HIPAA Compliant Texting?
Like many telehealth practitioners in the digital age, you may be asking yourself “Is texting HIPAA compliant?” The short answer is that it depends on how the message is transmitted, where it is stored, and who can read it along the way.
Text messaging (SMS or MMS) is an easy-to-use option for communicating with patients, and it is enticing for many telebehavioral health practitioners. However, the HIPAA Security Rule sets safeguards for any electronic communication that carries patient information, and a text message is no exception. Those safeguards must be met to protect your behavioral health practice from data breaches and HIPAA fines.
How to Make Texting HIPAA Compliant
Under HIPAA, behavioral and telebehavioral health providers are covered entities when they transmit health information electronically in connection with standard transactions such as insurance claims, which describes nearly every practice that bills electronically. Covered entities are required to have administrative, physical and technical safeguards in place to protect their patients’ protected health information (PHI). PHI is individually identifiable health information: any information about a patient’s health, treatment or payment that is linked to an identifier such as name, address, phone number, email, Social Security number, insurance ID number or medical record number. A text that names a patient and mentions an appointment, a diagnosis or a medication is PHI.
The Security Rule’s technical safeguards apply to any electronic transmission of PHI, and that includes text messaging. The transmission security standard requires covered entities to guard against unauthorized access to PHI in transit. Encryption of “data in motion” is listed as an “addressable” implementation specification, which does not mean optional: you must either implement it or document why it is not reasonable in your situation and what equivalent protection you put in place instead. For a text message that leaves your control and crosses carrier and vendor networks, there is rarely a defensible alternative to encryption. The strongest form is end-to-end (E2E) encryption, in which the message is encrypted on the sender’s device and can only be decrypted on the intended recipient’s device, so that the telebehavioral health practitioner who sends the data and the patient who receives it are the only two parties who can read it; carriers, the messaging vendor and anyone who compromises them see only ciphertext. Encryption that follows HHS guidance (which points to the NIST transport-security standards) also renders the data “secured PHI,” so a lost or intercepted message is not a reportable breach.
The reason encryption matters so much for texting is that a standard SMS is not encrypted by the sender. It travels in the clear through the carriers’ networks, is stored on carrier systems, and sits in plaintext on both handsets, so anyone with access to those systems, from a carrier employee to an attacker who has compromised a carrier or taken over the patient’s phone number, can read it. Texting PHI without encryption therefore poses a serious risk to your patients’ privacy and a reportable breach for your practice.
Standard SMS and MMS are unencrypted regardless of the handset, so texting PHI over SMS from an Android phone, an iPhone or any other device is not HIPAA compliant. The problem is the SMS transport, not the phone: an Android device can be used if the messages go through an encrypted messaging application from a vendor that has signed a business associate agreement (BAA) with your practice.
Behavioral health professionals working with iMessage must also take precautions. Unlike SMS, iMessage is end-to-end encrypted between Apple devices, but that alone does not make it HIPAA compliant, and it should not be used to share PHI. Apple does not sign BAAs for iMessage; when the recipient is not on an Apple device the message silently falls back to unencrypted SMS (the green bubble); and messages included in a standard iCloud backup can be read by Apple, and by anyone who compromises the account, unless Advanced Data Protection is enabled. There are also no practice-level access controls or audit logs, so you cannot show an auditor who sent or read what.
Finding a HIPAA compliant texting solution is the best way to protect yourself against HIPAA fines, all while expanding your behavioral health services. A compliant platform is one whose vendor signs a BAA, encrypts messages in transit and at rest, authenticates each user, keeps audit logs of who sent and read each message, and can remotely wipe a lost or stolen device. Texting provides a great option for reaching millennials and brand new audiences, making your services more available and accessible to patients across the country.
If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure. Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!