.308(b); without one the provider is non-compliant regardless of the platform's technical features. Mobile carriers are treated as conduits and do not sign BAAs, which is one more reason plain SMS does not qualify. Choose a platform that offers a BAA together with encryption, authentication and audit logging.


Ensuring HIPAA compliance in texting between providers

  • Exercise caution in sharing information: Treat every text as potentially exposed. Before sending, ask whether the recipient really needs each identifier; a bed number and a question usually carry a consult request without naming the patient.
  • Avoiding the inclusion of unnecessary PHI in text messages: Leaving unnecessary PHI out of texts is the first line of defense, because it limits what a lost phone or an intercepted message can disclose. Where the clinical purpose does require identifiers, that is the signal to move the exchange to the secure platform rather than to send it over SMS anyway.
  • Using HIPAA compliant platforms: Use a HIPAA compliant messaging platform designed for this purpose, such as Paubox, that provides encryption, user authentication, audit trails and a signed BAA. Together these give a secure environment for the exchange and protect the confidentiality of patient data.
  • Exploring secure alternatives: HIPAA compliant email, or a phone call for anything urgent, remain acceptable ways to exchange the same information. A call leaves no message body stored at a carrier or on a handset, and compliant email supplies the encryption and logging that SMS lacks.
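Both lists above recommend keeping patient identifiers out of texts. One practical way to enforce that is a pre-send screen that flags identifier patterns before a message leaves for an unsecured channel, and routes anything that trips it to the secure platform instead. The Python below is an added example, not Paubox's code or any product's: the regular expressions, the 'MRN' plus eight digits record-number format and the routing policy are assumptions, and the sample messages are constructed. It only catches the structured identifier types a regex can recognize; names, addresses and free-text clinical details need an NLP-based DLP engine.

```python
import re
from dataclasses import dataclass, field

# Illustrative (assumed) patterns for a subset of the HIPAA identifiers that a
# regex can catch. Names, street addresses, photos and free-text clinical
# details are not detectable this way and need a real DLP/NLP engine.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # US phone number with optional country code, parentheses and separators.
    "phone": re.compile(
        r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Full date of birth (MM/DD/YYYY); a bare year on its own is not an identifier.
    "dob": re.compile(
        r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"
    ),
    # Hypothetical local medical record number format: 'MRN' plus eight digits.
    "mrn": re.compile(r"\bMRN[\s:#-]*\d{8}\b", re.IGNORECASE),
}


@dataclass
class ScreenResult:
    allowed: bool                                  # True if nothing was found
    findings: list = field(default_factory=list)   # (kind, matched text) pairs
    redacted: str = ""                             # message with matches tagged


def screen_message(text: str) -> ScreenResult:
    """Flag identifier patterns in an outgoing text and build a redacted copy.

    The caller decides policy: block the send, route it to the secure
    platform, or substitute the redacted text on an unsecured channel.
    """
    findings = []
    redacted = text
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        # Findings come from the original text; redaction is applied cumulatively.
        findings.extend((kind, m.group(0)) for m in pattern.finditer(text))
        redacted = pattern.sub(f"[{kind.upper()} REDACTED]", redacted)
    return ScreenResult(allowed=not findings, findings=findings, redacted=redacted)


def route_message(text: str, secure_channel_available: bool) -> str:
    """Decide where a provider-to-provider text may go: "sms", "secure" or "blocked".

    The policy is an assumption for this example: identifier-free text may use
    SMS, anything else must use the secure platform, and if that is unavailable
    the message is blocked rather than silently sent with redactions that might
    drop clinically needed detail.
    """
    result = screen_message(text)
    if result.allowed:
        return "sms"
    return "secure" if secure_channel_available else "blocked"


if __name__ == "__main__":
    # Constructed sample messages; no real patient data.
    samples = [
        "Pt in bed 4 needs cardiology consult, can you come by at 1500?",
        "John Doe DOB 03/14/1985 MRN 00123456 SSN 123-45-6789, "
        "call family at (555) 010-1234",
    ]
    for s in samples:
        r = screen_message(s)
        print(f"allowed={r.allowed} route={route_message(s, True)} findings={r.findings}")
        print(f"  redacted: {r.redacted}")
```

The first sample passes because a bed number and a question identify nobody; the second trips four patterns and is sent to the secure platform, or blocked if that platform is down. Note that the patient's name in the second sample is not caught, which is exactly why a regex screen is a backstop for human judgement rather than a replacement for it.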


Can healthcare providers use regular SMS for patient communication?

No. Standard SMS has no end-to-end encryption: messages sit in readable form at the carrier and on both handsets, there is no user authentication beyond possession of the phone, no audit log, and no BAA, so it cannot meet the Security Rule's safeguards for ePHI. The one exception is a patient who, after being warned of those risks, asks to be texted anyway; providers may honor that preference, should document it, and should still keep the content to a minimum. For provider-to-provider messages there is no such exception, and a secure messaging platform should be used.


Are there specific guidelines for obtaining patient consent for text communication under HIPAA?

HIPAA itself does not prescribe a consent form for texting. OCR's guidance on unencrypted email, applied to SMS, is that a provider may use an unsecured channel when the patient has been told the risks and still prefers it. The practical steps are to explain that SMS is unencrypted and can be read on a lost or shared phone, record the patient's choice in writing, and let the patient withdraw it at any time. Texts between providers about a patient's treatment do not need that patient's consent, but they do need a secure platform.
