After the latest changes to Health Insurance Portability and Accountability Act 1996 (HIPAA), our physicians and health insurance companies have started communicating through text messages. But have you ever thought that “is texting using a mobile phone HIPAA Complaint?”
Is Mobile Texting HIPAA Complaint?
In simple words, HIPAA allows communicating through text messaging; if a Covered Entity tells a patient that there is a risk of unauthorized disclosure and gets the patient’s consent to text, it can do so. Both the consent and the warning must be properly documented.
This does not mean that text messages cannot be a HIPAA violation. There is a huge risk of getting PHI into unauthorized hands. For example, anyone with access to an unattended mobile phone can read its messages. Moreover, mobile phones can be lost or stolen, exposing PHI to unauthorized access and the information contained in the messages, which might be used to execute identity thefts and insurance fraud.
How to Keep Text Messages in Compliance with HIPAA?
The question arises here: Is the healthcare industry supposed to communicate with patients through messaging? The answer is, of course, because it is easy and quick. But certain protocols should be observed, like the massages must be encrypted (PIN or password or fingerprint etc.), automatic logoffs, unique user IDs, etc. Texting is inherently insecure and that needs to be mitigated and training should be provided to employees on the best security practices.
All the protocols mentioned above are impossible to achieve with standard mobile texts. Still, they can be achieved with text messaging apps such as Google Workspace Chat and Microsoft 365 business-standard. But you will have to sign a proper BAA with office365 to transmit, store and maintain PHI.
Additionally, different service providers offer a go-to solution in the form of HIPAA Compliant text messaging apps that are encrypted, have access and audit controls such as Zinc, TigerText, etc.
Cybesion is a Managed IT Security Service Provider, namely providing business grade cyber security protection.