The answer to the question “is texting a violation of HIPAA” is more complicated than a straightforward “yes” or “no”. Texting between healthcare professionals has become an everyday event due to the convenience and speed at which data can be sent and received on personal mobile devices, but whether or not a text message is in compliance with HIPAA depends on what is contained within the message and how it is communicated.
The HIPAA Security Rule lists a number of personal “identifiers” relating to a patient's healthcare or healthcare payments, which should be maintained in encrypted form on a secure server and only ever communicated within a private network by authorized users.
Procedures must be established so that texting between healthcare professionals is monitored, and mechanisms introduced to retract and delete messages that could result in a breach of electronic protected health information (ePHI). Finally, policies must be developed and implemented so that employees are given guidelines to avoid texting in violation of HIPAA.
Secure messaging solutions help avoid texting in violation of HIPAA by only allowing authorized users access to the data via a secure and encrypted mobile application or secure web portal, once they have authenticated their ID with a unique username and password.
Once they are logged in, the communication of ePHI is straightforward. The application for secure messaging has a text-like interface to help clinical staff easily integrate the solution into their daily workflow. Texting via a secure messaging application is just as convenient and quick as standard text messaging, with the primary difference being that the ePHI in transit remains within the defined private network and is unlikely to be compromised.
Nonetheless, it is vital that texting between healthcare professionals is monitored, and the secure messaging solution automatically produces access reports and audit logs to enable system administrators to monitor activity and reduce the risks of an ePHI breach. Should a potential breach be discovered, the administrator has the ability to remotely remove any authorized user from the system or retract any communicated message for further security.
Finally, healthcare organizations must develop best practice secure messaging policies to guide employees on the correct use of the secure messaging solution and to advise them of the sanctions that could be imposed if an individual conducts texting in violation of HIPAA. The secure messaging policies should be reviewed frequently – and amended as necessary – to address changes in the way mobile devices are used in a healthcare environment, and whenever a potential breach of ePHI is identified.
Because of the complexity of the HIPAA Security Rule, we have compiled a free white paper – “Top 8 Secure Messaging Policy Best Practices” – which provides advice on the best practices that should be included in secure messaging policies to ensure the security of all “identifiable” patient information sent or received via a mobile device. We also recommend guidelines for overseeing usage of the solution and integrating a secure messaging policy into existing organizational policies.
You are welcome to contact us with any questions you may have about “when is texting a violation of HIPAA”.