Texting and emailing are how the majority of workers communicate, but in the health care industry it is important to understand how these communication methods can result in a violation of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The HIPAA Privacy Rule sets national standards for the protection of certain health information. The HIPAA Security Rule adds a national set of security standards for protecting that information when it is held or transferred in electronic form (electronic PHI, or ePHI).
Although there is no specific mention of SMS text messages in HIPAA, the rules do cover electronic communications and, therefore, apply to text messages. Whether texting is in violation of HIPAA depends on several factors: the content of the messages, to whom the messages are sent, and – in the case of texting patients – whether consent has been obtained to send information via an SMS network.
For example, there is nothing wrong with physicians using text messages to communicate with other healthcare professionals and care teams; however, texting becomes a violation of HIPAA Rules if the messages contain protected health information (PHI) for which the patient has not given consent. If personal identifiers are included in the messages without the patient's permission, along with any data that HIPAA classifies as PHI, the physician is likely violating HIPAA. Health information such as diagnoses, treatment information, medical test results, and prescription information is protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact details.
Under the HIPAA Security Rule, technical safeguards must be implemented to protect ePHI. These include access controls that prevent PHI from being viewed by unauthorized individuals; audit controls so that covered entities and regulators can verify that PHI is being communicated compliantly; integrity controls to ensure PHI has not been tampered with or altered; and transmission security controls to ensure PHI cannot be read if intercepted in transit. Covered entities include providers such as physicians, clinics, and nursing homes, as well as health plans and health care clearinghouses. Business associates (for example, third-party administrators that process claims) are not covered entities themselves, but since the HITECH Act they are directly liable for complying with the Security Rule.
Standard SMS text messaging provides none of these safeguards unless a dedicated solution is put in place. Messages sit unencrypted on the sender's and recipient's handsets and on the carrier's network, so if either party loses a device, an unauthorized individual could read them. There is no guarantee that the intended recipient will receive the message, no delivery record suitable for an audit trail, and no mechanism that confirms the identity of the sender or receiver of a message.
Secure text-messaging solutions for health care providers are available. According to the HIPAA Journal, these solutions incorporate the necessary controls to ensure ePHI cannot be accessed by unauthorized individuals. The platforms use end-to-end encryption so that messages cannot be read if intercepted in transit, monitor all communications on the network, and maintain an audit trail. In the event of loss or theft of a mobile device, the platforms allow all messages on that device to be wiped remotely. They also contain controls that prevent PHI from being copied and pasted into other apps.
Electronic communications, including email, are permitted, although once again HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of the data. Patient names and other PHI should not be included in the subject lines of emails, because that information is easily viewed by unauthorized individuals. The two common kinds of email encryption protect different things: transport encryption (TLS between mail servers) protects headers and body on the wire, but only hop by hop, so every relay in the path sees the full message in the clear and the next hop may not use TLS at all; end-to-end encryption (S/MIME or PGP) protects the body all the way to the recipient but leaves the headers, including the subject line and the "To" and "From" fields, unencrypted. Under either scheme the subject line should be treated as visible to third parties.
Patient names and other PHI should only be sent to individuals authorized to receive that information, so care must be taken to ensure the email is addressed correctly; address autocomplete and reply-all are frequent causes of misdirected mail. Sending an email containing PHI to an incorrect recipient is an unauthorized disclosure and a violation of HIPAA.
Encryption is an "addressable" specification under the Security Rule, so a covered entity may decide, after a documented risk assessment, that internal emails containing ePHI need not be encrypted, provided the messages are only sent via the internal email system and never leave the protection of the organization's network and firewall. Access controls must still be in place to prevent messages from being opened by individuals not authorized to receive the information. When emails containing PHI are sent outside the internal network there is considerable potential for PHI to be viewed by unauthorized individuals, so such messages should be encrypted. Emailing patients unencrypted is permitted provided consent to use email for PHI has been obtained from the patient in advance: the patient must be made aware of the risks of sending PHI via unencrypted email and must have authorized the use of such a potentially insecure method of communication.
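The three email safeguards above (no PHI in headers, correct and authorized recipients, encryption or documented patient consent for anything leaving the internal network) can be enforced as a pre-send gate. The following is an added example, not code from the original page or from HHS or the HIPAA Journal; the domain names, the consent list and the PHI regexes are constructed for illustration, and the patterns are heuristics rather than a complete PHI detector.

```python
import re
from email.message import EmailMessage

# Hypothetical policy data for the example. "Internal" domains are the
# organisation's own mail system; "approved external" domains are partners
# under a business associate agreement that may receive PHI if it is encrypted.
INTERNAL_DOMAINS = {"clinic.example"}
APPROVED_EXTERNAL_DOMAINS = {"billing-partner.example"}

# Heuristic patterns that commonly indicate PHI in free text (constructed).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),          # e.g. a birth date
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{4,}\b", re.IGNORECASE),  # medical record number
    "clinical": re.compile(
        r"\b(diagnos(is|ed)|lab results?|prescription|HIV|cancer)\b", re.IGNORECASE),
}


def find_phi(text):
    """Return the sorted names of PHI patterns that match in `text`."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def make_message(sender, to, subject, body):
    """Build a plain-text message; helper for tests and the demo below."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def check_outbound(msg, consented_patients=frozenset()):
    """Gate an outbound message against the email safeguards described above.

    consented_patients: addresses of patients who have authorised unencrypted
    email after being told the risks.  Returns a dict with `ok`, a list of
    `problems`, the `body_phi` hits and whether the body `needs_encryption`.
    """
    problems = []
    subject = str(msg.get("Subject", ""))
    recipients = [a.strip() for a in str(msg.get("To", "")).split(",") if a.strip()]

    # 1. Headers are visible to relays and to anyone who sees the mailbox
    #    listing even when the body is encrypted end-to-end: no PHI there.
    subject_hits = find_phi(subject)
    if subject_hits:
        problems.append("PHI-like content in Subject: " + ", ".join(subject_hits))

    # 2. Every recipient must be internal, an approved partner, or a patient
    #    who has consented; anything else is a potential misdirected disclosure.
    external_partner = False
    for addr in recipients:
        if addr.lower() in {c.lower() for c in consented_patients}:
            continue
        dom = domain_of(addr)
        if dom in INTERNAL_DOMAINS:
            continue
        if dom in APPROVED_EXTERNAL_DOMAINS:
            external_partner = True
            continue
        problems.append(f"recipient {addr} is not an authorised destination for PHI")

    # 3. PHI in the body that leaves the internal network must be encrypted
    #    (a consented patient has accepted the risk of unencrypted email).
    body_part = msg.get_body(preferencelist=("plain",))
    body_hits = find_phi(body_part.get_content()) if body_part is not None else []
    needs_encryption = external_partner and bool(body_hits)

    return {
        "ok": not problems,
        "problems": problems,
        "body_phi": body_hits,
        "needs_encryption": needs_encryption,
    }


if __name__ == "__main__":
    # Constructed sample: PHI in the subject line is rejected even internally.
    bad = make_message("nurse@clinic.example", "dr.lee@clinic.example",
                       "Lab results for MRN 104233", "See attached.")
    print(check_outbound(bad))
    # Constructed sample: PHI to an approved partner is allowed but must be encrypted.
    partner = make_message("billing@clinic.example", "claims@billing-partner.example",
                           "Claim batch 17", "Patient John Doe, SSN 123-45-6789, diagnosed with flu.")
    print(check_outbound(partner))
```

In practice this logic would sit in an outbound mail gateway or DLP rule where `needs_encryption` triggers S/MIME, PGP or a secure-portal delivery rather than just a flag; the point of the example is that the subject line is checked separately from the body because encryption never covers it.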
The penalties for HIPAA violations are severe. Under the tiers established by the HITECH Act, a willful violation of HIPAA Rules can attract a civil penalty of up to $50,000 per violation, with each day of a continuing violation counted separately, up to a maximum of $1.5 million per calendar year for violations of the same provision (HHS adjusts these figures for inflation). It is important for health care organizations to understand the rules and do what is required to protect patient information.
Manchester Specialty Programs provides agents and brokers with the ability to offer a totally integrated business insurance solution around the specific needs of Home Care, Allied Health and Human/Social Services organizations fundamental to communities. Included among our insurance solutions is Professional Liability insurance, which covers HIPAA, cyber liability and regulatory audit exposures – including proceedings, fines and penalties. For more information about our products, please contact us at 855.972.9399.
Sources: HHS, HIPAA Journal