Why Were New HIPAA SMS Guidelines Needed?
New HIPAA SMS guidelines were needed to eliminate the risk of patient health information being breached during the transmission or receipt of sensitive data, or while such data was maintained on a mobile device (cell phone, tablet, smartphone etc.).
Research had shown that more than 80 percent of physicians use mobile devices to communicate with their patients or access patient health information, while a further study revealed that 66 percent of patient health information breaches were attributable to mobile devices being lost or stolen.
The potential for breaches of patient health information has increased significantly since the original Health Insurance Portability and Accountability Act was enacted in 1996, when issues such as the following may not have been considered:
- Few mobile device owners use passwords to protect sensitive information stored on their mobile devices. The lack of security on many mobile devices raises the risk that any patient health information stored on them will be compromised.
- Sensitive data that has been transmitted or received on personal mobile devices is rarely encrypted. Consequently, anybody who finds or steals the mobile device could access the information stored on it.
- Mobile device owners who communicate with patients or transmit/receive patient health information are at risk of their communications being intercepted and compromised when they use public Wi-Fi or unsecured cellular networks.
Consequently, the new guidelines for texting have brought the existing Health Insurance Portability and Accountability Act 1996 (HIPAA) up to date and revised the Health Information Technology for Economic and Clinical Health Act 2009 (HITECH) to account for advances in technology and changes in clinical work practices.
It is important to note that the HIPAA messaging guidelines “require appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic patient health information” and that the failure to comply with the HIPAA guidelines for texting can result in criminal and/or civil legal action.