As a 24-hour medical answering service, we deal with a lot of hospitals and medical offices, and many of them use text messages to communicate because of how quick and convenient it is. This absolutely allows these doctors and their staff to provide better service to their patients, but at what risk to the medical office? HIPAA privacy rules are strict and strictly enforced, and no one wants to be out of compliance. So, what is a medical office to do in order to provide a fast and easy flow of information while protecting the privacy of their patients and not running afoul of the law?
What Does HIPAA Say About Text Messaging?
Text messages are considered electronic communications, which means that they fall under the scope of the HIPAA regulations. If any text message contains protected health information, then the message must comply with all HIPAA guidelines, and the responsibility falls upon the sender to make sure that it does. Unfortunately, we still think of text messages as short communications that cannot possibly contain very much information. However, with the prevalence of smartphones, text messages can now be much longer and can contain pictures or videos. If even one piece of private information is included (even if it is only an appointment schedule), that message is considered to contain protected health information.
Is Standard Text Messaging not HIPAA Compliant?
The rules for sending a HIPAA-compliant text message between staff members state that:
- Each staff member must configure and lock down their devices appropriately
- The text message must be encrypted through the entire transmission process – from the sending device, through the mobile provider and to the device of the recipient.
- The text message cannot be decrypted and stored in any third-party system (including the cellular carrier) in any way that would let an unauthorized individual gain access to the information.
- The medical office or healthcare provider has to have a Business Associate Agreement in place with any vendor that has access to any protected health information.
That Sounds Simple Enough… So What’s The Problem?
The trouble with this is that cellular providers (such as Verizon or AT&T) will not sign a HIPAA Business Associate Agreement with your organization. This means that you cannot know for sure that messages travel securely from one of your staff members to another without being read or archived by an unauthorized individual. With all of the anti-terrorism investigations, there is not even a guarantee that your text messages will be transmitted securely. And, even though this is out of your control, it still puts you out of HIPAA compliance.
So, Are Text Messages Not A Possibility?
Unfortunately, this does mean that you should not use regular text messaging or any of the regular messaging apps. They are not designed to be HIPAA compliant, and it is not worth the risk to use something not designed to protect patients’ data. Fortunately, there are options that will allow you to send information quickly, easily, and securely.
One simple way to get around this is to use secure email and make sure that your staff have push email enabled so that notifications arrive very quickly. Though not quite as easy as text messaging, this is one option that can keep you compliant.
Our favorite solution is to use a specialized HIPAA-compliant messaging app. We recommend and have partnered with MiSecure Messages. Our medical answering service clients say that it is incredibly quick and easy to use, and just as importantly, it is HIPAA and HITECH compliant. No wondering whether you are covered: you can know for sure that your communications are HIPAA compliant and that your patients’ information is secure. Give us a call at 888-528-5678 and we will talk you through how MiSecure Messaging works and how we can get you set up.