For most people, understanding the basics of HIPAA or the Health Insurance Portability and Accountability Act of 1996 can be a real challenge. Relying on hearsay rather than doing your own research may lead to errors and misunderstandings which could have been avoided early on. For better comprehension of the HIPAA compliance rules and regulations, it is advised that you consult some of the best sources such as this article by Halo Communications on HIPAA & texting.
Advantage of Text Messaging in Healthcare Facilities
It cannot be denied that mobile phones have made communication between medical practitioners faster and more convenient inside a healthcare facility. Within a split of a second, information and inquiries can be delivered to the recipient and responses can be reverted to the sender within seconds even if they are not physically present in the clinic or hospital. Although text messaging is beneficial in this sense, not all types of it may be tagged as HIPAA compliant.
Text Messaging and HIPAA Rules
To answer the big question, no, text messaging is generally not allowed and is against HIPAA rules and regulations. The main reason for this is that the information sent through text messages are not encrypted and Protected Health Information or PHI may be accessed by unauthorized persons. This confidential information are highly vulnerable in cases of mobile phones that are left unattended or stolen. Exposed PHI can, therefore, be used by criminals for identity theft or fraudulent insurance transactions.
There are also other reasons that it is safer to avoid this form of communication than risk a HIPAA compliance certification. One is the lack of access controls to the devices and the other is the lack of audit controls. To overcome these, there has to be a way to record every activity starting from the creation of a PHI entry to the sharing of information, modification, and removal from the record. The challenge is how to implement these across different operating systems.
HIPAA Compliant Text Messaging
As implied earlier, text messaging can be compliant with HIPAA rules under various circumstances. The first one is if the medical practitioners are sending and receiving messages to and from their patients and both a warning and consent has been issued. The consent may be given through text as well as the issuance of warning for the risk of unauthorized disclosure. Both of these should be properly documented by the Covered Entity.
Another case wherein text messaging containing PHI may be allowed is during times of natural disasters when the HIPAA rules are temporarily waived by the US Department of Health and Human Services. Waivers are, however, not encompassing and may apply to some rules or specific natural calamities only.
Another special case where text messaging is allowed under HIPAA regulations is in an employer to employee set up. The employers providing health care plans and office-based clinics, as well as the intermediaries, may be allowed to send text messages containing patient related information.
Finally, the Covered Entity may use a HIPAA compliant mobile application adhering to all requirements and restrictions. The mobile application should be able to solve access, auditing, and encryption problems that regular text messaging have. It must also comply with the HIPAA Security Rule and the Minimum Necessary Standard.