We have discussed Healthcare Cyber security concerns before, Improving Healthcare Cybersecurity. Is texting a safe method of communication with patients?
Is texting HIPAA compliant? The answer to this question is not as simple as it may seem. With more and more medical professionals relying on their personal mobile devices for communication, texting has become a significant challenge for healthcare organizations nationwide. Whether or not texting is HIPAA compliant largely depends upon what is texted, who is texted, and what mechanisms are in place to ensure the integrity of Protected Health Information (PHI).
For example, it is not a HIPAA violation for a physician to text message a patient, as long as the patient has been warned about the risks of communicating personal information over an unencrypted channel, and provided the message follows the “minimal necessary standard.” It is also not a HIPAA violation to send text messages if there are mechanisms in place that comply with the technical safeguards of the HIPAA Security Rule. Some of these mechanisms include access controls, audit controls, and encryption.
However, most mobile texting applications do not have a log-in or log-off requirement; therefore they do not comply with HIPAA technical safeguards. For instance, if a mobile device is unattended, anyone can walk by and read the text messages. Unlike voicemail, that typically gets deleted after a period of time, text messages stay on a device indefinitely. If a device is lost or stolen, there is also a risk that sensitive information could be exposed or used to commit fraud or identity theft.
HIPAA compliant text messaging applications are one way of ensuring HIPAA compliance. These applications operate within a secure, encrypted network with access controls and audit controls to satisfy the HIPAA Security Rule.
Although there are ways to make SMS text messaging HIPAA compliant, it is often safer for healthcare organizations and medical practices to prohibit the texting of Protected Health Information (PHI) altogether, rather than risk a penalty for violating HIPAA.
Fines for HIPAA breaches can be up to $50,000 per day. Healthcare organizations can also face civil charges from patients whose data has been exposed if the violation results in identity theft or fraud.
Penalties for Texting in Violation of HIPAA
|Penalties are per violation per year||Min||Max|
|Did Not Know||$100||$50,000|
|Wilful Neglect – Corrected||$10,000||$50,000|
|Wilful Neglect – Not Corrected||$50,000||$1,500,000|
Originally published by Medsafe – HIPAA compliance accreditation – https://www.medsafe.com/