HIPAA Guidelines for Texting

The New HIPAA Messaging Guidelines

New HIPAA messaging guidelines were introduced in the “Final Omnibus Rule” of March 2013 which have implications for healthcare professions, health insurance companies and employers who provide HIPAA-covered health insurance to their employees.

For the first time ever, the HIPAA SMS guidelines also apply to “business associates” (vendors such as fund administrators, brokers and managers) who must now sign a Business Associate Agreement to access the patient health information they need to run their businesses efficiently.

The new HIPAA guidelines for texting became effective in September 2013 to allow sufficient time for organizations and individuals to revise their existing Business Associate Agreements and for policies and procedures to be revised
where necessary.

Why Were New HIPAA SMS Guidelines Needed?

New HIPAA SMS guidelines were needed to eliminate the risk of patient health information being breached during the transmission or receipt of sensitive data, or while such data was maintained on a mobile device (cell phone, tablet, smartphone etc.).

Research had shown that more than 80 of physicians use mobile devices to communicate with their patients or access patient health information, while a further study revealed that 66 percent of patient health information breaches were attributable to mobile devices being lost or stolen.

The potential for breaches of patient health information has increased significantly since the original Health Insurance Portability and Accountability Act was enacted in 1996, when issues such as the following may not have
been considered:

  • Few mobile device owners use passwords to protect sensitive information stored on their mobile devices. The lack of security on many mobile devices raises the risk of any patient health information stored on it to
    be compromised.
  • Sensitive data that has been transmitted or received on personal mobile devices is rarely encrypted. Consequently anybody who finds or steals the mobile device could access the information stored on it.
  • Mobile device owners who communicate with patients or transmit/receive patient health information are at risk of their communications being intercepted and compromised when they use public Wi-Fi or unsecured
    cellular networks.

Consequently the new guidelines for texting have brought the existing Health Insurance Portability and Accountability Act 1996 (HIPAA) up to date and revised the Health Information Technology for Economic and Clinical Health Act 2009 (HITECH) to account for advances in technology and changes in clinical work practices.

It is important to note that the HIPAA messaging guidelines “require appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic patient health information” and that the failure to comply with the HIPAA guidelines for texting can result in criminal and/or civil legal action.

What are the New HIPAA Guidelines for Texting?

Breaches of patient health information are of the biggest concern to the Office of Civil Rights (a branch of the US Department for Health and Human Services) who, since the Breach Notification Rule was introduced in 2009, has recorded breaches of patient health information affecting more than 22.8 million patients.

The major issue which is hoped to be solved by the introduction of new HIPAA SMS guidelines is to control who has access to patient health information and what they do with it – hence the new HIPAA guidelines for texting now also applying to business associates.

The focus of the HIPAA SMS guidelines is to protect patient privacy, but there are some other points within the Final Omnibus Rule that all organizations and persons who have access to patient health information should be aware of:

  • The new HIPAA guidelines for texting prohibit the marketing or selling of patient health information without getting permission beforehand from the patient.
  • Patients have the option of withholding details of any healthcare they have paid for privately from a health insurance company.
  • Organizations have to conduct risk assessments periodically to ensure that they comply with the latest HIPAA SMS guidelines.
  • Organizations and persons with access to patient health information should also amend their reporting procedures in the event that a suspected security breach occurs.
  • Patients (and in certain circumstances the Office of Civil Rights) must be notified within 60 days if a breach of patient health information is discovered.

How to Comply with the New HIPAA Messaging Guidelines

The simplest way of complying with the new HIPAA text messaging regulations is to take advantage of the secure messaging platform from TigerText. TigerText enables organizations and individuals to communicate via a secure virtual private network which fully complies with the new HIPAA messaging guidelines and ensures the integrity of patient health information.

TigerText´s secure messaging platform is a cloud-based software application which requires no hardware or training before users can start communicating via the program, and it also provides users with instant notification once messages have been received and read to save time on follow-up calls/SMSs to ensure that communications have been understood.

If you would like to know more about TigerText´s secure messaging platform – and how it complies with the HIPAA guidelines for texting – you are invited to download our white paper Top 7 HIPAA Omnibus Preparations Brief which will provide more information about both the Final Omnibus Rule of March 2013 and how you can avoid any unintended breach of patient health information.

  • Few mobile device users have password protection on sensitive information stored on the mobile devices. The lack of (applied) encryption on mobile devices raises the issue that any user of the device could access protected health information stored on it.
  • Typically, protected health information transmitted, received or maintained on personal mobile devices is not encrypted. Consequently anybody in possession of the mobile device could access the data stored on it.
  • Cell phones, smartphones and tablets that use public Wi-Fi or unsecured cellular networks to communicate with patients or transmit/receive protected health information are at risk of their communications being intercepted and compromised.

It is important to note that the HIPAA text messaging regulations contained within the Security Rule section of the Act “requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronically transmitted protected health information.”

How To Comply With The New HIPAA Text Messaging Regulations

The most secure way of complying with the new HIPAA text messaging regulations is to integrate the secure messaging platform from TigerText into your existing channels of communication. TigerText enables users to communicate via a secure virtual private network which fully complies with the new HIPAA text messaging regulations.

The TigerText secure messaging platform is a cloud-based software application which requires no hardware or installation before users can start using the program, and it quietly replaces existing channels of communication with an encryption process which ensures the integrity of protected health information.