There have been changes to HIPAA regarding SMS texting of protected health information (PHI). Additionally, The Joint Commission recently lifted its ban on physicians texting patient orders. These changes to the regulations are aimed at protecting the integrity of PHI from the risks brought about by technological advancement and changes in clinical work practices. HIPAA regulations for SMS messaging apply not only to medical professionals but also to health insurance providers, health insurance clearinghouses, and any third-party service provider that has access to PHI.
A text message is considered HIPAA compliant only if it meets the technical, physical, and administrative conditions that are meant to prevent a breach of PHI. Some of these conditions include the following:
- There must be security measures implemented to prevent unauthorized access to PHI that is sent or received over public WiFi or open cell phone networks.
- There must be audit logs on systems created for ensuring compliance with HIPAA regulations, so that system administrators can monitor them.
- There must be system administrators who shall oversee the policies for complying with the regulations of HIPAA for SMS messaging.
- Messaging systems should have a safety feature that can remotely delete messages when they are sent to the wrong person or to a mobile device that is stolen, lost, or misplaced.
- There must be procedures created to ensure the security of ePHI, preventing it from being destroyed, altered, or saved to a hard drive or another mobile device.
- There must be security features to access PHI. Authorized users should be assigned unique names or numbers to confirm identity.
- Identified risks for unauthorized access to the server containing the PHI must be eliminated.
- Authorized users must be informed of the policies created in relation to HIPAA compliance. They must also be informed of the sanctions for any violation of these policies.
- Regular risk assessments should be done to make sure that authorized users are compliant with HIPAA regulations for SMS messaging.
Text messaging in healthcare
The growing use of mobile devices has paved the way for people to embrace texting as a fast way to communicate with others. The healthcare industry is no exception.
In a study conducted to evaluate the use of text messaging among pediatric hospitalists, researchers found that physicians were using SMS messaging as a brief way of communicating with others at work.
More than half of the respondents admitted that they sent and received work-related messages. Some of these respondents (30%) reported having received PHI via text, but only 11% admitted that their institution offered encryption software for text messaging. The biggest hurdle is that solutions currently on the market require opening another application on the phone to send encrypted messages with PHI.
Current SMS messaging such as iMessage from Apple does not meet HIPAA guidelines, but that is the ideal solution with the best experience. The medical community would like to use the native SMS messaging application on their phones for both personal messages and secure messages with PHI.
Will Apple or other device vendors create APIs for healthcare encryption vendors to tap into? Until then, there will always be a check-and-balance process for the healthcare entity to ensure it is meeting HIPAA criteria. I hope that the healthcare industry comes up with a solution that meets users' expectations, while not complicating secure texting.