PHI and HIPAA Compliance for Text Messaging

How to Make Text Messaging of PHI HIPAA Compliant

Regulations relating to safeguarding the integrity of PHI and HIPAA compliance for text messaging were enacted within the Health Insurance Portability and Accountability Act (HIPAA) in 2013. These new regulations were introduced to reduce the number of PHI breaches being reported to the US Department of Health and Human Services Office for Civil Rights, which were mostly attributed to the increased use of personal mobile devices in the workplace.

The new regulations not only increase the security and privacy levels that have to be adhered to, but widen the scope of the Act to include associates, subcontractors and third-party service providers to the healthcare industry. This article summarizes some of the new legislation, who it applies to and the policies that should be introduced in order that the text messaging of PHI is HIPAA compliant.

The Rules for Texting PHI in Compliance with HIPAA

The rules for texting PHI in compliance with HIPAA “require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to PHI.” The “policies and procedures” fall into three categories – physical, technical and administrative.

Policies and Procedures for Texting PHI

Physical Requirements

The physical requirements for texting PHI in compliance with HIPAA include that PHI is encrypted both in-transit and at-rest and access to the information is only granted to authorized personnel with designated and unique user IDs. Those with access are not allowed to remove or save the data to an external hard drive (such as a desktop computer or personal mobile device) and have to adhere to policies introduced to safeguard the integrity of PHI and HIPAA compliance for text messaging.

Technical Requirements

In order for the text messaging of PHI to be HIPAA compliant, messaging systems introduced to enable texting PHI in compliance with HIPAA must be able to remotely delete text messages in the event that they are sent to the wrong person or when an authorized user's mobile device is stolen, lost or otherwise misplaced. They must also secure against the unauthorized interception of messages that are transmitted over an open cell phone network or received over Wi-Fi.

Administrative Requirements

The administrative requirements for safeguarding the integrity of PHI and HIPAA compliance for text messaging revolve around creating privacy and security policies which instruct authorized personnel on the best practices for the text messaging of PHI so that it is HIPAA compliant. Administrators should also oversee the use of a text messaging system (through audit logs) and review existing policies to account for changing work practices, technological advances and revised legislation.

Who do the Rules Apply To?

In addition to enacting regulations with regard to safeguarding the integrity of PHI and HIPAA compliance for text messaging, the scope of the Act has also been extended to include associates, subcontractors or any third-party service provider that has access to PHI. Consequently, any healthcare organization engaging the services of an associate, a subcontractor or a third-party service provider now must have them sign a BA, mandating regulations to safeguard PHI and help further prevent breaches from their contracted providers.

If a breach of PHI occurs due to the associate violating the terms of the contract, having the ability to remove users from the system and remotely delete text messages will enable the healthcare organization to avoid a fine of up to $50,000 provided the compromised data is retrieved from the associate in good time.

The TigerText Solution for Texting PHI in Compliance with HIPAA

TigerText's secure texting solution allows authorized personnel to access PHI through a secure closed network on most mobile devices or via the web.

The secure texting system meets all the physical and technical requirements to safeguard the integrity of PHI and HIPAA compliance for text messaging, and automatically generates audit logs to assist administrators with their obligations under the administrative requirements.

The secure texting system has been purposefully developed to function in much the same way as SMS messaging in order that users will have no difficulty in operating within the system and adhering to “best practice” policies that are introduced for texting PHI in compliance with HIPAA.

Creating Policies so that the Text Messaging of PHI is HIPAA Compliant

One of the most important considerations for the HIPAA compliant text messaging of PHI is to create best practice policies which authorized users will understand and adhere to. This is often difficult in a medical environment where so many other policies already exist.

Consequently, we have compiled a white paper, “Top 8 Secure Messaging Policy Best Practices”, which you are invited to download and read to assist with the creation of policies for texting PHI in compliance with HIPAA that will complement company policies already in place.

Our white paper provides information about developing a policy so that the text messaging of PHI is HIPAA compliant and suggests eight components that should be included in the implementation and usage of a secure texting solution. We believe you will find it an invaluable asset in safeguarding PHI and HIPAA compliance for text messaging.