Top Facts about HIPAA Texting
The Health Insurance Portability and Accountability Act (HIPAA) came into being in 1996 with the purpose of ensuring the privacy of data and safeguarding medical information through a set of security provisions. Its three core provisions relate to portability, integration with Medicaid, and simplification of the administration of the Act. Ever since the technology of Short Messaging Service (SMS) was introduced into healthcare, rules relating to what should be sent and how have become a very important component of HIPAA.
There is a misconception that texting is not allowed in HIPAA. Texting is not prohibited under HIPAA, which means that anyone can send text messages about health information. However, one of the top facts about HIPAA texting is that there are reasonable restrictions relating to what should be sent in text format and how. The core objective for HIPAA is to safeguard the integrity of Protected Health Information (PHI) and ensure that it complies with the provisions set out in HIPAA. The laws regarding this are set out in the Privacy and Security Rules.
Why is texting an issue under HIPAA?
If the Department of Health and Human Services, which administers HIPAA, is so clear in its goal, why is there any confusion at all about the provisions relating to texting? This question needs to be put in perspective: A good part of the confusion relating to SMS under HIPAA is attributed to facts that are inherent with the concept of short messaging services:
o Most apps, which healthcare professionals rely on heavily to send PHI, are open and don’t have login and logoff requirements
o The accountability for messages’ origin is very low in SMS since senders have little control over the origin and receipt of messages by SMS
o Identity is a major concern in SMS because anyone who uses somebody else’s phone could send messages
o There is very little trackability of stolen or damaged cellphones that could transmit PHI.
Other sources of confusion
In addition to this, complex legalese used in this text compounds the confusion about HIPAA. In fact, among the top facts about HIPAA texting is that HIPAA does not explicitly mention the word SMS or texting at all; SMS is covered under the rules set out under the broad heading of electronic communication.
This has led to confusion in many cases because rules that apply to certain kinds of electronic communication do not apply to others. Texting is a classic instance of this ambivalence. Since HIPAA has framed very broad guidelines to cover all electronic communication; some of its definitions of phrases are open to subjective interpretation.
Resort to the Privacy and Security Rule
It is to avoid scenarios such as these that healthcare providers who come under HIPAA regulations need to get a thorough understanding of how to safeguard patient information while texting.
The basis for preventing being hauled up by the HHS for privacy violations while texting patient information should be an understanding of what texting HIPAA considers a violation of its Privacy and Security Rule. Business Associates and their Covered Entities, who are required to comply with HIPAA, need to be guided by the HIPAA Security Rule, which defines all the elements of texting including:
o Access controls
o Audit controls
o Transmission security mechanisms when PHI is being transmitted electronically
o Methods for ID authentication
o Integrity controls
Another of the top facts about HIPAA texting is that the HIPAA Privacy and Security Rule considers any message containing PHI that is sent in standard, non-encrypted, non-controlled and non-monitored SMS or IM as violation of its requirements.
Secure Messaging Solutions are the answer
The most viable and acceptable solution is to resort to secure messaging for sending PHI. These are some of the ways by which a Secure Messaging Solution can ensure the security of PHI sent by a HIPAA entity while messaging:
o It encapsulates PHI within a private communications network. This network can be accessed only by authorized users
o Access is through a secure gateway which makes it easy to track and prevent misuse
o SMS containing PHI cannot be sent to email addressed outside the communications network
o After a period of inactivity for a set period of time on the app, it logs off automatically
o Copying and pasting any information contained in the PHI, as well as the feature of saving the data into a hard drive is disabled.
Date Posted: 29 Nov 2018