Text Messaging and HIPAA Compliance
While texting patient information is not prohibited by HIPAA, it can be risky for both the patient and the provider. Providers who wish to text patients must take steps to strengthen the security of both the mobile device used for the text and the transmission of the text. This means adding additional layers of security, such as password protection of the message and periodic deletion of texts or transfer of the text message to the patient's medical record. Providers should communicate the risks to patients and ensure that patients have the option to decline receiving personal information by text. Providers should also adopt policies and procedures specific to text messaging and make appropriate changes to their Notice of Privacy Practices.
In addition, OCR recommends encryption when PHI is transmitted outside the organization in any electronic form, including texting. Encryption transforms the content of a message into data that is unreadable without the key, and the original message is restored only when it is decrypted on the receiving end. This means that anyone who intercepts the message in transit sees only unintelligible characters and symbols. Encryption in transit does not, however, protect messages from being read if a device is compromised, or if it is accessed by a friend or family member once the message has been decrypted on it.
Health care providers who use text messaging to communicate with patients or other health care providers should do so only if they can be assured that the text message is secure and the transmission is HIPAA compliant. HIPAA requires, among other things, that the provider (1) limits access to PHI to authorized users who need the information to do their jobs; (2) monitors users' access to the mobile device and the text; (3) authenticates the authorized users; and (4) implements policies and procedures to prevent inappropriate alteration or destruction of PHI. Texting without added security measures will not comply with HIPAA requirements.