With every rose, however, there is a thorn. And texting’s thorn is the threat of HIPAA violations when transmitting protected health information (PHI). HIPAA does not expressly prohibit texting to communicate health information, but it does require a system of physical, administrative, and technological safeguards that ensure the privacy and security of PHI communicated through texts. In other words, texting can be an acceptable form of communication between providers (and even providers and their patients), but only if appropriate precautions are taken.
Traditional SMS text messages (the kind sent from one mobile device to another) are generally insecure for several reasons:
- They lack encryption;
- It is easy to send a text to an unintended recipient (i.e., wrong number);
- Wireless carriers may retain message and usage data on their servers;
- Because text messages are sent and received in “plain text”, they may be intercepted and read by third parties; and
- Phones containing stored messages may be lost or stolen.
Realizing the risks that traditional text messaging presents in the health care setting, some companies have created so-called “HIPAA-compliant,” secure text messaging applications. Doc Halo, TigerText, and Sprint Enterprise Messenger are just a few examples. Promoting these apps as “HIPAA-compliant” is a dangerous assertion because, as noted above, HIPAA compliance is a system of safeguards – not one feature of a particular app or device. If covered entities do approve staff and provider text messaging (whether internally, with patients, or both), the risks must be considered as part of the organization’s HIPAA compliance analysis. Check back for more information on how to evaluate the pros and cons of texting in the health care industry.
McBrayer, McGinnis, Leslie & Kirkland, PLLC