HIPAA and SMS Texting: Everything you need to know
In Association with
The SMS, which stands for ‘Short message service,’ was first developed in 1984, with the first text message sent some years later in 1992 as an outgrowth of radio memo pagers. The short part of the name comes from the 160 character limit that is imposed on the messages. This easy and simple way to communicate has grown and in 2010 it was the most commonly used data application on phones. This method of communication has persisted, with the number of text messages sent daily numbering in the trillions.
HIPAA is the Health Insurance Portability and Accountability Act of 1996. While the portability had to do with individuals being able to take health insurance benefits with them when changing jobs, the legacy of HIPAA has more to do with federal law imposing standards on preserving patient privacy. More specifically, it established national standards for the protection of sensitive patient information, to prevent disclosing this information without a patient’s consent.
This sensitive health information gets termed as Protected Health Information, or PHI. This PHI includes a number of elements that could potentially identify a patient. The list is quite comprehensive and includes:
- Patient's name
- Address (including all geographic subdivisions smaller than the state, and includes street address, city, county, and zip code)
- All elements of dates related to an individual, with the exception of years (including birthdate, admission date, discharge date, date of death, and the numerical age if over 89 years of age)
- Phone numbers
- Fax number
- Email addresses
- Social Security Number
- Health plan beneficiary number
- Account number
- Medical record number
- Certificate or license number
- Vehicle identifiers and serial numbers, including license plate numbers and VIN
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Finger or voice prints
- Photographic image (Not limited to images of the face)
- Any other characteristic that could uniquely identify the individual
Whenever a communication is made that includes any of the above info, it is in the category of “Identified.” If all of the above HIPAA identifiers are removed, then it gets categorized as “Deidentified.” This comes up with research projects as the data should be analyzed in aggregate only, without the identifiers to avoid a HIPAA violation. This HIPAA privacy rule even applies after an individual is dead, for 50 years after the date of death.
However, even though patient privacy is paramount, it comes up in the normal course of business in healthcare, that PHI needs to be communicated. This comes up with every office visit to a healthcare provider, when the visit gets sent to the insurance company for payment, for example. Also, healthcare providers have frequent situations when they need to communicate with a patient and their families when they are under their care.
Challenges arise, as healthcare providers need to navigate which of the communication methods are HIPAA compliant, and which are not. While some methods of communicating with patients are not an approved method, thankfully there are some options.
The first approved method is direct in-person communication between the provider, and the patient. With this direct method, as the transfer of info is face to face, it is fully HIPAA compliant.
However, there are many occasions where a patient is not directly in front of the provider, and info needs to be sent. Phone calls are HIPAA compliant, and this is a commonly used method in healthcare. When a patient provides a telephone number, it is considered permission to receive a phone call. Another approved method is USPS mail, and certified when needed. Sometimes referred to as ‘Snail mail,’ it gets the job done, but is hardly speedy, and not ideal for a conversation in real time.
Sending a fax is another HIPAA compliant method (although it gets murky when an online fax service is used rather than a physical fax machine), and this is commonly used to send info between doctor’s offices, and a reason why faxing has persisted in healthcare, while many other industries have tossed their fax machines years ago.
While direct person to person, phone, fax and USPS mail are all HIPAA compliant, the more modern electronic means of communication are where things quickly get more complicated. This includes SMS’, instant messaging, as well as emails. In general, neither are approved methods, as the PHI is not secure. This is due to the concern that neither are encrypted in general use.
Also, the concern is that they can both be transmitted over public Wi-Fi, and that is not considered secure. Furthermore, there is not a mechanism to recall the message should it be transmitted to the incorrect recipient. Finally, there is further concern that these messages can remain on the servers that they are transmitted through for a period of time that is indefinite.
That being said, while SMS does not get used, email is sometimes needed, if for no other reason than for hospitals and healthcare providers to communicate with insurance companies. Under the technical security rule, there are standards for electronic communications. These include that the communication is encrypted in transit so that if intercepted it is not readable.
There also needs to be an access control, so that there is a unique login username and PIN number so that the communication can be logged and monitored. There also needs to be an auto logoff to prevent unauthorized access to the PHI.
While technically not impossible, these types of requirements are quite difficult to meet with SMS, hence why it does not get used. Many healthcare organizations have turned to dedicated HIPAA compliant communication via secure messaging apps. These are designed from the ground up to meet the high standards of HIPAA, and allow for encrypted communication, while functioning much like any other dedicated IM app. An example of this type of product is TigerConnect.
In conclusion, due to the requirements of dedicated logins with auto logoff, and encryption, SMS communication is not used in healthcare to remain HIPAA compliant.
