HIPAA Compliant Texting – What Is It And When Do You Not Need It?

Published on
November 9, 2020

Did you know that a HIPAA violation can draw a civil penalty of up to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision (the base amounts set by HITECH, adjusted upward for inflation each year)? Texting ePHI over an ordinary SMS app is one of the easiest ways to commit one.

An individual’s health records are personal and should be seen only by the people involved in their care. Cutting those professionals off from the convenience of texting is not practical either. HIPAA compliant texting is how the two are reconciled: texting is allowed, provided the messages are protected to the standard HIPAA already sets for electronic health information.

But how do you make sure that your organization complies with these rules when texting?  This post will highlight everything that you need to know.  

What is HIPAA Compliant Texting?

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data, primarily in the United States. 

Any organization that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. These organizations include:

  • Covered entities (CE): Organizations that provide treatment, handle payment, or carry out operations in healthcare. These include healthcare providers, health plans, healthcare clearinghouses, private practices, etc.
  • Business associates (BA): Third-party organizations that perform services for covered entities and need access to patient information to do so. These include third-party billing companies, cloud service providers, software application providers, etc. A texting vendor that carries ePHI on a covered entity’s behalf is a business associate.

HIPAA compliant texting is not a separate rule; it is the application of this act, and in particular the Security Rule, to text messaging. Organizations must use messaging apps that protect electronic protected health information (ePHI) exchanged between authorized users. The stock SMS app on a phone does not meet that bar: carrier SMS is not end-to-end encrypted, messages sit unencrypted on both handsets and in carrier systems, and there is no access control or audit trail.

HIPAA compliance rules

To fully understand how to achieve HIPAA compliant texting, we need to understand what HIPAA compliance entails. Three rules do most of the work:

  1. Privacy rule
  2. Security rule
  3. Breach notification rule

Let’s look at them in detail.

Privacy rule

The Privacy Rule establishes a set of national standards for the protection of certain health information. 

These standards dictate the use and disclosure of an individual’s health information by organizations. It also includes norms for an individual’s rights to understand and control how their health information is used. It assures people that their data is adequately protected while being distributed to provide them with high-quality care.

Typically, the “health information” includes: 

  • An individual’s past, present, or future mental health or physical condition 
  • The healthcare being provided to the individual
  • Past, present, or future payment data for the provision of health care

De-identified health information

The Privacy Rule protects individually identifiable health information. Health information that has been de-identified is no longer PHI, and the rule does not restrict its use or disclosure.

De-identified data has had the identifiers removed that could be used, alone or in combination with other available information, to link the record back to the patient.

There are two ways to de-identify information:

  1. Safe Harbor method: All 18 listed identifiers of the individual (and of the individual’s relatives, employers, and household members) are removed. These include names, geographic units smaller than a state, all elements of dates other than the year, phone numbers, email addresses, Social Security and medical record numbers, device identifiers, IP addresses, biometric identifiers, and full-face photos. The organization must also have no actual knowledge that the remaining information could identify the individual.
  2. Expert Determination: A qualified expert applies accepted statistical or scientific methods, determines that the risk of re-identification from the remaining data is very small, and documents the methods and results. This usually allows more detail (for example, dates or finer demographics) to be retained than Safe Harbor does.

When it comes to communicating de-identified health information, organizations don’t have to restrict themselves to HIPAA compliant texting apps. They can use a general mass texting solution to fulfill their outreach needs. The caveat is that the de-identification has to hold for the message as a whole: a text sent to a patient’s own phone number is tied to an identifiable person by that fact alone, so this exception covers aggregate or anonymous content, not an individual’s results.
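To make the Safe Harbor rules concrete, here is an added example (not from the original article, and not from any vendor) that applies them to a single flat patient record: direct identifiers are dropped, dates are reduced to the year, ages of 90 and over are collapsed into one bucket, and ZIP codes are cut to three digits with the sparsely populated areas zeroed out. The field names, the sample record and the reference date are constructed for illustration; the restricted ZIP3 list is the one HHS guidance derives from the 2000 Census and should be checked against current guidance before use.

```python
"""Safe Harbor de-identification of one flat patient record.

Added example for this article; field names are assumptions.
Safe Harbor also requires that the organization has no actual knowledge
that the remaining data could identify the patient, which no function
can check for you.
"""
import re
from datetime import date

# Identifier fields that Safe Harbor requires to be removed outright
# (names, contact details, record and account numbers, device/IP/biometric
# identifiers, photos). The key names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# Three-digit ZIP areas with 20,000 or fewer residents (2000 Census), as
# listed in HHS Safe Harbor guidance. Verify against current guidance.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Constructed sample record and reference date, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0042",
    "phone": "555-0100",
    "email": "jane@example.com",
    "dob": "1929-04-15",
    "zip": "03601",
    "admit_date": "2020-11-03",
    "diagnosis": "hypertension",
}
AS_OF = date(2020, 11, 9)


def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for a restricted area."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) != 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def generalize_date(value):
    """Reduce an ISO date to its year; non-date strings pass through."""
    m = ISO_DATE.match(value)
    return m.group(1) if m else value


def compute_age(dob_iso, as_of):
    born = date.fromisoformat(dob_iso)
    before_birthday = (as_of.month, as_of.day) < (born.month, born.day)
    return as_of.year - born.year - before_birthday


def safe_harbor(record, as_of):
    """Return a de-identified copy of `record` under the Safe Harbor method."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop the identifier entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob" or key.endswith("_date"):
            out[key] = generalize_date(value)
        else:
            out[key] = value
    if "dob" in record:
        age = compute_age(record["dob"], as_of)
        if age >= 90:
            # Ages over 89 are rare enough to identify someone, so they are
            # reported as one bucket and even the birth year is dropped.
            out.pop("dob", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def deidentify_sample():
    return safe_harbor(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    for key, value in deidentify_sample().items():
        print(f"{key}: {value}")
```

Note that the function only handles the mechanical identifiers. Free-text fields such as clinical notes can carry names, dates and places inside the prose, and those need a separate redaction pass (or the Expert Determination route) before the record counts as de-identified.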

Security Rule

The Security Rule sets out the safeguards that must be in place to protect electronic protected health information (ePHI). It does not apply to PHI that exists only on paper or is spoken; those are covered by the Privacy Rule alone. A text message is ePHI both in transit and wherever it is stored, so the Security Rule is the part of HIPAA that texting has to satisfy.

There are three categories of safeguards that every organization must have in place to comply with the Security Rule. The standards under each category are:

Administrative safeguards

  • Security management process: Identifying potential risks to ePHI through a documented risk analysis and implementing security measures to reduce them.
  • Security personnel: Designating a security official responsible for developing and implementing security policies and procedures.
  • Information access management: Limiting access to ePHI to the workforce members who need it for their role.
  • Workforce training and management: Training workforce members on security policies and procedures, and applying sanctions against those who violate them.
  • Evaluation: Periodically assessing the security policies and procedures and their effectiveness.

Technical safeguards

  • Access control: Unique user identification, emergency access procedures, automatic logoff, and encryption of stored ePHI, so that only authorized people can reach it.
  • Audit controls: Mechanisms that record and examine access and other activity in information systems containing ePHI.
  • Integrity controls: Measures to ensure ePHI is not improperly altered or destroyed, together with a way to verify that it has not been (for example, a checksum or signature over stored data).
  • Person or entity authentication: Verifying that a person or system seeking access to ePHI is who it claims to be.
  • Transmission security: Guarding against unauthorized access to ePHI while it travels over a network, which in practice means encrypting messages in transit and checking their integrity on receipt.

Physical safeguards

  • Facility access control: Limiting physical access to facilities so that only authorized personnel get in.
  • Workstation use and security: Defining how workstations that reach ePHI may be used and restricting physical access to them.
  • Device and media control: Procedures for disposing of devices that are no longer in use, wiping data from devices before they are reused, and tracking where media holding ePHI goes.

Breach notification rule

The Breach Notification Rule requires covered entities (and business associates, who must report to the covered entity they serve) to give notice of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovering it, to:

  • Individuals affected by the breach, by written notice sent by first-class mail, or by email if the individual has agreed to electronic notice.
  • The Secretary of HHS, through the online breach report form: within the same 60 days for breaches affecting 500 or more individuals, or within 60 days of the end of the calendar year for smaller breaches, which are logged and reported annually.
  • Prominent media outlets, if the breach affects more than 500 residents of a state or jurisdiction.

A breach is an acquisition, access, use, or disclosure of PHI that the Privacy Rule does not permit and that compromises the security or privacy of the information. Any impermissible disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. In the texting context, a breach could occur due to:

  • Unauthorized access by an employee or a third party 
  • A malware attack 
  • Theft of devices containing ePHI  

Notification is not required if the PHI was secured, meaning encrypted in a way consistent with HHS guidance so that it is unusable, unreadable, or indecipherable to the unauthorized person. That safe harbor holds only if the decryption key was not compromised along with the data: a lost phone that holds encrypted messages but also the means to read them (an unlocked device, a cached credential, a passcode written on the case) is still a reportable breach.

Steps to ensuring HIPAA texting compliance

You need to take three key steps to ensure HIPAA compliant texting measures are in place. These include:  

  1. Establishing organizational texting policies
  2. Identifying appropriate vendor requirements to select the right texting solution
  3. Actively monitoring the messaging process and policies

Here’s what each entails. 

Step 1: Texting policies

The first step is to establish organization-wide texting compliance policies that everyone, including business associates, needs to follow. 

The two key factors that HIPAA compliant texting policies must highlight are: 

  1. Defining a text message (including accepted data formats, devices used for communication, etc.) 
  2. Establishing protocols to send and receive ePHI securely.

These policies must be communicated to all stakeholders (employees, business associates, etc.) and kept somewhere users can readily refer to them.

Some standard policies that you must have in place include:

  • Users should not send text messages containing ePHI unless the message is encrypted in transit and at rest.
  • The texting application must never keep a decrypted copy of a message in storage; messages are stored only in encrypted form.
  • Both the sender’s and the receiver’s devices must meet the encryption requirements for messages in transit and at rest.
  • Users who wish to send messages containing ePHI must use only texting applications approved by the IT department.
  • The device and the texting application must be protected by a password or passcode, and this protection must never be disabled.
  • The device and the application must be configured to lock automatically after a period of inactivity (typically 5 minutes).
  • Text messages containing ePHI should include only the minimum information necessary for the permitted purpose, and no more identifiers than that purpose requires.
  • Users must report any unencrypted text containing ePHI, and any message sent to the wrong recipient, to the HIPAA Security Officer.

Texting Guidelines

Apart from the above policies, you also need to set some guidelines for people to follow to ensure HIPAA texting compliance. Some of these guidelines include:

  • Confirming the recipient of the text before sending.
  • Confirming the delivery and receipt of the text message.
  • Avoiding short forms or text abbreviations.
  • Reviewing the message before sending and making sure autocorrect hasn’t altered any information.
  • Deleting all texts containing ePHI as soon as the data is no longer needed.

Based on your organization’s usage and the users, you can add to these policies to ensure HIPAA compliant texting. 

Step 2: Identifying vendor requirements and texting solution

Once you have the policies for the usage in place, the next step is to identify texting solutions. The solution you choose must work in tandem with the policies set for use. 

Typically, organizations looking for a HIPAA compliant texting app must look for solutions that provide the following capabilities:

  • Authentication methods: Secure user authentication, ideally with a second factor, so that only authorized users get in.
  • Password management: Passwords must meet a complexity requirement, and there must be secure password change and reset mechanisms.
  • Login monitoring: All login attempts (successful or unsuccessful) must be logged, and the account must lock after a set number of unsuccessful attempts.
  • Automatic log off: The application must log off after a period of inactivity.
  • Access control: Users must be able to access only the conversations they are party to.
  • Unique user identification: Every user is uniquely identified throughout the application so that all their activity can be tied back to that ID for auditing. Shared or generic accounts defeat this.
  • Account authorization: Only administrators can create new accounts or add users.
  • Account termination: Administrators can terminate accounts, and a terminated account can no longer access its previous messages, including copies cached on the device.
  • Audit capabilities: All user authentication and message access events are logged with time stamps.
  • Transmission security: All messages are encrypted in transit and at rest.
  • Protection of data on the device: All data the app stores on the mobile device, including attachments sent through texts, is encrypted.

Apart from these key capabilities, other administrative and security requirements that the application must meet include:

  • Secure notifications: Message notifications shown on the lock screen or as banners must not include any ePHI, only that a message is waiting.
  • Remote wipe: Administrators can remotely wipe the app’s data and revoke access to messages on lost or stolen devices.
  • Message life-span: Messages are deleted automatically after a set period.

Standard Integrations

When selecting a texting solution, you don’t just want something secure but also makes communication easy. The clinical communication platform you choose should be able to integrate with: 

  • Phone directories
  • Electronic health records
  • Lab communication devices
  • Picture archiving and communication systems

Lastly, sign a business associate agreement (BAA) with the vendor before any ePHI passes through its service. The BAA obliges the vendor to apply the HIPAA safeguards that apply to it as a business associate and to report breaches to you. A vendor that will not sign one is not an option for ePHI, whatever its feature list says.

Step 3: Tracking and Monitoring

Once a texting solution is deployed, it’s critical for organizations to actively monitor whether the measures are in place and maintain HIPAA compliance. 

Generally, this includes reviewing log files and audit information regularly to ensure appropriate use.

Some common activities that IT administrators should proactively undertake to ensure this include:

  • Tracking and monitoring administrator activities related to user management, information access, and policies.
  • Ensuring that authentication events and audit data are correctly captured.
  • Making sure that message delivery and read receipts are time stamped.
  • Ensuring users are well-versed in the HIPAA compliant texting guidelines set by the organization.
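As an added example of what the review in this step can look like in practice (this is not code from the article or from any texting vendor), the script below reads a constructed JSON-lines audit log from a hypothetical messaging app and checks three of the controls listed under Step 2: that hitting the failed-login threshold actually produces a lockout, that a terminated account is not used afterwards, and that messages are gone once the configured lifespan has passed. The event names, field names, thresholds and sample lines are all assumptions made for the example.

```python
"""Review a secure-messaging audit log for three Step 2 controls.

Added example; the log format, event names and thresholds are
assumptions, not a real product's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                   # failed logins before the account must lock
LOCKOUT_WINDOW = timedelta(minutes=10)  # window in which those failures count
MESSAGE_LIFESPAN = timedelta(days=30)   # messages must be deleted after this
REVIEW_AS_OF = datetime(2020, 12, 15)   # "now" for the retention check

# Constructed sample log (JSON lines), not captured from a real system.
SAMPLE_LOG = """\
{"ts": "2020-11-01T09:00:00", "event": "login_ok", "user": "dr.lee"}
{"ts": "2020-11-01T09:01:00", "event": "message_sent", "user": "dr.lee", "msg": "m1"}
{"ts": "2020-11-02T08:00:00", "event": "account_terminated", "user": "nurse.kim", "by": "admin"}
{"ts": "2020-11-02T08:30:00", "event": "message_read", "user": "nurse.kim", "msg": "m1"}
{"ts": "2020-11-03T10:00:00", "event": "login_failed", "user": "dr.patel"}
{"ts": "2020-11-03T10:00:30", "event": "login_failed", "user": "dr.patel"}
{"ts": "2020-11-03T10:01:00", "event": "login_failed", "user": "dr.patel"}
{"ts": "2020-11-03T10:01:30", "event": "login_failed", "user": "dr.patel"}
{"ts": "2020-11-03T10:02:00", "event": "login_failed", "user": "dr.patel"}
{"ts": "2020-11-03T10:02:30", "event": "login_ok", "user": "dr.patel"}
{"ts": "2020-11-20T12:00:00", "event": "message_sent", "user": "dr.lee", "msg": "m2"}
{"ts": "2020-12-01T12:00:00", "event": "message_deleted", "msg": "m2"}
"""


def parse_log(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def check_lockouts(events):
    """Flag users who reach the failed-login threshold inside the window
    without an account_locked event, or who then log in successfully."""
    findings = []
    fails = defaultdict(list)   # user -> timestamps of recent failures
    pending = {}                # user -> failure count awaiting a lockout
    for e in events:
        user, kind = e.get("user"), e["event"]
        if kind == "login_failed":
            recent = [t for t in fails[user] if e["ts"] - t <= LOCKOUT_WINDOW]
            recent.append(e["ts"])
            fails[user] = recent
            if len(recent) >= LOCKOUT_THRESHOLD:
                pending[user] = len(recent)
        elif kind == "account_locked":
            pending.pop(user, None)
            fails[user] = []
        elif kind == "login_ok" and user in pending:
            findings.append(f"{user}: {pending.pop(user)} failed logins then a "
                            f"successful login with no lockout")
            fails[user] = []
    for user, count in pending.items():
        findings.append(f"{user}: {count} failed logins in window, never locked")
    return findings


def check_terminated_access(events):
    """Flag any login or message activity by an account after termination."""
    findings = []
    terminated = {}
    for e in events:
        user = e.get("user")
        if e["event"] == "account_terminated":
            terminated[user] = e["ts"]
        elif user in terminated and e["event"] in ("login_ok", "message_read", "message_sent"):
            findings.append(f"{user}: {e['event']} at {e['ts'].isoformat()} "
                            f"after termination at {terminated[user].isoformat()}")
    return findings


def check_message_expiry(events, now):
    """Flag messages older than the lifespan with no deletion event."""
    sent, deleted = {}, set()
    for e in events:
        if e["event"] == "message_sent":
            sent[e["msg"]] = e["ts"]
        elif e["event"] == "message_deleted":
            deleted.add(e["msg"])
    return [f"{msg}: sent {ts.date()} still present after {MESSAGE_LIFESPAN.days} days"
            for msg, ts in sent.items() if msg not in deleted and now - ts > MESSAGE_LIFESPAN]


def review(text, now):
    events = parse_log(text)
    return {
        "lockout": check_lockouts(events),
        "terminated_access": check_terminated_access(events),
        "expiry": check_message_expiry(events, now),
    }


def review_sample():
    return review(SAMPLE_LOG, REVIEW_AS_OF)


if __name__ == "__main__":
    for check, findings in review_sample().items():
        print(check, findings or "ok")
```

On the constructed log, all three checks fire: the account with five failures is never locked and then logs in, the terminated account reads a message half an hour after termination, and one message is still present six weeks after it was sent. Each of those is the kind of finding this step exists to catch before an auditor (or a breach) does.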

While these steps are essential for secure texting of ePHI, there are some instances where you may not require these policies and measures for communication.

When are HIPAA compliant texting measures not needed?

Simply put, the HIPAA rules don’t constrain two types of messages:

  1. Messages that don’t contain any PHI
  2. Texts with de-identified health information

Keep in mind that a message addressed to a particular patient is linked to that patient, so the test is not whether the text names a diagnosis but whether it says anything about that person’s health or care. HHS treats appointment reminders as a permitted use of PHI for treatment and health care operations, so they can go out by text provided the patient has been told that plain SMS is not encrypted and has chosen to receive messages that way, and provided the content is kept to the minimum necessary: date, time, and a callback number, not the reason for the visit, the test being discussed, or a clinic name that reveals a specialty.

With that limit in mind, the use cases that don’t require HIPAA compliant texting measures include:

1. Appointment reminders

Over 40% of people miss appointments because they forget about them. Sending appointment reminder texts is a good way to avoid this. To set it up, you will have to:

  • Set up an SMS opt-in for users. Patients send in a keyword to a shortcode to receive reminders. 
  • Set up a text message autoresponder to send a confirmation that their request has been received.
  • Schedule a text broadcast to all patients who opted-in with the appointment details. 
[Image: example appointment reminder text]

2. Communication to reschedule appointments

Often the time for the appointment may not be suitable for the patient. Giving them the option to reschedule it over text is a way to ensure a good experience. 

Appointment rescheduling is just an extension of reminders. The initial steps remain the same. 

[Image: example reschedule opt-in text]

If someone opts-in to reschedule, you can continue the conversation in two ways: 

  • Set up automated text messages to confirm their reschedule request. You can collate patients’ data requesting a reschedule and then send them a text blast with a new schedule. 
  • Leverage peer-to-peer texting to communicate with the patient over text and set up a new time. Here’s how it would look:
[Image: example peer-to-peer rescheduling conversation]

3. Asking patients to call the office

When you need to discuss personal matters with patients, you can send them a text to get them to call you. All you need to do is set up an SMS broadcast to be sent to the patients. 

[Image: example call request text]

4. Directing patients to secure patient portals

You can’t share a patient’s health information over plain SMS, but you can use a text to direct them to a secure portal where they can access it. As with call requests, all you need to do is set up a text blast with a link to the portal. Link to the portal’s login page rather than to a URL that embeds the patient’s identity or a record ID, since the text itself travels unencrypted.


5. Sending general updates to patients and employees

If your organization wants to keep patients or employees engaged with SMS marketing, you can do that too. This could include sending out updates with:

  • Health tips or alerts
  • Organizational announcements
  • Promotional offers
  • New product/service announcements, etc.
[Image: example promotional text]

When choosing a mass texting software for these uses, make sure to select a comprehensive solution, like CallHub, that offers all the above features. 

Having it all in one solution reduces the complexity of switching between applications to manage different campaigns. Moreover, it also costs less since you’re not paying for multiple apps. 

HIPAA compliant texting apps

Here are some common HIPAA compliant texting apps that you can consider for your organization. 

Remember, while these apps comply with the standard HIPAA rules, they may not cater to your organization’s policies. Hence, it’s recommended that you carefully tally your requirements with their provisions before making a choice. 

To conclude

As more patients and health care providers use smartphones, they expect the same convenience for receiving and accessing health information as they get everywhere else.

HIPAA compliant texting measures enable that.  

Hopefully, the points above help you understand how to achieve that compliance and ensure your patient’s and organization’s safety.  

Featured image source: National Cancer Institute

Nandhaan Verma Linkedin
Nandhaan is a marketer with nearly 5 years of experience researching & writing about communication for nonprofits, advocacies, & political campaigns. His insights have empowered multiple organizations to streamline communications & drive change.