The increased use of personal mobile devices by healthcare professionals to transmit and receive electronic protected health information (ePHI) raises the question “is SMS HIPAA compliant?”
Recent changes to the Health Insurance Portability and Accountability Act (HIPAA) resolved some of the confusion about HIPAA compliance and SMS, and this article aims to simplify and summarize those changes.
The HIPAA regulations regarding SMS are fairly clear – if you are transmitting any form of ePHI, it should be done through a secure messaging system which complies with HIPAA Privacy Rule.
The HIPAA Privacy Rule applies to providers of health plans (insurers and employers included), health care clearinghouses (including administrators and brokers), and to any healthcare profession who transmits ePHI – ePHI being defined as “any information about health status, provision of health care, or payment for health care that can be linked to a specific individual”.
There are eighteen different “identifiers” which could link specific information to an individual´s identity and, even though these identifiers should be encrypted and stored in a secure database, should any of them be transmitted over an open cell phone network or in an area of publicly-accessible Wi-Fi, the sender would be in breach of the HIPAA regulations regarding SMSs and face criminal and/or civil legal action.
In order for an SMS to be HIPAA compliant, both the sender and the recipient should be authorized users of a secure messaging system which enables them to access and transmit ePHI as required. With a secure messaging platform, all messages are encrypted and do not have the security risks associated with standard messaging systems, aka SMS. The secure messaging system must be capable of removing users and remotely deleting messages sent within the application in case a personal mobile device is lost, replaced or stolen. The application must also provide system administrators with the ability to gather audit logs to adhere to best practices policy for HIPAA compliance and SMS.
Further conditions that need to be fulfilled before an SMS is HIPAA compliant include:
The use of standard texting or SMS in a healthcare setting makes it impossible to adhere to the HIPAA regulations regarding SMS; and the most practical way of dealing with these issues is to utilize a secure messaging system to encrypt all messages and maintain confidentiality of your patients’ information.
Authorized users of the secure messaging systems will find that sending secure text messages follows a process very similar to “regular” texting or SMS; and healthcare professionals should have no difficulty in understanding how to use the system, and how to attach documents (such as lab results) or images (of an injury) to their secure communications.
Pre-determined “message lifespans” can be set for communications containing ePHI in order that they are deleted automatically when they are no longer required, and administrators will be able to monitor HIPAA compliance and SMS via automatically generated read receipts and the previously mentioned audit logs.
TigerConnect provides secure, real-time mobile messaging for the enterprise, empowering organizations to work more securely. TigerConnect’s encrypted messaging platform keeps communications safe, improves workflows, and complies with industry regulations.