SMS-Messaging Patients is Easy – But is it HIPAA Compliant?

  • Mr. Bedman, a new homecare patient, isn’t feeling well.  So his daughter texts a nurse at his physician’s office.

  • The nurse texts back with questions about symptoms and activity levels, and receives a reply prompting the nurse to consult with the doctor.

  • After a few moments the nurse returns a text to the daughter with instructions and a medication dosage change.

  • The following morning the nurse texts the daughter once again to follow up with the patient’s condition.

And just like that, everyone caring for Mr. Bedman is kept in the loop with a few quick texts: no phone tag, no lengthy delays in response times, and information is passed on with a few keystrokes and taps. Both the daughter and the patient appreciate the instant support that simple SMS text messaging provides when they need medical help.

Medical professionals also attribute better patient compliance with care plans, and therefore better outcomes, to the immediate attention patients receive through text messages. Texting may even reduce emergency room visits and hospital stays, because early intervention can head off a health condition before it escalates into a 911 call. So it is no wonder that so many healthcare workers have used their personal devices to send or receive patient information, even to and from the patients themselves.

But is Texting HIPAA Compliant?

Is there a HIPAA compliance problem when sending SMS texts from our phones?

Yes.  Remember that the government treats any communication about a patient's care or condition that is tied to a patient identifier, such as a person's name, as electronic protected health information, or ePHI.  "SMS" stands for "short message service", not "secure message service". From the regulator's point of view, the problem with texting is that it is not secure:

  • There is no way to verify that the person who read the text was the intended recipient; SMS authenticates nothing beyond the phone number it was sent to.
  • Messages cannot be prioritized or separated from non-work-related texts.
  • The text, including anything written in or attached to it, travels through the carrier network without end-to-end encryption and is stored on handsets and carrier servers outside the healthcare provider's control, where others can read or intercept it.

All of these issues are red flags under the HIPAA regulations, and penalties are steep:  up to $50,000 per violation (each day a violation continues counts as a separate violation), up to a maximum of $1.5M per calendar year for violations of the same provision.

Texting in violation of HIPAA is a major problem for healthcare organizations according to the HIPAA Journal. Healthcare organizations that ignore texting in violation of HIPAA can also face civil lawsuits from the patients whose data has been exposed if the breach results in identity theft or other fraud.

In our homecare scenario above, how many potential violations do you count?

Not All Texting is Out of Compliance, But...

Fortunately not all texting constitutes a violation of HIPAA, whether between medical professionals or with the patients themselves. But policies and systems must be put in place to protect ePHI from a data breach or unauthorized access. In essence, texting patients must take into account at least the following overarching safeguards:

  1. Messages must be encrypted automatically, in transit and at rest, to a standard recognized by HHS guidance (which points to NIST publications for acceptable encryption), so that unauthorized parties cannot read the ePHI. The encryption must work across every platform in use, including desktop computers, tablets, iOS and Android phones, and whatever device the patient is using.
  2. Administrators must be able to remotely lock the secure messaging app and wipe its messages if a phone is lost or stolen, and that applies to a patient's or caregiver's personal phone as well. A general-purpose SMS service offers no such control, which is why the workflow should run through a secure messaging app rather than plain SMS. (HHS guidance does allow a patient who has been warned of the risks to ask for unencrypted communication, but that request should be documented, and it does not make plain SMS acceptable for communication among staff.)
  3. The system or app used for texting, like every other system holding ePHI, must have audit controls so that administrators (and, when required, regulators) can reconstruct what happened to the ePHI: where it resides, who accessed it and when, and how and when any breach was detected.

It’s Not Enough to Say, “I’ll text you.”

The three safeguards above are only the skeleton of HIPAA-compliant text messaging. The real work is in the policy and usage details, which can be lengthy and will vary from one healthcare organization to the next.

✓  As with other HIPAA standards, procedures, documentation and training must be addressed.

✓  Several policies must be written for both the medical team and the patients/caregivers.

✓  A great many decisions must be made about the texting app, its settings and how it is used.

Don’t be afraid to incorporate texting into your systems and practice. Besides the fact that text messaging is now how most people prefer to communicate, there is a definite advantage to incorporating text messaging into patient care and communication. Health information can be shared, the physician/patient interaction can be enhanced and outcomes can be improved at relatively little cost, and it is all done quickly and easily.

Just make sure you receive the full benefits of text messaging patients without the fear of HIPAA violations and penalties. Let BSC Systems do the due diligence your organization needs to do this correctly and efficiently.