Texting in its standard form (SMS) is generally not considered HIPAA compliant, because it is not end-to-end encrypted and offers no adequate safeguards against unauthorized access to Protected Health Information (PHI). Texting can, however, be made HIPAA compliant by using a secure messaging platform that provides encryption of messages in transit and at rest, user authentication, audit controls, and a Business Associate Agreement (BAA) with the messaging service provider, so that PHI receives the protections HIPAA requires.
Without looking too closely at the topic, it is tempting to dismiss text messaging outright as non-compliant, and for the bulk of what are commonly called text messages that verdict is correct. The reason is not that HIPAA expressly prohibits text messaging. Rather, the HIPAA Security Rule requires covered entities to apply safeguards (access control, authentication, audit controls, integrity and transmission security among them) that protect electronic PHI both at rest, meaning stored on a device or server, and in transit, meaning while it is being sent or otherwise shared. Ordinary texting provides none of these.
What do we mean by texting?
What is commonly understood as a text message, a basic SMS sent from one mobile phone to another, does not meet these criteria. It is therefore unsuitable for carrying PHI, and using it for that purpose is non-compliant with HIPAA.
The traditional SMS system has several weaknesses: messages are not end-to-end encrypted, so the carriers that relay them can read them; it is easy to send a message to the wrong number, with no way to recall it; message content may be retained on carrier servers and on both handsets (even where the provider does not, or is not permitted to, access that data); and messages can be intercepted in transit.
Compounding this, the messaging app on a phone is usually protected by nothing stronger than the device's lock screen, incoming messages are often previewed on that lock screen, and phones are among the items most often lost or stolen. A lost or stolen handset can therefore expose PHI and other sensitive patient data to whoever picks it up.
With this in mind, we can say that while employees of HIPAA covered entities may use text messages, no PHI should ever be sent by SMS.
Compliant text messaging systems
Above, we deliberately emphasized standard text messages, because there are many other applications that allow text messages to be exchanged between mobile devices. Most of us are familiar with these and may use Facebook Messenger with friends, WhatsApp groups with colleagues, or other platforms.
For the most part, these "consumer" messaging solutions suffer from one or another of the same flaws as traditional texting. Even WhatsApp, for example, whose end-to-end encryption may satisfy the transmission-security element of the HIPAA criteria, does not provide the access controls a covered entity needs: anyone holding the unlocked phone can read the conversation, and chat history persists on the device outside the organization's control. Audit controls, the ability to record who accessed which PHI and when, are another element commonly lacking in consumer solutions.
Professional solutions, on the other hand, do exist and have been built from the outset to be used in a HIPAA-compliant fashion. Although compliance still depends largely on user behavior and on how the system is configured, these platforms give healthcare professionals the convenience of text messaging without its drawbacks: encryption of messages in transit and at rest, user authentication before any message can be read, audit logs of message access, automatic log-off after a defined period of inactivity, remote wipe of messaging data from a lost or stolen device, and a vendor willing to sign a BAA. Together these controls keep PHI secure and reduce the risk of a breach to a minimum. Adopting such a platform does not by itself make an organization compliant, however; executing the BAA, configuring these controls, and training staff to use them correctly remain the covered entity's responsibility.