Texting is growing in popularity among the healthcare and insurance industries as a convenient means to communicate with patients and insureds. The increased popularity naturally raises the question: how does a healthcare or insurance entity subject to the Health Insurance Portability and Accountability Act (better known as HIPAA) make sure that text messages between patients, insureds and health care providers don’t violate HIPAA? Unfortunately, there’s no single, clear-cut answer, but here are some helpful tips to get you started.*
What is HIPAA?
HIPAA is a federal law that many recognize as protecting the privacy and security of health information. HIPAA, however, only covers protected health information (PHI), which is individually identifiable health information created or received by “covered entities” (i.e., health plans, most health care providers and health care clearinghouses) and “business associates” (i.e., the third parties that support covered entities). In other words, HIPAA governs entities and not data, which means that specific data may be regulated by HIPAA in the hands of some entities but not others.
Is SMS texting HIPAA compliant?
HIPAA does not specifically prohibit or approve sending PHI by text message. For HIPAA compliance purposes, the use of text messaging to send PHI requires the use of controls that ensure the confidentiality of PHI when it is at rest and in transit. HIPAA’s Security Rule includes mandatory security safeguards and “addressable” security safeguards. Mandatory safeguards must be implemented. If a security safeguard is “addressable,” the covered entity can do a risk analysis to determine whether the security safeguard is reasonable and appropriate or whether to use an alternative control. Encryption is an example of an addressable security safeguard. This is important because SMS messages are not encrypted, which means that third parties could gain access to PHI in a text message.
Since encryption is an addressable security safeguard, a covered entity is not necessarily prohibited from using text messaging to communicate with patients; rather, a covered entity should use text messaging tools with encryption technology.
HIPAA compliant text messages: choosing a texting provider
Here are a few tips for choosing a texting provider. Of course, Zipwhip strongly recommends consulting legal counsel.
Look to the provider’s encryption and data protection practices. Text messages should be encrypted while on the provider’s infrastructure in transit (from the carrier connection point to the provider’s messaging application) and at rest (when being stored on the provider’s database).
Separately, consider what security framework the provider follows. Many SaaS companies can offer a SOC 2 report. Other common security frameworks are the NIST Cybersecurity Framework and ISO 27001.
Use business-texting software with features that reduce human error in PHI transmission. Human error (e.g., an employee may accidentally text patient information to the incorrect recipient) is a common source of HIPAA violations.
Using business-texting software with auto-populating features can help reduce errors by setting a streamlined workflow in place. Look for features like dynamic fields and the ability to store and auto-populate patient information, such as phone numbers and addresses.
Have a Business Associate Agreement (BAA) in place with your texting provider. When a texting provider handles PHI on behalf of a covered entity, the texting provider is considered a business associate. HIPAA requires that a covered entity have a written agreement with each business associate, which is known as a Business Associate Agreement (BAA). The purpose of a BAA is to ensure that the business associate is contractually required to protect the security, confidentiality, availability and integrity of PHI. Learn more about BAAs here.
Consider the content within the text message. Even when transmitting PHI over an encrypted network, it’s best practice not to discuss detailed medical information over text. Keep in mind that there’s always a security risk when sending personal or confidential information over electronic communication. Consider how you manage PHI over email: if you wouldn’t send it over email, then definitely don’t send it over text.
Zipwhip business-texting software and HIPAA compliant text messages
Zipwhip can be used as part of your HIPAA compliance solution. Among our other security safeguards, PHI is encrypted while on Zipwhip’s infrastructure. Learn more about how we keep customer text messages safe.
*Disclaimer: This blog post is for informational purposes only and does not, and is not intended to, constitute legal advice. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. You should not act or refrain from acting on the basis of any content included in this site without seeking legal or other professional advice.