Whether texting is a violation of HIPAA is subjective, to say the least. HIPAA (Health Insurance Portability and Accountability Act) is a law that protects patients’ medical records and personal information related to health.
To start off, any argument that texting is a violation of HIPAA is strongly linked with concerns of privacy and security rules. These rules do not specific texting as a violation, but they do have conditions that apply to electronics devices used in the healthcare industry.
Judging by this, texting isn’t considered a violation, so long as the text doesn’t include any personal identifiers. Texting between a patient and a doctor can be done if the message itself is in full compliance with HIPAA. The medical personnel needs to notify the patient that there are risks involved regarding sharing personal information over unencrypted channels such as texting via smartphone. Texting is absolutely okay if there are safety mechanisms in place which protect the patient in regards to the HIPAA security rules.
Safeguards of the HIPAA Security Rules
There are certain requirements that control and transmit security mechanisms when PHI (Personal Healthcare Information) is being transmitted via electronics devices. The requirements in question are:
- Access and transfer of personal healthcare information are to be authorized only by users who require the information to do their jobs.
- A system in place must be implemented that will monitor the access and usage of personal healthcare information.
- Users with unauthorized access to personal healthcare information must authenticate their identity with a unique PIN and username.
- Policies and procedures must be put in place to prevent any inappropriate usage of personal healthcare information.
- Any data shared beyond an organization’s internal firewall must be encrypted to prevent it from being readable in the case of interception.
According to curogram.com, short message service (SMS) and instant messaging (IM) fall on all of the above-mentioned counts. Both medical personnel and patients should be fully aware that messages sent via SMS or IM can be intercepted and nothing can guarantee who will be the final destination of the message. Personal healthcare information can be mistakenly sent to a wrong number, forwarded to another number be eighter parties, or intercepted while in transit. Patients and medical personal should also be aware that service providers also have copies of each SMS and IM. These messages remain on their services and they will by no means be deleted.
Medical personnel is mostly on the losing side in the case of someone obtaining patients’ personal healthcare information since 80% of all medical personnel use their smartphone devices to support their workflows. This means that the risks of someone obtaining PHI are very common since anyone can gain unauthorized access to one of these devices. Furthermore, messaging apps have no log-in or log-off requirements, meaning that this information can be easily accessed if the smartphone is stolen or lost. These are some of the technical safeguards for HIPAA texting.
If this is truly the case, a doctor losing his phone and someone gaining access to it, the fines for breaching HIPAA can be anything from $100 up to $1,5 million.