There has been much confusion regarding the texting of Protected Health Information. We hope to clarify this situation with a review of recent statements from HHS and the Technical Safeguards of the HIPAA Security Rule and demonstrate that under appropriate circumstances texting is not in violation of HIPAA.
Under most circumstances it is permissible to text provided that the content of the message does not contain “personal identifiers”. Unfortunately this can be rather limiting. The Office for Civil Rights (OCR), which has HIPAA oversight, did not produce guidance on texting protected health information for a long time, which frustrated healthcare providers.
Emailing Patients
In 2013, the HIPAA Omnibus Final Rule allowed healthcare providers to communicate Electronic Protected Health Information (ePHI) with patients through unencrypted email as long as the provider adheres to the following:
- The patient recognizes the email service is not secure,
- The patient is advised of the risk of unsecured email,
- The provider documents the patient’s consent.
The Rule did not address text messaging.
Text Messaging Patients
At a HIMSS health IT conference in 2018, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), said that health care providers may share Protected Health Information (PHI) with patients through standard text messages.
To do so providers must:
- warn their patients that texting is not secure
- gain the patients’ authorization
- document the patients’ consent
The 2013 OCR guidance for e-mails, and Severino’s announcement about text messages, only apply to communications with patients. All HIPAA Covered Entities and Business Associates are still forbidden to use unsecured communication tools to communicate with each other.
Communicating with Healthcare Team
In order to communicate safely with other covered entities or business associates there must be appropriate safeguards in place. These are spelled out in the Technical Safeguard section of the Security Rule. Most of the safeguards mentioned are necessary to ensure safe texting of PHI. An organization must consider each of the following to be able to text PHI safely.
- First, the organization must “assign a unique name and/or number for identifying and tracking user identity.” A unique user identifier allows an entity to track specific user activity when that user is logged into an information system.
- All apps that give access to PHI must have an automatic logoff that “terminates an electronic session after a predetermined time of inactivity.” This prevents unauthorized individuals from accessing the PHI if the app is left open.
- The Rule states that where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must “implement a mechanism to encrypt and decrypt electronic protected health information.” In most circumstances today it would be reasonable to apply this safeguard. The use of encryption can be very helpful.
- The HIPAA Security Rule requires that covered entities and their business associates implement comprehensive audit controls that “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” There must also be reporting procedures to document and review activity related to the use of PHI.
- An entity must protect the integrity of PHI during transmission, so that “the data that is sent is the same as the data received”.
- There must also be a mechanism to authenticate electronic protected health information. It is reasonable to implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
- There must be person or entity authentication by “implementing procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
- Integrity controls are measures “to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
- Finally, there should be transmission security using “security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
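The following is an added example, not code from the original article or from any vendor it mentions. It models a minimal PHI texting gateway that exercises several of the technical safeguards listed above: unique user identifiers, person or entity authentication, automatic logoff after inactivity, audit controls, and an integrity check on each transmitted message (an HMAC-SHA256 tag verified with a constant-time comparison). Encryption of the message payload is assumed to be provided by the transport and is not modelled. The class and function names, the 300-second timeout, the user names and the sample message are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

INACTIVITY_TIMEOUT = 300  # seconds of idle time before automatic logoff (assumed policy value)


class PhiTextGateway:
    """Minimal model of a messaging gateway enforcing several technical safeguards."""

    def __init__(self, transport_key: bytes):
        self._transport_key = transport_key  # key shared with the peer gateway (assumed setup)
        self._users = {}      # user_id -> (salt, password_hash)
        self._sessions = {}   # user_id -> timestamp of last activity
        self.audit_log = []   # audit controls: (timestamp, event, user_id, detail)

    def _audit(self, event, user_id, detail="", now=None):
        self.audit_log.append((now if now is not None else time.time(), event, user_id, detail))

    # Unique user identification: every user gets an identifier that is never reused.
    def register_user(self, password: str) -> str:
        user_id = "u-" + secrets.token_hex(4)
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user_id] = (salt, pw_hash)
        self._audit("register", user_id)
        return user_id

    # Person or entity authentication: verify the caller is the user claimed.
    def login(self, user_id: str, password: str, now: float) -> bool:
        record = self._users.get(user_id)
        if record is None:
            self._audit("login_failed", user_id, "unknown user", now)
            return False
        salt, pw_hash = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            self._audit("login_failed", user_id, "bad password", now)
            return False
        self._sessions[user_id] = now
        self._audit("login", user_id, now=now)
        return True

    # Automatic logoff: a session idle longer than the timeout is terminated.
    def _require_session(self, user_id: str, now: float) -> None:
        last = self._sessions.get(user_id)
        if last is None:
            raise PermissionError("no active session")
        if now - last > INACTIVITY_TIMEOUT:
            del self._sessions[user_id]
            self._audit("auto_logoff", user_id, now=now)
            raise PermissionError("session expired after inactivity")
        self._sessions[user_id] = now  # activity extends the session

    # Integrity of transmitted PHI: tag each message so the receiver can confirm
    # that what was sent is what was received.
    def send(self, user_id: str, recipient: str, text: str, now: float) -> dict:
        self._require_session(user_id, now)
        body = f"{user_id}|{recipient}|{text}".encode()
        tag = hmac.new(self._transport_key, body, hashlib.sha256).hexdigest()
        self._audit("send", user_id, f"to={recipient}", now)
        return {"from": user_id, "to": recipient, "text": text, "tag": tag}

    def receive(self, msg: dict, now: float) -> bool:
        body = f"{msg['from']}|{msg['to']}|{msg['text']}".encode()
        expected = hmac.new(self._transport_key, body, hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, msg["tag"])
        self._audit("receive" if ok else "integrity_failure", msg["to"], f"from={msg['from']}", now)
        return ok


def demo() -> dict:
    """Walk through the safeguards with constructed data and return what was observed."""
    key = secrets.token_bytes(32)
    sender, receiver = PhiTextGateway(key), PhiTextGateway(key)
    uid = sender.register_user("correct horse battery staple")
    t0 = 1_700_000_000.0
    results = {"bad_password_rejected": not sender.login(uid, "wrong", t0)}
    sender.login(uid, "correct horse battery staple", t0)
    # Constructed sample message; the record number is fictitious.
    msg = sender.send(uid, "dr-jones", "Lab result for MRN 000123 is ready", t0 + 10)
    results["intact_accepted"] = receiver.receive(msg, t0 + 11)
    tampered = dict(msg, text="Lab result for MRN 000999 is ready")
    results["tampered_rejected"] = not receiver.receive(tampered, t0 + 12)
    try:
        sender.send(uid, "dr-jones", "follow-up", t0 + 10 + INACTIVITY_TIMEOUT + 1)
        results["auto_logoff"] = False
    except PermissionError:
        results["auto_logoff"] = True
    results["audit_events"] = [entry[1] for entry in sender.audit_log]
    return results
```

Running `demo()` shows a failed login, an accepted intact message, a rejected altered message and an automatic logoff, each of which leaves a corresponding entry in the sender's audit log that a reviewer can later examine.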
By following the above guidelines from the Security Rule, an organization that uses text messaging can be assured that it is in compliance with HIPAA and is not creating a violation. Presently there are several vendors that can provide healthcare organizations a platform which will safely allow the texting of PHI. In addition there are many applications available that will allow entities to safely email PHI to the intended organization.
Computerized Provider Order Entry
Regardless of the platform, CMS prohibits the practice of texting of patient orders. The provider is not in compliance with the Conditions of Participation or Conditions for Coverage if he or she texts patient orders to a member of the care team. Providers should opt for the use of Computerized Provider Order Entry (CPOE) as the preferred method of order entry. CMS insists that a physician or Licensed Independent Practitioner (LIP) should enter orders into the medical record via a handwritten order or via CPOE. When using this system, orders are immediately downloaded into the provider’s electronic health records (EHR). Moreover, this method is preferred as the order would be dated, timed, authenticated and promptly placed in the medical record.
In summary, it is possible to use unsecured text messaging with patients as long as the appropriate arrangements are made between both parties. The same applies to email messaging. If an organization wants to send PHI to a covered entity or business associate, following the guidelines noted in the Security Rule will ensure compliance with HIPAA.