Did you know basic text messaging of Protected Health Information (PHI), including texting pictures of patients, is not HIPAA compliant? People sometimes think the main reason texting is not compliant is that texts are sent without any encryption. However, the biggest reason is that we cannot guarantee or prove who will be accessing this information.
HIPAA also mandates other technical safeguards when it comes to the electronic transmission of PHI. Here are some other reasons why text messaging is not compliant:
- Access to PHI should be limited to authorized users who require the information to do their jobs. With text messaging, we cannot guarantee who is accessing this information.
- A system should be implemented to monitor the activity of authorized users when accessing PHI. Cell phones do not provide the capability of logging all activity, especially when it comes to inappropriate access.
- Those with authorization to access PHI should authenticate their identities with a unique, centrally issued username and PIN. Personal cell phones can be set up so that no PIN is needed to access them, and, when a PIN is used, it does not indicate which user was using the phone.
- Policies and procedures should be introduced to prevent PHI from being inappropriately altered or destroyed based on regulations. Text messages can be altered or deleted, which prevents their retrieval.
- Data transmitted beyond an organization's internal firewall should be encrypted to make it unusable if it is intercepted in transit. Simple Messaging Services (SMS) is the normal text messaging service, and it transmits unencrypted, making it easy for others to gain access to this information.
It is very important not to use text messaging to discuss any patient care, especially when providing PHI or pictures of patients.
Reliant’s Use of E-mail and Text Messaging Policy (3.8) provides guidance to employees, contractors, volunteers, and trainees in proper use and safeguarding of electronic communications.