Regardless of who they’re engaging with, consumers want communication to be as convenient as possible.
In recent times, text messaging has come up as the triumphant communication channel that offers that convenience. Here are some notable stats that prove this:
- 98% of SMS messages are opened (an open rate higher than all other popular channels like emails that only have an open rate of 20%)
- 90% of texts are opened within 3 minutes.
- 70% of customers say SMS is perfect for businesses to get their attention.
It’s no surprise why secure texting is becoming the first choice for sending healthcare data, as per a survey. The keyword here is secure.
So how do you ensure this security? What are the rules that you need to follow? When are these regulations not necessary? This post will be your guide to secure text messaging for healthcare data and answer all these questions.
Why do you need secure text messaging for healthcare?
Any information about an individual’s health status, provision of healthcare, or payment for healthcare is termed as Protected Health Information (or PHI). This information is sensitive, and no one would want it to be leaked, which is why it’s protected by law.
Clearly, to communicate this data, you need a system with security measures to ensure there are no slip-ups. But you also don’t want to miss out on convenience. Hence, the need for secure text messaging for healthcare.
To ensure the strict adoption of these security measures, the United States Federal Statute enacted the Health Insurance Portability and Accountability Act, also known as HIPAA.
HIPAA sets the standard for sensitive data protection, including guidelines to ensure secure text messaging for healthcare data.
What is HIPAA Compliant Texting?
HIPAA compliant texting is an extension of HIPAA. It requires organizations to employ secure messaging apps to ensure the security of electronically protected health information (ePHI) communicated between authorized users.
Any organization that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place.
These organizations include:
- Covered entities (CE) – Organizations that provide treatment, payment, and operations in healthcare. These include healthcare providers, health insurance companies, private practices, etc.
- Business associates (BA): Third-party organizations that support covered entities with access to patient information. These include third-party billing companies, cloud service providers, software application providers, etc.
Use cases in which HIPAA Compliance texting doesn’t apply
HIPAA compliance texting rules don’t apply to two types of messages:
- Messages that don’t contain any PHI
- Texts with de-identified health information
These texting use cases include:
- Appointment reminders.
- Communication to reschedule appointments.
- Asking patients to call the office/doctor.
- Communication directing patients to secure patient portals.
- Sending general organizational or promotional updates.
- Internal SMS communication that doesn’t include patient discussions or information.
What is de-identified health information?
De-identified patient data doesn’t include “direct-identifiers” that could otherwise be used to identify the patient from the record.
There are two ways to de-identify information:
- Safe Harbor method: This requires all 18 personal identifiers to be eliminated.
- Expert Determination: This uses the preservation of specific identifiers (usually dates and demographics) combined with an expert’s (like a lawyer or your HIPAA security officer) assurance that they cannot be used to re-identify the patient.
If you find that your texting requirements don’t need you to send PHI, try out CallHub for SMS communication. This comprehensive tool offers a range of features like:
Sign up to CallHub for free and take it for a trial run.
HIPAA compliance guidelines
There are three rules under HIPAA that you need to know about.
- Privacy rule
- Security rule
- Breach notification rule
Let’s look at them in detail.
The Privacy Rule dictates the use and disclosure of an individual’s health information by organizations. It also includes norms for an individual’s rights to understand and control how their health information is used.
It assures people that their data is adequately protected while being distributed to provide them with high-quality care.
Typically, the “health information” includes:
- An individual’s past, present, or future mental health or physical condition.
- The care being provided to the individual.
- Past, present, or future payment data for the provision of health care.
The privacy rule doesn’t apply to de-identified health information.
The Security Rule informs safeguards that must be in place to ensure the appropriate protection of electronically protected health information (ePHI).
It does not apply to information that is transmitted orally or in writing.
There are three safeguards that every organization must have to comply with the security rule:
|Administrative safeguards||Technical safeguards||Physical safeguards|
|Security management process: Identifying potential risks to ePHI and implementing security measures to reduce them.||Access control: Implementing procedures like unique user identification to ensure only authorized access to ePHI.||Facility access control: Limiting physical access to facilities.|
|Security personnel: Designating officials responsible for developing and implementing security procedures.||Audit controls: Implementing methods to record and examine access to information systems containing ePHI.||Device and media control: Ensuring appropriate procedures to dispose of devices no longer in use and wiping data from devices to be reused.|
|Information access management: Limiting access to ePHI only to authorized officials when needed.||Integrity controls: Having appropriate measures in place to ensure ePHI is adequately destroyed during a wipe.|
|Workforce training and management: Training workforce to follow security policies and procedures. This also includes applying appropriate penalties against violators.||Transmission security: Ensuring that the applications in use encrypt data both at rest and during transmission.|
|Evaluation: Performing a periodic assessment of the security procedures and their effectiveness.|
Breach notification rule
The Breach Notification Rule requires organizations with access to PHI to notify the following groups in case of a breach:
- Individuals affected by the breach. They can be notified through direct mail or email.
- Secretary of the HHS by filling out and submitting an online breach report.
- Media, in case the breach affects over 500 residents of a state or jurisdiction.
A breach is defined as any unauthorized use or sharing of PHI that jeopardizes a person’s information security and privacy. This breach could occur due to:
- Unauthorized access by an employee or a third party
- A malware attack
- Theft of devices containing ePHI
A notification is not required if the PHI cannot be used or read by unauthorized personnel (due to encryption).
Steps to facilitate secure text messaging for healthcare organizations
There are three steps to ensuring HIPAA compliant texting measures are in place. These include:
- Establishing organizational texting policies.
- Identifying appropriate vendor requirements to select the right texting solution.
- Actively monitoring the messaging procedures.
Here’s what each entails.
Establishing texting policies
The first step is to establish organization-wide texting compliance policies that everyone, including business associates, needs to follow.
The two key factors that your policies must highlight are:
- Defining a text message (including accepted data formats, devices used for communication, etc.)
- Establishing protocols to send and receive ePHI securely.
These policies must be communicated to all stakeholders (employees, associates, etc.) and be available publicly for users to refer to.
Here are some standard policies that you must have in place:
- Users should not send text messages with ePHI unless the message is encrypted during transit and at rest.
- At no point should the message be decrypted and stored by the texting application in use.
- Both the sender and the receiver’s devices must fulfill the encryption requirements.
- All users who wish to send messages containing ePHI must ensure that the IT department approves the texting application.
- The device/texting application being used must be password protected. This feature should never be disabled.
- The device/application must be configured to lock automatically after a period of inactivity (typically 5 minutes).
- All text messages containing ePHI should include minimal information necessary for the permitted purpose. Users must avoid using multiple identifiers.
- Report all text messages that are unencrypted or sent to the wrong individual to the HIPAA Security Officer.
These policies need to be communicated to your texting application provider.
Texting guidelines for people communicating ePHI
Apart from the above policies, you would also need to set some guidelines for people to follow to ensure HIPAA texting compliance. These guidelines include:
- Confirming the recipient of the text before sending.
- Confirming the delivery and receipt of the text message.
- Avoiding the use of short-forms or text abbreviations.
- Reviewing the text to ensure the autocorrect function doesn’t alter information.
- Deleting all texts containing ePHI as soon as the data is no longer needed.
Identifying vendor requirements and texting solution
Once you have the policies for the usage in place, the next step is identifying texting solutions that align with these policies.
Typically, organizations looking for a HIPAA compliant texting tool must look for solutions with the following features:
- Secure user authentication methods to ensure authorized access.
- Password management to generate passwords of sufficient complexities. Secure password change or reset mechanisms must be in place.
- Login monitoring to monitor all login attempts (successful or unsuccessful). The account must lock after a specific number of unsuccessful attempts.
- Automatic log-off after a period of inactivity.
- Access control to ensure users can only access only the data they send or receive.
- Unique user identification to uniquely identify all users throughout the application and tie back their activities to these ids for auditing.
- Account authorization for administrators to create new accounts or new users.
- Account termination for administrators to terminate accounts. The closed accounts should not be able to access previous messages.
- Auditing features to log all activities related to user authentication and message access with time stamps.
- Transmission security to encrypt all messages at rest and during transit.
- Protection of data on the device to encrypt all the data stored in the mobile device. This also applies to attachments sent through the texts.
- Secure notifications that ensure the message notifications don’t display any ePHI.
- Remote wipe for administrators to remotely wipe and revoke access to messages from stolen or lost devices.
- Message life-span to ensure messages delete automatically after a specific period.
Apart from the security, the texting solution you choose should also make communication easy by integrating with:
- Phone directories
- Electronic health records
- Lab communication devices
- Picture archiving and communication systems
Lastly, remember to get a Business Associate’s agreement from the vendor. This agreement should include that the vendor has HIPAA compliance measures in place as it applies to them too.
Tracking and Monitoring
Once you deploy your texting solution, you have to actively monitor communications to ensure HIPAA compliant texting measures are in place.
Generally, this includes monitoring log files and audit information regularly.
Activities that IT administrators should proactively undertake to ensure this include:
- Tracking and monitoring administrator activities related to user management, information access, and policies.
- Ensuring that authentication events and audit data are correctly captured.
- Making sure that message delivery and read receipts are time stamped.
- Ensuring people sending texts are well-versed with HIPAA compliant texting guidelines set by the organization.
Following these steps will help you enjoy the convenience of secure text messaging of healthcare data without breaking any laws.
HIPAA compliant texting apps
Here are some apps that are HIPAA compliant and can be used to send messages.
- Skype for Business
- Google Hangouts
- Cisco Webex Meetings / Webex Teams
- Amazon Chime
- Zoom for Healthcare
Remember, while these apps comply with the standard HIPAA rules, they may not cater to your organization’s policies. Hence, it’s recommended that you carefully tally your requirements with their provisions before making a choice.
Previously, deploying secure text messaging for healthcare would have seemed like a stretch. But thanks to technology, that’s not the case anymore.
As more patients and health care providers begin to use smartphones, they expect to avail of its convenience in multiple aspects, including receiving and accessing health information over texts.
HIPAA compliant texting measures enable that. Hopefully, the above points give you a better understanding of how to put these measures into action.