Does sending patient information via text violate HIPAA?

Texting has become people’s favorite way to communicate, both personally and for business. One study even found that 63 percent of individuals would choose to do business with companies that offer communication via text messages over those that don’t. 

Given the popularity of text messages, many healthcare organizations are debating whether they should use text messaging more. After all, texts are a quick, easy way to talk to customers and coworkers. However, there’s one concern holding organizations back from using texts: data safety.     

Text messages may feel private, but for a healthcare organization a channel that carries patient data has to do more than feel secure: it has to satisfy HIPAA's privacy and security requirements. Let's look at whether standard text messages (SMS) can meet that legal standard.

Is text messaging HIPAA-compliant?

Healthcare organizations may want to send text reminders to patients or let employees text each other, but is this HIPAA compliant? HIPAA doesn't mention text messages specifically, but the Security Rule sets requirements for any electronic transmission of protected health information (PHI), and a text that contains a patient's PHI is exactly that. So how do standard text messaging services measure up to those requirements?

When it comes to HIPAA's access-control requirements, texts fall short. HIPAA requires that systems handling PHI control who can access it. With SMS you choose the destination phone number and nothing more: the message passes through and is stored on carrier systems you don't control, it sits on the recipient's handset indefinitely, and anyone who can unlock that phone (or simply read a lock-screen preview) can read it.

Compounding the lack of access restrictions is the lack of an audit trail. Standard SMS gives you no record of who read a message, when, or whether it was forwarded. HIPAA's audit-control requirement exists precisely so that access to PHI can be reviewed, gaps found, and breaches detected.

Since you can neither restrict nor log who reads a text, a message could be exposed without you ever knowing. HIPAA expects you to have safeguards against exactly that, and a standard text messaging service gives you nowhere to add them.

Encryption is the standard defense against interception, and HIPAA's Security Rule treats encrypting PHI in transit and at rest as an addressable safeguard: covered entities are expected to implement it or document an equivalent alternative. SMS offers nothing comparable. Messages are not end-to-end encrypted, they are readable in plaintext by the carriers that relay and store them, and a standard messaging client gives you no way to add encryption yourself.

Using a standard text message service to transmit patient data is clearly not HIPAA compliant, and your organization could face serious legal consequences for doing so. However, not everything in a message is PHI. You can send certain information by text; you just need to know what HIPAA protects and what it doesn't. So what kind of data do you need to keep out of texts?

Is texting a patient name a HIPAA violation?

Image: A healthcare worker texting a colleague

HIPAA protects individually identifiable health information, meaning a patient's medical information together with anything that identifies them. The Privacy Rule's Safe Harbor standard lists 18 identifiers that make health data identifiable; a text that carries health information alongside any of them carries PHI and is a HIPAA-regulated transfer:

  • Names
  • Geographic subdivisions smaller than a state (street address, city, ZIP code)
  • Social Security numbers
  • Dates directly related to the patient other than the year (birth date, admission or discharge date, date of death)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

As this list shows, even texting another provider a patient's name in connection with their care falls under HIPAA's requirements. But many people have gotten into the habit of using texts for most of their communications. How can you avoid habits that will violate HIPAA?
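A practical backstop for the identifiers above is a pre-send check that scans an outbound message for the ones with a recognizable shape (SSNs, phone numbers, email addresses, IP addresses, URLs, dates, record numbers) and blocks or redacts it. The following Python is an added example written for this page, not Jotform's code or any HIPAA tool; the MRN format, the sample messages, and the function names are constructed assumptions. It deliberately shows the limit of the approach as well: names and free-text characteristics have no fixed shape, so a regex scanner can support a messaging policy but cannot replace one.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Patterns for the Safe Harbor identifiers that have a machine-recognizable shape.
# Names, addresses, and "any other identifying characteristic" have no fixed
# form and are NOT caught here; treat this scanner as a last line of defense.
# Ordered so that URLs are handled before the email pattern could match inside one.
PATTERNS = {
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # US phone numbers; digit look-arounds instead of \b so "(555) ..." still matches.
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    # Hypothetical medical record number format (assumed: "MRN" plus 6-8 digits).
    "mrn": re.compile(r"\bMRN[ #:-]*\d{6,8}\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str


def scan(message: str) -> list[Finding]:
    """Return every identifier-shaped fragment found, in pattern order."""
    findings: list[Finding] = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(message):
            findings.append(Finding(kind, match.group(0)))
    return findings


def redact(message: str) -> str:
    """Replace each recognized identifier with a placeholder such as [SSN]."""
    for kind, pattern in PATTERNS.items():
        message = pattern.sub(f"[{kind.upper()}]", message)
    return message


def check_outbound(message: str) -> tuple[bool, str]:
    """Gate for an SMS send path: (safe_to_send_over_sms, redacted_preview).

    A message with any finding should be routed to a secure channel instead.
    """
    return (not scan(message), redact(message))


# Constructed sample messages; no real patient data.
SAMPLE_MESSAGES = [
    "Reminder: your appointment is tomorrow at 10am. Reply STOP to opt out.",
    "Pt in bed 4, MRN 1234567, labs back, call me at (555) 123-4567",
    "Jane Doe DOB 03/14/1985, SSN 123-45-6789, results at https://portal.example/r/8812",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        ok, preview = check_outbound(msg)
        verdict = "OK for SMS" if ok else "BLOCK: " + ", ".join(f.kind for f in scan(msg))
        print(f"{verdict}\n  {preview}")
```

Note what the third message shows: the DOB, SSN and URL are caught and redacted, but "Jane Doe" survives, and with the words "DOB" and "results" around it the redacted text is still PHI. That is why the scanner belongs in front of a policy that keeps patient data off SMS entirely, not in place of one.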

How to get into the habit of HIPAA-compliant messaging

Sending text messages has become second nature for many people. However, the habits that work for personal communication don’t translate to legally regulated communications. Here are some basic ways you can get into the habit of HIPAA-compliant messaging:   

  • Don't send patient data to other medical professionals in unsecured text messages. Any PHI needs to go through a channel that provides access control, audit logging and encryption, such as your EHR's secure messaging or an encrypted email service whose provider has signed a business associate agreement.
  • Get permission from patients before you send their PHI by text. HHS guidance allows a covered entity to communicate with a patient over an unencrypted channel the patient has chosen, provided the patient has been warned of the risks and still prefers it; record that warning and the patient's choice so you can show it later.
  • Consider a HIPAA-compliant text messaging app. Standard SMS isn't HIPAA compliant, but specialized apps provide the access controls, audit logs and encryption HIPAA calls for, and their vendors will sign a business associate agreement.

By developing new messaging habits, you can keep patient data secure while still using text messaging. Ensuring that every channel you use to send PHI is secure is the first step to HIPAA compliance.

At JotForm, we can help you take your HIPAA compliance a step further. By using our HIPAA-compliant online forms, you can gather the patient information you need while still following legal requirements. Contact us today to learn more.

This article is originally published on Aug 17, 2020, and updated on Jul 05, 2021.
AUTHOR
Firm believer in personal data privacy in the age of information. Close follower of the new regulations concerning patient confidentiality & HIPAA. You can reach George through his contact form. The views stated herein are for discussion only, and are not intended to constitute medical advice or any other advice, procedures, or guidelines for diagnosing or treating any medical condition or for any aspect of the practice of medicine.
