Text messaging allows healthcare providers to deliver simple, relevant, and customizable health information instantaneously to their patients, like reminders to obtain a vaccine, take a medication or come to an important follow-up appointment. Text paging, a form of text messaging frequently used by healthcare professionals, can help ensure patient safety by allowing practitioners to quickly exchange important patient treatment information in a hospital or clinical setting. But is this kind of health-related text messaging permissible under HIPAA?
According to a recently published report in the American Journal of Public Health, text messages containing protected health information (PHI) would be impermissible under the HIPAA Security Rule (Security Rule) unless the covered entity either removed PHI from the message or complied with the Security Rule's administrative, physical and technical safeguard requirements. As both options could limit the usefulness and expansion of health-related text messaging, the study recommends the federal government take steps to clarify how covered entities "can reasonably use text messaging to send [PHI]" and cautions that "[u]ntil guidance is available and regulations are better defined, many [covered entities] will lose the opportunity to use this technology in the most effective way."
Application of the Security Rule
The HIPAA Security Rule applies to PHI that is transmitted by "electronic media," which includes "transmission media" used to exchange data that already exists in electronic form. Unlike the transmission of PHI via telephone or facsimile, text messaging and text paging involve data that exists in electronic form prior to transmission and therefore could qualify as "electronic media" protected under the Security Rule.
Excluding PHI From Text Messaging and Text Paging
One way covered entities could address the Security Rule would be to avoid it altogether by excluding PHI from a text message. However, given the broad definition of PHI (which includes information in any form or media, whether electronic, paper, or oral that could be used to identify an individual and that "relates to" the provision of healthcare to that individual), excluding it from a text message altogether could diminish the message's usefulness. Moreover, excluding PHI from a text page could cause confusion and lead to medical errors.
Complying With the Security Rule
If a covered entity wishes to include PHI in text messages or text pages, it must comply with the Security Rule, which requires covered entities to conduct a risk analysis to assess potential vulnerabilities to the confidentiality of electronic PHI and to implement measures to protect the security of electronically transmitted PHI. Before implementing some Security Rule protections, covered entities first must evaluate whether the measure is reasonable and appropriate and, if necessary, implement alternative measures equivalent to the Security Rule's protection prior to transmitting PHI electronically.
The primary risk most covered entities face when seeking to employ text messaging and text paging is the risk that the PHI in the message could fall into the wrong hands. Much of this risk is outside the covered entity's control, as the entity has few options once the text message has been transmitted over wireless networks and cannot always ensure that the message reaches and is safeguarded by its intended end user. One Security Rule protection that could mitigate such risks is the use of encryption technology. However, due to the current state of technology, encrypting text messages or text pages may not be reasonable and appropriate for all covered entities. Thus, covered entities may need to implement alternative measures equivalent to encryption in order to comply with the Security Rule, including policies and procedures specifically related to text messaging and text paging, best practices, and workforce education.
Covered entities seeking to employ text messaging or text paging that includes PHI should consider the following recommendations:
Focus on educating practitioners and patients as to the risks of text messaging and text paging as well as how to mitigate these risks;
Limit the number of workforce members authorized to use text messaging or text paging, and provide enhanced training for these individuals;
Ensure policies and procedures pertaining to use and disclosure of PHI generally (Minimum Necessary Rule, Access Control, Audit Control; etc.) are widely disseminated and well understood;
Implement password protection and encryption where possible and urge outside end users to employ similar protections;
Develop and implement administrative policies regarding retired device sanitization, message retention schedules, and message format and style conventions; and
Document all phases of decision making regarding text messaging and text paging, including the decision to adopt alternative equivalent protections under the Security Rule.
While text messaging and text paging may allow for quick and reliable communication, especially in the clinical setting, covered entities must reconcile these benefits with HIPAA's privacy protections.