Touchstone Compliance

Is Texting PHI (Protected Health Information) Allowed by HIPAA?


The answer to that question is more complicated than a simple yes or no. “It depends,” says it best.

The reason lies in the law itself. The lawmakers who crafted the HIPAA legislation went to great lengths, it seems to me, to make the mandate non-prescriptive. HIPAA doesn't expressly require or forbid any particular mode of communication. In fact, the law doesn't even mention texting PHI!

What HIPAA does say is that, whatever the means of communication, appropriate safeguards must be in place to protect the privacy and security of Protected Health Information (PHI). Whether texting is an acceptable way to communicate PHI therefore depends on the adequacy of the safeguards around it.

That’s where this gets tricky.

The Joint Commission on Accreditation of Healthcare Organizations weighed in

HIPAA's requirements for secure communication of ePHI (they map to the technical safeguards of the Security Rule, 45 CFR §164.312) include:

  • Unique user IDs, so every message can be tied to one identifiable person
  • A method to authenticate those user IDs
  • A secure way of transferring and storing the confidential messages

The Joint Commission took a look at the use of traditional SMS (short message service) and concluded that standard consumer-based systems fail to meet these requirements: an SMS travels unencrypted through the carrier's network, copies sit in plain text on carrier servers and on both handsets, and nothing verifies that the phone number you typed belongs to the intended recipient. So it advised physicians, practitioners and hospitals, "Don't do it. Avoid texting PHI."

But that’s not the end of the story.

Secure text-messaging solutions

For healthcare providers, texting PHI offers many advantages. It’s fast, direct, and simplifies the traditional pager and callback methods used by healthcare providers for years. Texting allows for shorter response times, quicker interventions, and can even lead to better patient outcomes.

So the Commission went on to say that texting is OK if — and only if — the service uses:

  • Secure data centers
  • Encryption of data (both in transit and at rest)
  • Recipient authentication
  • Audit controls (the ability to archive messages and information, retrieve that information quickly, and monitor the system)

It's probably obvious, given the parameters above, that the approved text messaging I'm talking about isn't between provider and patient, but rather between healthcare colleagues who are "on the same page" regarding the recognized safeguards.

There’s an app for that

Regular consumer-based text-messaging services don't cut it in terms of HIPAA compliance or the Commission's guidelines. If you want to text in your capacity as a healthcare professional, I recommend looking into a specialized app for mobile devices, one that encrypts the message on your phone, sends it in encrypted form, and decrypts it only on the recipient's device, so that neither the carrier nor the vendor's servers ever see the PHI in the clear. Also, make sure the app includes backup, emergency access, and the ability to archive messages, and check that it protects stored messages on the handset itself (a lost or stolen phone is the most common way PHI leaks). And don't forget to get a signed Business Associate Agreement from the company that makes the app. (You'll need it because PHI will likely be passing through their computer networks.)

As useful and convenient as texting PHI can be, it does present some challenges. If you do decide to use text messaging as part of your work in healthcare, follow the Commission's guidelines to a "T," and you should be OK.
