Like many telehealth practitioners in the digital age, you may be asking yourself “Is texting HIPAA compliant?” The answer is a bit tricky.
Text messaging–SMS texting or MMS texting–presents an easy to use option for communicating with patients that may seem enticing for many telebehavioral health practitioners. However, HIPAA regulation sets specific security standards for the use of texting and patient communications that must be adhered to in order to protect your behavioral health practice from data breaches and HIPAA fines.
HIPAA Compliant Texting
Under HIPAA regulation, behavioral and telebehavioral health professionals are considered covered entities because they deal with the direct treatment of patients. Covered entities are required to have security safeguards in place to protect their patients’ protected health information (PHI). PHI is any demographic information that can be used to identify a patient, including name, address, phone number, email, Social Security number, insurance ID number, and any part of a patient’s medical record, to name a few.
HIPAA regulation states that any patient communications that involve the electronic transmission of PHI must be properly protected with technical safeguards, specifically laid out in the HIPAA Security Rule. That includes text messaging. The HIPAA Security Rule states that any “data in motion” must be properly encrypted. Specifically, the regulation requires “end-to-end” encryption (E2E encryption). E2E encryption ensures that the telebehavioral health practitioner who sends the data and the patient who is the intended recipient are the only two parties who can actually access the data being sent.
The reason why HIPAA encryption over text is so important is because malicious third party hackers can access data that is sent via a non-encrypted text. If you are texting sensitive PHI to your patients without encryption, that could pose a serious risk to your patients’ privacy, and potential data breaches for your practice.
Texting on Android phone via regular SMS is not encrypted, and therefore not HIPAA compliant. Provider may not use Android phones to text sensitive information.
Behavioral health professionals working with iMessage must also take precautions. iMessage is not HIPAA compliant texting and cannot be used to share PHI. That’s because the information that is sent via iMessage is stored on Apple servers for an indefinite period of time. Because that data is potentially accessible by Apple and by hackers who may access Apple servers in the event of a data breach, health care providers may be putting patients’ data at risk by using iMessage.
Finding a solution for HIPAA compliant texting is the best way to protect yourself against HIPAA fines, all while expanding your behavioral health services. HIPAA compliant texting provides a great option for reaching millennials and brand new audiences, making your services more available and accessible to patients across the country.