The guide to HIPAA compliant text messaging

Navigating the complexities of HIPAA compliant text messaging is crucial for healthcare providers and associates handling protected health information. This guide demystifies the requirements, implementation, and potential pitfalls, ensuring your text communications align with HIPAA regulations.




Introduction to HIPAA compliant text messaging

Text messaging is integral to communication in various sectors, including healthcare. Along with HIPAA compliant email, text messaging is among the most popular communication channels between healthcare professionals and clients. However, when it involves patient data, these communications must be secure and adhere to regulations outlined by the Health Insurance Portability and Accountability Act (HIPAA). 


Healthcare and text messaging

HIPAA compliant text messaging refers to transmitting and receiving text messages containing protected health information (PHI) in a way that aligns with HIPAA regulations. This involves using secure platforms and encryption methods to protect the data both in transit and at rest, ensuring it remains inaccessible to unauthorized individuals.

In the healthcare sector, text messaging can serve various purposes, like communication with patients, sharing patient information among healthcare providers, or assisting in discussing treatment plans.

For healthcare professionals, IT staff, or anyone else responsible for maintaining or acquiring a HIPAA compliant text messaging solution, understanding the intricacies of this complex aspect of healthcare communication is key to ensuring the privacy and security of patient information and upholding patient expectations.


Understanding HIPAA and PHI

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted to protect the privacy and security of certain health information. It applies to covered entities, including healthcare providers, health plans, and healthcare clearinghouses. One of the foundational aspects of HIPAA is the protection of PHI. 

PHI refers to any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as diagnosis or treatment. This includes a wide range of identifiable health and demographic data, such as names, addresses, birth dates, Social Security numbers, and medical records.

Under HIPAA, PHI that is transferred, received, handled, or shared through electronic media is referred to as electronic Protected Health Information (ePHI). This includes PHI transmitted by electronic media, such as text messaging.

HIPAA sets forth privacy and security rules that govern the use and disclosure of PHI. The Privacy Rule, which applies to all forms of PHI, sets standards for when PHI may be used and disclosed. The Security Rule, on the other hand, sets standards for securing ePHI, specifically. It requires covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

HIPAA compliant text messaging solutions must ensure that they adhere to these rules. Any text message containing PHI must be securely transmitted and stored, and only disclosed to authorized individuals. Understanding these requirements is the first step to implementing a HIPAA compliant text messaging solution.

Related: What are the 18 PHI identifiers?


Who needs to comply with HIPAA?

HIPAA regulations apply to a wide range of entities that handle PHI. These are primarily healthcare providers, health plans, and healthcare clearinghouses, but also extend to business associates. Let's delve into each of these categories:

Healthcare providers: Any medical or other health services provider that transmits health information in electronic form is considered a healthcare provider under HIPAA. This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.

Health plans: Health plans include health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare, Medicaid, and the military and veterans' health care programs.

Healthcare clearinghouses: These are entities that process nonstandard health information they receive from another entity into a standard format or vice versa. Examples include billing services, repricing companies, or community health management information systems.

Business associates: A business associate performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. This could include services from data analysis and processing to billing, and even software providers that handle PHI.

Any entity that handles PHI through text messages must ensure that these communications are HIPAA compliant. This includes the healthcare providers who send and receive the messages and the companies that provide the text messaging services. 

Related: How to know if you're a business associate


The role of business associate agreements

A business associate agreement (BAA) is a written arrangement that specifies each party's responsibilities when it comes to handling PHI. It's a crucial component of HIPAA compliance and ensures that business associates understand and commit to maintaining the privacy and security of PHI.

A BAA outlines the permitted and required uses of PHI by the business associate. It stipulates that the business associate will not use or further disclose the PHI, other than as permitted or required by the contract or as required by law. It also requires the business associate to use appropriate safeguards to prevent the use or disclosure of the PHI other than as provided for by the contract.

A BAA must be in place if a healthcare provider uses a third-party text messaging platform to communicate PHI. The BAA ensures that the text messaging platform will appropriately safeguard the PHI it receives or creates on behalf of the healthcare provider. It's a required step in ensuring that text messaging involving PHI is HIPAA compliant.

Related: Business associate agreement provisions


Requirements for HIPAA compliant text messaging

HIPAA compliant text messaging involves more than just sending a text message from a secure platform. It requires a comprehensive approach that takes into account several requirements:

  • Secure platforms: The platform used for sending and receiving text messages must be secure. This means it should have security measures in place, including encryption, to protect the integrity and confidentiality of PHI.
  • Encryption: HIPAA requires that PHI be encrypted during transmission. This means the data must be transformed into a code that can only be accessed with a key. Encryption ensures the data remains unreadable if a text message containing PHI is intercepted during transmission.
  • Access controls: Only authorized individuals should have access to PHI. This means the text messaging platform should have access controls, such as unique user identification, emergency access procedures, automatic logoff, and encryption and decryption.
  • Audit controls: HIPAA requires covered entities to implement hardware, software, and procedural mechanisms to record and examine access and other activity in information systems that contain or use PHI.
  • Integrity controls: Covered entities must have measures to ensure that PHI is not improperly altered or destroyed. Electronic measures must be implemented to confirm that PHI has not been improperly altered or destroyed.
  • Transmission security: Covered entities must protect against unauthorized access to PHI that is being transmitted over a network. This includes ensuring that text messages containing PHI cannot be improperly modified without detection, from transmission until disposal.
  • Business associate agreement: If a third-party service is being used to send or receive text messages containing PHI, a BAA must be in place between the healthcare provider and the service provider.


How to implement HIPAA compliant text messaging

Implementing HIPAA compliant text messaging involves a series of steps that ensure the privacy and security of PHI. 

  1. Choose a secure platform: The first step is to choose a secure text messaging platform that offers encryption. The platform should also have robust access controls and audit controls in place.
  2. Sign a business associate agreement: If you're using a third-party service for text messaging, make sure to sign a BAA with them. This agreement will ensure that the service provider knows their responsibilities when handling PHI.
  3. Train your staff: Your staff should be trained on the importance of HIPAA compliance and how to use the text messaging platform securely. They should know the potential HIPAA violations and how to avoid them.
  4. Implement policies and procedures: You should have clear policies and procedures for using text messaging to communicate PHI. This includes who can send and receive text messages, what information can be included in the messages, and how to handle any potential security incidents.
  5. Regularly review and update your practices: Regularly review and update your text messaging practices to ensure they remain compliant with HIPAA regulations. This includes periodically training your staff and updating your policies and procedures.


Potential violations and fines

Non-compliance with HIPAA regulations can lead to severe consequences, including findings of violation and fines. Violations can occur in various ways, such as unauthorized access to PHI, loss or theft of devices containing PHI, lack of proper safeguards, and failure to conduct risk assessments.

The fines for HIPAA violations are tiered based on the level of negligence. They can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.

It's also important to note that violations can lead to other consequences beyond financial penalties. They can damage a healthcare provider's reputation, erode patient trust, and sometimes even lead to criminal charges.

Potential violations could occur if text messages containing PHI are intercepted during transmission, if they are accessed by unauthorized individuals, or if they are not properly disposed of.

Remember, the goal of HIPAA is to protect the privacy and security of patients' health information. By adhering to HIPAA regulations, healthcare providers avoid potential violations and fines and demonstrate their commitment to their patients' privacy and well-being.



Here are some frequently asked questions about HIPAA compliant text messaging.

When does my HIPAA liability end when sending a text message?

The sender's HIPAA liability for a text message ends once the message is securely delivered to the intended recipient. The recipient then assumes responsibility for maintaining the security of the PHI.


Am I responsible for incoming text messages to be HIPAA compliant?

As a healthcare provider or a business associate, you are responsible for ensuring that the systems you use to receive and store incoming text messages containing PHI are HIPAA compliant. However, you are not responsible for the sender's compliance with HIPAA when they send you a message. If you receive PHI through non-compliant methods, it's best practice to inform the sender of the correct, compliant methods to share PHI.


Is password protection sufficient for HIPAA compliant text messaging?

While password protection is a crucial part of securing PHI, it's not sufficient on its own for HIPAA compliance. HIPAA compliant text messaging also requires encryption, secure platforms, access controls, audit controls, integrity controls, and transmission security.


How should international companies handle HIPAA compliance?

International companies that deal with PHI of U.S. patients are required to comply with HIPAA regulations. This includes ensuring their text messaging practices are secure and compliant with HIPAA.


Can patients opt out of HIPAA protections?

Patients cannot opt out of HIPAA protections for their PHI. HIPAA is a federal law that provides baseline protections for all patients' health information.


Do text messages qualify under the HIPAA Conduit Exception rule?

No, text messages do not qualify under the HIPAA Conduit Exception Rule. The Conduit Exception Rule applies to entities that merely transmit PHI and do not have access to the content of the information. These entities include services like the postal service or internet service providers.

Text messages, however, are typically stored on the sender's and receiver's devices and potentially on the service provider's servers. Because this information can be accessed, even if not routinely accessed, text messaging platforms do not fall under the Conduit Exception Rule and must comply with HIPAA regulations if they transmit or store PHI.

Related: HIPAA Conduit Exception Rule – what is it?


What is HITRUST?

HITRUST is a standards development organization that was founded in 2007. It develops and maintains a healthcare compliance framework called the HITRUST CSF. The HITRUST CSF is designed to unify security controls from federal law (HIPAA), state law, and non-governmental frameworks (PCI-DSS) into a single framework tailored to use in the healthcare industry.

Paubox solutions have been HITRUST CSF certified since 2019.