Healthcare service providers regularly access or communicate protected health information (PHI) between themselves or healthcare workers. An efficient and convenient way to communicate is through text messages. While this method offers speed and accessibility, it is not always secure. SMS transmissions are susceptible to a breach incident. PHI handlers must find a way to balance convenience and security, as per the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA safeguards the confidentiality of patient health data.
If you are a Business Associate (BA) whose software is used to send messages or offer answering services that communicate via text, you must comply with HIPAA.
This article is for business associates who use text messaging to transmit PHI and wish to stay HIPAA compliant. You will understand the HIPAA laws for texting, and learn more about HIPAA-compliant text messaging apps and their features.
What is HIPAA compliant texting?
“HIPAA Compliant Texting” is a secure means of transmitting protected health information (PHI) by text message. There are a number of technical safeguards and procedural requirements that both a vendor (e.g. OhMD) and a covered entity (e.g. a medical practice) must adhere to.
HIPAA compliant text messaging is a way of transmitting PHI securely by text message. However, you must ensure sufficient technical safeguards for electronic communications are in place to reduce the possibility of a breach or data theft.
Text messaging often occurs between healthcare facilities and patients or among the members of the healthcare service. If the text message contains PHI data, all employees or involved parties must maintain its confidentiality, integrity, and security.
This is because standard SMS doesn’t meet HIPAA standards: messages are stored in plain text on the service provider’s server. This is a poor practice and a disaster waiting to happen. But you can still leverage the benefits of a fast and convenient method. The solution? HIPAA-compliant text messaging. Note, however, that not all communications related to health services are PHI.
To understand this better, let us consider examples of the everyday use cases of texting in the medical industry:
Example 1: Between healthcare calling services and physicians
Call centers or answering services that answer patient calls often use text messaging to relay their communication notes with a physician.
Example 2: Between co-workers of a third-party administrator
Let’s say you are a third-party administrator who stores or maintains patient data. You text your co-worker that you are taking a lunch break in the cafeteria for an hour. This isn’t PHI. But if you text a coworker that you will be in the cafeteria for an hour and are concerned for a certain patient in a certain ward, that is PHI.
When do you consider text messages HIPAA Compliant?
Whether you are a covered entity or a business associate, your text messaging is HIPAA-compliant when:
- You inform patients that text messaging is not secure, obtain their permission to use texts, and document their consent to SMS as a channel of communication
- You use text messages for communication only when the text does not contain any personally identifiable health information
- You implement adequate encryption and backup controls and safeguards to secure PHI transmitted via messaging apps
- You conduct regular risk assessments to identify and mitigate potential vulnerabilities in your business environment
- You use HIPAA-compliant software or servers that can be accessed only by authorized entities
- You have remediation policies in place to handle situations where the device used for transmission is lost or stolen
- The IT department securely removes all data from the device of a retired employee
- The device is set to automatically lock after a defined period of inactivity
- You report unencrypted text messages sent to an unintended recipient to the HIPAA security officer
- You set a message lifespan to auto-delete PHI data once it has served its purpose
- You remotely block or lock stolen devices
What are HIPAA rules for texting?
As already outlined, there are no formal guidelines on HIPAA-compliant texting with patients, but ePHI must be secured. As an organization processing patient data, you must implement safeguards to avoid data loss and legal issues.
Here are a few HIPAA rules for texting:
Enable Role Based Access
For mobile devices, those with access rights will have a passcode or password. If you use a computer or any system to send text messages, assign a unique user identification to log in and view data. If the smartphone or device used for texts is left unattended, its screen should automatically lock. All messages sent and received must be encrypted.
Implement Audit & Reporting Controls
Implement auditing and reporting controls to manage activities such as accessing and transmitting PHI. Process documentation empowers you to analyze, identify, and actively mitigate risks to PHI integrity. For systems used for text messaging, it allows you to examine data access records detailing which data was accessed, when it was accessed, the device used, and whether the data was changed. This is applicable to any platform or system that stores, manages, or processes PHI.
As per HIPAA, service providers working for covered entities are business associates by default. So if you use an app, ensure that the server is HIPAA compliant, stores data in encrypted form, and blocks unauthorized access. Standard SMS is not encrypted, and sending PHI through this medium is a HIPAA violation.
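To make the role-based access, audit-record and message-lifespan controls described above concrete, here is an added example of a small in-memory message store. It is illustrative code written for this article, not the product of any vendor named here, and every user, role, device id and message body in it is a constructed sample value; the PHI role policy and the audit field layout are assumptions chosen to match the controls the text lists (who accessed which message, when, from which device, and whether it was changed). The clock is injectable so that lifespan expiry can be exercised deterministically.

```python
from dataclasses import dataclass
import time


@dataclass
class AuditEntry:
    """One access record: which data, who, when, from which device, and whether it changed."""
    timestamp: float
    actor: str
    action: str          # "send", "read", "edit", "denied" or "purge"
    message_id: int
    device_id: str
    changed: bool


@dataclass
class Message:
    message_id: int
    sender: str
    recipient: str
    body: str
    created_at: float
    lifespan_seconds: int   # message lifespan after which PHI is auto-deleted
    contains_phi: bool


class FakeClock:
    """Deterministic clock for demos and tests (constructed helper, not a real-time source)."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SecureMessageStore:
    # Assumed policy for this example: only these roles may read PHI-bearing messages.
    PHI_ROLES = {"physician", "nurse", "answering_service"}

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can control "now"
        self._messages = {}
        self._roles = {}
        self._next_id = 1
        self.audit_log = []

    def register_user(self, user_id, role):
        self._roles[user_id] = role

    def _audit(self, actor, action, message_id, device_id, changed=False):
        self.audit_log.append(AuditEntry(self._clock(), actor, action, message_id, device_id, changed))

    def _expired(self, msg):
        return self._clock() >= msg.created_at + msg.lifespan_seconds

    def send(self, sender, recipient, body, device_id, contains_phi, lifespan_seconds=3600):
        if sender not in self._roles or recipient not in self._roles:
            raise ValueError("unknown user")
        msg = Message(self._next_id, sender, recipient, body, self._clock(), lifespan_seconds, contains_phi)
        self._messages[msg.message_id] = msg
        self._next_id += 1
        self._audit(sender, "send", msg.message_id, device_id, changed=True)
        return msg.message_id

    def read(self, user_id, message_id, device_id):
        msg = self._messages.get(message_id)
        if msg is None or self._expired(msg):
            return None   # an expired message behaves as if already deleted
        # Only the two parties may read, and PHI additionally requires an approved role.
        allowed = user_id in (msg.sender, msg.recipient) and (
            not msg.contains_phi or self._roles.get(user_id) in self.PHI_ROLES)
        if not allowed:
            self._audit(user_id, "denied", message_id, device_id)
            return None
        self._audit(user_id, "read", message_id, device_id)
        return msg.body

    def edit(self, user_id, message_id, new_body, device_id):
        msg = self._messages.get(message_id)
        if msg is None or self._expired(msg) or user_id != msg.sender:
            self._audit(user_id, "denied", message_id, device_id)
            return False
        msg.body = new_body
        self._audit(user_id, "edit", message_id, device_id, changed=True)
        return True

    def purge_expired(self):
        """Message lifespan: delete every message past its lifespan and record the purge."""
        purged = [mid for mid, m in self._messages.items() if self._expired(m)]
        for mid in purged:
            del self._messages[mid]
            self._audit("system", "purge", mid, "server", changed=True)
        return purged

    def access_records(self, message_id):
        """The audit trail for one message, in the order events occurred."""
        return [e for e in self.audit_log if e.message_id == message_id]


if __name__ == "__main__":
    clock = FakeClock(1_700_000_000.0)
    store = SecureMessageStore(clock)
    store.register_user("svc_01", "answering_service")
    store.register_user("dr_lee", "physician")
    store.register_user("front_desk", "scheduler")
    mid = store.send("svc_01", "dr_lee", "Pt in ward 3 reports chest pain",
                     "tablet-17", contains_phi=True, lifespan_seconds=900)
    print(store.read("dr_lee", mid, "phone-42"))       # body is returned and the read is logged
    print(store.read("front_desk", mid, "desk-01"))    # None: not a party, logged as "denied"
    clock.advance(901)
    print(store.purge_expired())                       # [1]: lifespan elapsed, PHI removed
    for entry in store.access_records(mid):
        print(entry)
```

The audit trail is what a reviewer would pull during a risk assessment or after a misdirected message: each entry answers the four questions the text lists, and a denied attempt is logged just like a successful read.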
Implement Technical Safeguards
Use backup controls in the cloud to recover original data if anyone with access changes or deletes it by accident or intentionally.
Create Passwords or Pins
Physicians and other healthcare workers must enter a pin or password to contact fellow workers or patients. Other methods include biometrics, fingerprint, facial recognition techniques, voice pattern, and more. Additionally, it is a good practice to avoid personal devices and use the organization’s assets.
HIPAA-compliant text messaging applications
HIPAA-compliant text messaging solutions facilitate secure texting. They implement safeguards like end-to-end encryption, access controls, strong firewalls, and more to satisfy HIPAA requirements. As a user, you can implement more controls in keeping with your organizational needs and remotely manage data.
While no single application is the “best” for secure text messaging, here are a few HIPAA-compliant text messaging apps you can consider:
Spok is a HIPAA-compliant text messaging app that facilitates seamless communication between internal staff members and patients.
- It integrates with provider directories or clinical systems and is deployable on smart devices or desktops
- It sends code alerts, patient updates, appointment requests, and more
- Users can securely transmit data like images, texts, and videos
- It provides real-time access to data for all connected devices
- The cloud-based call schedules appointments, eliminates paperwork, reduces communication delays, and connects to the right service provider through speed dial
The plan starts from $86.40 per year.
TigerConnect is a secure healthcare messaging solution that empowers healthcare workers to communicate efficiently.
- It is an end-to-end encrypted application
- Users can implement custom security controls, send messages to individuals or groups, and transmit images, videos, or voice recordings
- TigerConnect supports a message lifespan that auto-deletes texts after a set period
- It allows users to recall messages sent to the wrong person
TigerText pricing starts from $10.65 per month for both Android and iOS.
Symplr is a clinical communication, scheduling, and workforce management application. This is a HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH) compliant text messaging solution.
- It enables users to search for patient data, create follow-ups, view patient data from a centralized platform, and even message them securely
- It offers role-based messaging and community linking that sends messages to the right person
- Administrators can implement role-based teams for added flexibility
Symplr pricing starts at $99.00 per user per month.
QliqSOFT enables secure HIPAA-compliant texting with patients in real-time. It facilitates an effective and safe team collaboration.
- Users can send text, voice messages, videos, and capture consent signatures
- It archives messages behind a firewall, enables administrators to manage contact lists, and secures public-facing websites over HTTPS to ensure complete encryption
- Its data center is SOC 2 certified, does not store PHI in the cloud, and helps to ensure compliance with end-user reports
Notifyd is a HIPAA-compliant messaging application for nurses and clinicians.
- It implements multiple technical safeguards like file encryption, biometric authentication, and idle screen locking
- It does not store data on devices and secures accounts with strong passwords
- Users can create role-based authentication access and permission-based checks to prevent PHI disclosure to anyone outside the organization
The pricing starts from $0.83/month.
A HIPAA-compliant text messaging solution is one way to stay secure and keep legal hassles at bay. While text solutions encrypt your data and streamline communication processes, a comprehensive, security-first approach is a must to protect your business.
An effective way to close this gap is rigorous employee training on security best practices. Sprinto’s security training module covers the best practices for preventing security incidents and equips employees with the skills and information required for emergency fire-fighting in the event of a breach.
Sprinto offers a centralized platform to train all your employees and track their progress. With Sprinto you can also track your real-time compliance status by continuously monitoring your business environment with ease.
Talk to our experts today to discuss how Sprinto can make your HIPAA compliance journey a seamless process.
What makes text messages HIPAA compliant?
Text messages are HIPAA compliant if they do not contain PHI, or if they are encrypted, sent through a secure HIPAA-compliant server, and the patient has agreed to communicate via text.
Do we need to take patients’ consent before sharing PHI through texting?
Yes. You must take patients’ consent and discuss the risks of text messages, and document their consent before sharing PHI through text.
Should you avoid sharing PHI over text messaging?
Regular text messages are not encrypted. Anyone can easily steal or intercept them, so you should avoid this method for communicating PHI with patients.