Texting Protected Health Information
How do you handle texting in your organization?
There are two different types of texting. The first is what we usually do with our phone and carrier, also known as Short Message Service (SMS). This is the default messaging app on our phones that many people use to send and receive texts every day, and it is not secure. It should never be used to send ePHI.
The second type is app based and is used by healthcare providers (mostly doctors and nurses) to communicate with one another about patient care. It can also be used by providers to communicate with patients, and it is secure, provided certain requirements are met.
To be HIPAA compliant, secure texting needs to meet certain technical standards:
- Encryption of message data in transit and at rest
- Reporting/auditability of message content
- Passcode enforcement
- Permissions management capabilities
If safeguards like these are in place, PHI can be sent with a minimum of risk. Because SMS is an unencrypted channel, one might presume an entity cannot send PHI over it. This is actually not true, because encryption is not mandated by the Security Rule.
Healthcare organizations must determine whether encryption is a reasonable and appropriate safeguard for protecting PHI. If the covered entity does not deem encryption reasonable and appropriate, it is possible to use alternative safeguards.
In 2013 the HIPAA Omnibus Final Rule allowed healthcare providers to communicate PHI with patients through unencrypted e-mail as long as the provider does the following:
- Warn their patients that texting is not secure
- Gain the patient’s authorization
- Document the patient’s consent
This did not clear providers to communicate PHI to one another using unencrypted e-mail. Notably, the rule did not mention SMS, which is somewhat frustrating since SMS is the most widely adopted communication channel. Some interpret the rule as applying to SMS as well, because both are unencrypted electronic channels. Others want more clarity.
At a Health Information Management Conference in March 2017, the OCR director said healthcare providers could text message their patients with PHI. However, the provider must warn the patient that texting is not secure. In addition, the provider must obtain and document the patient's authorization to receive texts.