HIPAA Laws and Texting

New HIPAA Guidelines and Texting Practices

The Final Omnibus Rule of March 2013 introduced new HIPAA laws and texting practices to update the existing Health Insurance Portability and Accountability Act 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act 2009 (HITECH).

These new HIPAA rules and texting practices apply to healthcare workers, health insurance providers and employers who provide health insurance for their employees covered by HIPAA, and – for the first time – third-party service providers to the health insurance industry (also known as “business associates”).

Why the Concern about HIPAA Rules and Texting?

The new legislation was introduced to reduce the risk of personal health information being compromised during the sending or receipt of patient data via text messages, or while personal health information was stored on a mobile or portable device (tablet, smartphone, cell phone, etc.).

Studies had indicated that more than 80 percent of healthcare workers use mobile or portable devices to access personal health information and communicate with each other about their patients, while more recent research revealed that 66 percent of security breaches reported to the United States Department for Health and Human Services over the past two years were due to mobile devices being lost or stolen.

As the potential for personal health information breaches had increased significantly due to technological advances and changes in working practices since the original Health Insurance Portability and Accountability Act was brought into law in 1996, new HIPAA laws and texting practices were introduced to address issues that may not have been considered when the original Act was enacted almost two decades ago:

  • The changed HIPAA safeguards about texting identify the risk that sensitive information is compromised when mobile device owners access personal health information on their tablets or smartphones, or communicate with patients via text messages, over unsecured cellular networks or public Wi-Fi.
  • The revised HIPAA guidelines about texting address the lack of security on many mobile devices, as few mobile device owners use passwords to secure sensitive information stored on their mobile devices.
  • The new HIPAA rules about texting also deal with the fact that sensitive patient information transmitted by text to or from personal mobile devices is rarely encrypted. If unencrypted text messages are not deleted once they have been sent or received, any person who steals or finds the mobile device would have access to the personal health information stored on it.

It is important to note that the new HIPAA laws about texting “require appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information” and the failure to comply with the new legislation could result in criminal and/or civil charges being brought.

The number of personal health information breaches that have been recorded since 2009 is of particular concern to the Office of Civil Rights (part of the United States Department for Health and Human Services). The office has recorded security breaches affecting more than 22.8 million patient records and, as mentioned above, 66 percent of those were attributable to lost or stolen mobile devices.

What are the New HIPAA Safeguards about Texting?

The major issue that the new HIPAA safeguards about texting are intended to resolve is controlling who has access to personal health information, how it is communicated and how it is maintained securely when it is received on a mobile device. Business associates also need access to personal health information in the course of their business, which is why they have been included in the new HIPAA rules and texting regulations.

The new HIPAA laws and texting regulations focus primarily on protecting patient privacy, but there are also other regulations within the Final Omnibus Rule that all organizations and individuals who have access to personal health information should be conscious of, in the event that sensitive data appears to have been compromised:

  • The new HIPAA laws about texting ban the selling or marketing of personal health information without obtaining prior permission from patients.
  • Patients now have the right to withhold details of any healthcare they have financed privately from the insurance company that covers their health insurance policy.
  • Patients (and in certain cases the Office of Civil Rights) must be told within sixty days if a breach of personal health information is discovered which affects them.
  • Organizations have the responsibility to conduct periodic risk assessments to make sure that they comply with the HIPAA guidelines for texting.
  • Organizations and individuals with access to personal health information also have to amend their texting policies and reporting procedures when a suspected security breach is discovered.

Comply with the HIPAA Laws and Texting Guidelines

The most straightforward way of complying with the new HIPAA laws and texting guidelines is to have all mobile device users within your organization use the secure messaging platform from TigerText. TigerText's secure messaging platform is a cloud-based SaaS software application (“software as a service”) that requires no user training or complex integration before compliance with the HIPAA rules about texting is assured.

The TigerText platform allows organizations and individuals to send and receive text messages containing sensitive patient data via a secure virtual private network, which fully complies with the new HIPAA safeguards and texting guidelines and ensures the integrity of personal health information.

Furthermore, the TigerText secure messaging platform increases efficiency among individuals who use the network: it acts as a confirmation system, relaying when text messages have been received and read, which saves time on follow-up calls and secondary text messages between individuals who are using the system.