How to ensure text messaging compliance during HIPAA audits

Conducting audits allows organizations to determine if they meet the necessary policies and procedures for compliance with required standards. Text messaging is a popular communication channel in healthcare, and conducting HIPAA compliance audits helps maintain patient privacy when using this medium.

The final omnibus rule and its role in regulating ePHI 

The Final Omnibus Rule is a set of revisions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. It expanded the definition of business associates to include entities that handle ePHI on behalf of covered entities. This means that if a healthcare organization uses a third-party text messaging platform to transmit ePHI, that platform would be considered a business associate and must comply with HIPAA regulations. 

It also strengthened the required privacy and security protections for ePHI. This led to the expansion of breach notification requirements and more stringent penalties for violations committed in the protection of ePHI. The main aim of the revision was to provide patients with greater control over their health information, enhance privacy and security safeguards, and promote compliance across the healthcare industry.

Related: How do I know when my HIPAA privacy obligation for email encryption ends?

Assessing text messaging compliance

During a HIPAA compliance audit, the assessment of text messaging usage in a healthcare organization focuses on evaluating whether the organization's practices align with HIPAA requirements and ensure the privacy and security of protected health information (PHI). The specific focus and depth of the assessment may vary depending on the scope of the audit and the auditors' requirements.

The aspects of text messaging to evaluate

1. Policy and procedure review: The auditors will examine the organization's policies and procedures related to text messaging. They will assess whether there are clear guidelines in place regarding the appropriate use of text messaging for transmitting PHI, including any restrictions or limitations.
2. Risk analysis and risk management: Auditors will review the organization's risk analysis and risk management processes specific to text messaging. They will assess whether the organization has identified and addressed potential risks associated with transmitting PHI via text message.
3. Technical safeguards: The auditors will evaluate the organization's technical safeguards for text messaging, such as encryption, access controls, and authentication mechanisms. 
4. Business associate agreements: If the organization uses third-party text messaging platforms or services, auditors will review the business associate agreements (BAAs) in place. 
5. Documentation and record keeping: The auditors will request documentation and records related to text messaging practices. This may include logs of text message exchanges, documentation of security measures implemented, employee training records, and any incident reports or breach notifications related to text messaging.
6. Compliance with breach notification requirements: Auditors will assess whether the organization has complied with HIPAA breach notification requirements specific to text messaging.

Common violations arising from HIPAA audits 

During HIPAA compliance audits, auditors often focus on several common areas of concern or violations related to text messaging. These include: 

1. Use of unsecured platforms, such as providers that are not HIPAA compliant
2. Lack of encryption
3. Failure to obtain patient authorization 
4. Insufficient access controls
5. Inadequate employee training and awareness
6. Failure to maintain documentation and records
7. Insufficient business associate agreements (BAAs)
8. Lack of audit controls and monitoring

Corrective actions that healthcare organizations can implement 

Implementing corrective measures may include adopting secure text messaging platforms that offer end-to-end encryption and other necessary security features. Additionally, developing and enforcing clear policies and procedures specific to text messaging can provide guidance in navigating avoidable violations. All of this goes hand in hand with engaging trustworthy and efficient vendors in all methods of communication, from texting to HIPAA compliant email.

Related: HIPAA's Transaction and Code Sets Rule