HIPAA Secure Texting

New Guidelines for HIPAA Compliant Text Messaging

New regulations for HIPAA secure texting were issued in the Final Omnibus Rule of March 2013, to revise legislation formerly enacted in the Health Insurance Portability and Accountability Act 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act 2009 (HITECH), and to increase the level of security applied to protected health information.

The new HIPAA compliant text messaging guidelines aim to eliminate the compromise of protected health information (PHI) while sensitive data is being sent or received via SMS, or while it is stored on a mobile electronic device such as a smartphone, cell phone or tablet. Because PHI is sent both by staff members and by associated parties outside of the organization, the new HIPAA secure text messaging guidelines now apply to third-party service providers to the healthcare industry, also known as “business associates”.

The Risk of Protected Health Information Being Compromised

The risk of protected health information being compromised is of great concern to the Office of Civil Rights (a branch of the US Department for Health and Human Services). Since the Breach Notification Act was introduced in 2009, the Office of Civil Rights has recorded breaches of unsecured data affecting more than 22.8 million patient records.

According to figures published by the Center for Democracy and Technology, 66 percent of these security breaches were attributable to mobile electronic devices being either stolen or lost. As more than 80 percent of healthcare workers now use business-issued or personal mobile electronic devices to communicate with colleagues or to access stored patient health information (according to a survey by the Health Research Institute), the risk of protected health information being compromised is particularly high.

Issues Responsible for New HIPAA Secure Text Messaging Procedures

Several patient security issues were identified that prompted the new HIPAA secure text messaging procedures. Although these issues primarily related to unsecured information that was accessible when a mobile electronic device was stolen or lost, the new HIPAA secure texting guidelines also cover the transmission of unencrypted data over unsecured cellular networks or public Wi-Fi.

The new HIPAA compliant text messaging rules also “require appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information”. The failure to implement a HIPAA compliant text messaging policy could result in organizations and individuals being prosecuted by the Office of Civil Rights, or facing civil legal action from patients whose health information has been compromised.

What are the new HIPAA Secure Texting Rules?

The new HIPAA secure texting rules mostly focus on protecting patient privacy, but the Final Omnibus Rule also contains other procedural changes that all organizations and individuals should be aware of in the event that sensitive patient data stored on mobile electronic devices is compromised:

  • Organizations and individuals with access to protected health information have to amend their own HIPAA secure texting policy and, when a suspected security breach is identified, report it within 60 days.
  • Organizations are now obliged to conduct regular risk assessments to ensure they comply with the HIPAA secure texting regulations and attend to any potential breaches of protected health information.
  • These assessments extend to any employees or individuals who may be in breach of the HIPAA secure text messaging guidelines by saving text, voice, picture or video files that may contain protected health information on their device's local storage facility.
  • Individuals with access to protected health information should also be told to inform their supervisors should their mobile electronic devices be sold, lost or stolen, so that any sensitive data can be remotely removed.

Who do the HIPAA Secure Text Messaging Guidelines Apply To?

The new HIPAA secure text messaging guidelines aim to control who has access to protected health information, how it is stored on mobile electronic devices and how it is transmitted between authorized persons. These are usually employers who offer HIPAA-covered health insurance, health insurance companies who store employees' records on their database, and hospital workers and nursing staff who need to access patient data to provide the appropriate healthcare.

As third-party service providers (“business associates” or “vendors”) also require access to protected health information to efficiently conduct their business, they too are included in the new HIPAA secure texting guidelines, and they have a responsibility to ensure the integrity of secure patient data should they sub-contract their duties to another third party.