Is text messaging HIPAA compliant? It seems no one can answer this question, not even HHS. Why is this seemingly simple question about HIPAA text messaging so difficult to answer?
In order for the use of a specific technology to be “HIPAA compliant”, we must consider the two rules of HIPAA. The Privacy Rule applies to individually identifiable health information in all forms, whether oral, paper or electronic. The Security Rule applies when that information is electronic, as is the case with texting.
Before going any further, let’s be clear that texting is a supported communication channel for driving healthy behaviors. This channel is even utilized by HHS under the mHealth initiative through Text4Health projects such as maternal and child care, tobacco control and diabetes education.
If HHS is itself using text messaging, then why do organizations still ask whether or not texting is HIPAA compliant? Perhaps it is not the right question to ask. Compliance is not achieved through the communication channel but through how the channel is used. How you decide to use the texting channel will determine whether or not your organization is in compliance with HIPAA privacy and security.
A study published in the American Journal of Public Health (AJPH) by Hilary N. Karasz, PhD, Amy Eiden, JD, and Sharon Bogan, MPH, titled “Text Messaging to Communicate With Public Health Audiences: How the HIPAA Security Rule Affects Practice” looked at whether text messaging could be used effectively for public health purposes while remaining compliant with the HIPAA Security Rule. The study concluded that “Text messaging to send health information can be implemented in a public health setting through 2 possible approaches: 1) restructuring text messages to remove personal health information and 2) retaining limited personal health information in the message but conducting a risk analysis and satisfying other requirements to meet the HIPAA Security Rule.”
Don’t let uncertainty about compliance stop your organization from utilizing a proven communication channel. Take these steps to get clarity on how the channel will be used in a compliant manner:
- Decide on the types of messages to be delivered, such as appointment reminders, balance notifications, adherence reminders, etc.
- For each message type, draft one text message that includes PHI and one that does not. Evaluate the effectiveness of each (see the AJPH study for an evaluation method) to determine whether or not PHI is needed in the message. The Security Rule does not apply to a message that contains no PHI.
- Conduct a risk analysis on the use of the texting channel for each message type that includes PHI. Make an informed decision on whether or not you will utilize this channel for messages containing PHI.
- Develop a policy that covers the privacy and security requirements that apply to the use of the texting channel. This policy should also list the approved message types and their content.
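As an added example (not from the original article or the AJPH study), the following Python models the two approaches above for an SMS channel: each message type carries a PHI-free variant and a PHI-bearing variant, a small audit confirms the PHI-free variants really contain no PHI placeholders, and a per-type approval table (standing in for the outcome of the risk analysis and policy) decides whether the PHI variant may be sent. The message types, placeholder names, templates and approval values are constructed for illustration.

```python
import re

# Placeholders that, once filled in, make an SMS carry PHI (a HIPAA identifier
# together with health or billing detail). Constructed list; align it with
# your own risk analysis.
PHI_FIELDS = {"name", "dob", "mrn", "provider", "diagnosis", "medication", "balance"}

# Two drafts per message type, as the second step above recommends.
TEMPLATES = {
    "appointment": {
        "no_phi": "Reminder: you have an appointment tomorrow. Questions? Call {clinic_phone}.",
        "phi": "{name}, see Dr. {provider} tomorrow at {time} about your {diagnosis}.",
    },
    "balance": {
        "no_phi": "A new statement is available. Log in at {portal_url} to view it.",
        "phi": "{name}, your balance of ${balance} is due. Pay at {portal_url}.",
    },
    "adherence": {
        "no_phi": "Friendly reminder to take your medication today.",
        "phi": "{name}, remember your {medication} dose today.",
    },
}

# Constructed policy table: True means the risk analysis accepted PHI over SMS
# for that message type, with the Security Rule safeguards in place.
PHI_APPROVED = {"appointment": False, "balance": False, "adherence": True}


def placeholders(template):
    """Return the set of {placeholder} names used by a template."""
    return set(re.findall(r"\{(\w+)\}", template))


def contains_phi(template):
    """True if filling the template would put PHI into the message body."""
    return bool(placeholders(template) & PHI_FIELDS)


def audit_templates():
    """List (type, variant) pairs whose 'no_phi' draft still references PHI."""
    return [(t, v) for t, d in TEMPLATES.items() for v, tmpl in d.items()
            if v == "no_phi" and contains_phi(tmpl)]


def send_allowed(msg_type, want_phi):
    """Apply the policy: PHI-free drafts always pass; PHI drafts need approval."""
    tmpl = TEMPLATES[msg_type]["phi" if want_phi else "no_phi"]
    return not contains_phi(tmpl) or PHI_APPROVED[msg_type]


def compose(msg_type, fields, want_phi=False):
    """Render the chosen draft, refusing PHI variants the policy has not approved."""
    if not send_allowed(msg_type, want_phi):
        raise PermissionError(f"PHI over SMS not approved for {msg_type}")
    return TEMPLATES[msg_type]["phi" if want_phi else "no_phi"].format(**fields)
```

Run `audit_templates()` as part of template review so a PHI placeholder cannot slip into a draft that is supposed to sit outside the Security Rule.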