Is Text Messaging HIPAA Compliant?

Keep Communication of PHI Compliant and Secure with Secure Texting

Recent changes to the Health Insurance Portability and Accountability Act 1996 have raised the question: is texting HIPAA compliant? The simple answer is that text messaging is HIPAA compliant under certain circumstances and provided that “administrative, physical and technical safeguards [exist] to ensure the confidentiality, integrity, and security of electronically stored or transmitted private health information.”

This article provides an overview of the safeguards required to ensure that any text messages sent, received or stored on a mobile device comply with the new HIPAA regulations. Know the answers to the question “is texting HIPAA compliant?”

Who Do the New Regulations Apply To?

The new HIPAA regulations apply to healthcare professionals, insurance companies that provide health insurance, employers who operate a HIPAA-covered healthcare scheme and any third-party service providers who have access to private health information.

All organizations have a duty to ensure that employees, brokers, administrators and sub-contractors conform to the new HIPAA regulations, to train all relevant members of staff on the procedures that should be used when communicating sensitive patients' data, and to educate them on the consequences of data breaches and HIPAA violations.

The failure to establish whether texting is HIPAA compliant in your particular environment, and comply with the new rules regarding HIPAA and data security, could result in criminal charges being brought by the Office of Civil Rights – or civil legal action being initiated by a patient – if sensitive private health information is compromised.

When is Texting HIPAA Compliant?

The revisions to the Health Insurance Portability and Accountability Act 1996 acknowledged that changes in workplace practices and technological advances meant that private health information is more commonly being communicated and accessed using mobile devices such as smartphones, cell phones and tablets.

The potential for data being compromised in the workplace or in places of public access is vast due to individuals using public Wi-Fi or open cell phone networks. There is also the risk that private health information could be compromised when a mobile device is stolen, lost or sold, and consequently texting is only HIPAA compliant when the following conditions are met:

  • When organizations that maintain private health information have developed processes and procedures to control who has access to private health information and how it is used.
  • When risk assessments have been periodically conducted to identify any threat to the integrity of sensitive patient data and procedures have been established to address any breach that may occur.
  • When encryption and physical data protection are in place for individuals who use their personal mobile devices to communicate private health information or to access sensitive patient data in the course of their work.
  • When policies are in place to cover the scenarios in which mobile devices are lost or stolen, or if the owner wishes to dispose of their mobile device, so that private health information can be deleted remotely (¹).
  • When a system has been put in place to ensure that private health information cannot be maintained on the local storage facility of mobile devices used by employees and sub-contractors.

(¹) When private health information has been breached, but the encrypted data can be deleted remotely, it will not be necessary to notify the patient or Office of Civil Rights provided that the data is removed in a timely manner.

Keeping Text Messaging HIPAA Compliant

Keeping text messaging HIPAA compliant is done by “secure texting” – a process in which encrypted messages are transmitted from a secure server which stores all sensitive data locally, and which prevents the cell phone network that carries the message from keeping a copy. Secure messages can be accessed at any time in any location where there is an Internet connection, unless they have been programmed to expire automatically or recalled to protect the integrity of private health information.

The owner of the mobile device can still use their smartphone, cell phone or tablet to access personal SMS messages, emails and social media communications but, to keep text messaging HIPAA compliant, sensitive information will be sent and received using the secure virtual private network. Compliance with HIPAA is assured, as a secure texting administrator has the option to remove a user from the network, and delete any sensitive data they may have had access to, if a risk to the security of private health information is identified.

How TigerText Keeps Texting HIPAA Compliant

TigerText's secure messaging platform keeps text messaging HIPAA compliant by using a secure, cloud-based application, which does not require the download of any software to operate and is simple to use. Most employees or sub-contractors will be able to text and stay HIPAA compliant without any training on how to use the application – although it is still vital that they are educated about the consequences of failing to protect the integrity of private health information.

The TigerText secure messaging system meets all the criteria required to use text messaging and be HIPAA compliant at the same time, and offers additional benefits which can increase the efficiency of the professionals in your work environment:

  • TigerText offers the facility for multiple users to collaborate, so that a team of healthcare professionals could all be involved in a single discussion despite being miles apart.
  • Efficiency within an organization can be increased when TigerText is used on personal mobile devices to eliminate waiting times before personnel log into messaging accounts.
  • The use of TigerText on personal mobile devices also eliminates delays while personnel find an available workstation to access messages or the private health information they require.
  • With TigerText's message read receipts, it is no longer necessary to follow up with message recipients to see if messages have been received and read.
  • Administration controls and usage reports help maintain control over the flow of private health information and ensure compliant usage by all personnel – again saving time and increasing efficiency.