HIPAA Compliance and SMS
The increased use of personal mobile devices by healthcare professionals to transmit and receive electronic protected health information (ePHI) raises the question “is SMS HIPAA compliant?”
Recent changes to the Health Insurance Portability and Accountability Act (HIPAA) resolved some of the confusion about HIPAA compliance and SMS, and this article aims to simplify and summarize those changes.
HIPAA Regulations Regarding SMS
The HIPAA regulations regarding SMS are fairly clear – if you are transmitting any form of ePHI, it should be done through a secure messaging system which complies with the HIPAA Privacy Rule.
The HIPAA Privacy Rule applies to providers of health plans (insurers and employers included), health care clearinghouses (including administrators and brokers), and to any healthcare professional who transmits ePHI – ePHI being defined as “any information about health status, provision of health care, or payment for health care that can be linked to a specific individual”.
There are eighteen different “identifiers” which could link specific information to an individual's identity. Even though these identifiers should be encrypted and stored in a secure database, should any of them be transmitted over an open cell phone network or over publicly accessible Wi-Fi, the sender would be in breach of the HIPAA regulations regarding SMS and face criminal and/or civil legal action.
When is an SMS HIPAA Compliant?
In order for an SMS to be HIPAA compliant, both the sender and the recipient should be authorized users of a secure messaging system which enables them to access and transmit ePHI as required. With a secure messaging platform, all messages are encrypted and do not carry the security risks associated with standard messaging systems, i.e. SMS. The secure messaging system must be capable of removing users and remotely deleting messages sent within the application in case a personal mobile device is lost, replaced or stolen. The application must also provide system administrators with the ability to gather audit logs, in line with best-practice policy for HIPAA compliance and SMS.
Further conditions that need to be fulfilled before an SMS is HIPAA compliant include:
- The secure messaging system must be able to prevent authorized users from saving ePHI to any external storage device including their personal mobile devices or desktop computers.
- Organizations must conduct frequent risk assessments to ensure the integrity of ePHI – especially when new working practices are introduced or as technology advances.
How to Comply with HIPAA Regulations regarding SMS
The use of standard texting or SMS in a healthcare setting makes it impossible to adhere to the HIPAA regulations regarding SMS, and the most practical way of dealing with these issues is to use a secure messaging system that encrypts all messages and maintains the confidentiality of your patients’ information.
Authorized users of secure messaging systems will find that sending secure text messages follows a process very similar to “regular” texting or SMS, and healthcare professionals should have no difficulty understanding how to use the system and how to attach documents (such as lab results) or images (of an injury) to their secure communications.
Pre-determined “message lifespans” can be set for communications containing ePHI so that they are deleted automatically when they are no longer required, and administrators can monitor HIPAA compliance and SMS via automatically generated read receipts and the previously mentioned audit logs.
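To make the controls listed above concrete (authorized users only, remote removal of a user and their messages, automatic message lifespans, and an administrator audit log with read receipts), here is an added, illustrative in-memory model; it is not code from the article or from any vendor's product, and the user names, clock values and message bodies are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    sent_at: float   # constructed clock in seconds, supplied by the caller
    lifespan: float  # seconds until automatic deletion

class SecureMessenger:
    def __init__(self) -> None:
        self.users: set = set()                    # currently authorized users
        self.messages: Dict[int, Message] = {}
        self.audit: List[Tuple[float, str, str, int]] = []  # (time, actor, event, msg_id)
        self._next_id = 1

    def authorize(self, user: str) -> None:
        self.users.add(user)

    def revoke(self, user: str, now: float) -> int:
        """Remove a user (lost or stolen device) and remotely delete their messages."""
        self.users.discard(user)
        gone = [i for i, m in self.messages.items() if user in (m.sender, m.recipient)]
        for i in gone:
            del self.messages[i]
            self.audit.append((now, "admin", "remote_delete", i))
        return len(gone)

    def send(self, sender: str, recipient: str, body: str, now: float,
             lifespan: float = 3600.0) -> Optional[int]:
        """Deliver only between authorized users; every attempt is audited."""
        if sender not in self.users or recipient not in self.users:
            self.audit.append((now, sender, "rejected", 0))
            return None
        msg_id, self._next_id = self._next_id, self._next_id + 1
        self.messages[msg_id] = Message(sender, recipient, body, now, lifespan)
        self.audit.append((now, sender, "sent", msg_id))
        return msg_id

    def read(self, user: str, msg_id: int, now: float) -> Optional[str]:
        """Enforce lifespans, then return the body if addressed to user (read receipt logged)."""
        for i in [i for i, m in self.messages.items() if now >= m.sent_at + m.lifespan]:
            del self.messages[i]
            self.audit.append((now, "system", "expired", i))
        m = self.messages.get(msg_id)
        if m is None or m.recipient != user:
            return None
        self.audit.append((now, user, "read", msg_id))
        return m.body
```

A real deployment would additionally encrypt message bodies at rest and in transit and block export to device storage, which this model does not show.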
Benefits of HIPAA Compliance and SMS
Addressing the question “is SMS HIPAA compliant?” has resulted in significant benefits for organizations, healthcare professionals and patients alike, with one study conducted by the Ponemon Research Institute concluding that hospitals could save on average $557,253 each year just on the time saved managing patient discharges by secure text messaging as an alternative to SMS.
Our own case studies have shown benefits attributable to secure messaging systems enabling time-saving access to PHI across various platforms and devices, resulting in doctors being able to receive PHI “on the go” by secure text messaging instead of SMS, technicians being able to deliver lab results more quickly with an SMS alternative, and nurse-to-doctor communications being enhanced by secure texting.
Secure communications which relate directly to a patient's healthcare can be uploaded automatically onto the patient's Electronic Medical Records (EMRs) – increasing efficiency within healthcare organizations – and these details can then be accessed remotely by emergency personnel, by medical facility staff, or when healthcare is being supplied in a home environment (provided the service providers are authorized to access the secure messaging system).