HIPAA Compliant Text Messaging – Best Practices and Policies

Use of text messages or short message service (SMS) has significantly increased as a communication tool in the health care environment. Health care providers are communicating by text with patients and with other health care providers. It is a fast, convenient way to communicate and collaborate. With the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act enforcement environment, it is important to be aware of the risks associated with texting and to develop the proper use of safeguards and policies to mitigate adverse legal consequences.

What Are the Compliance Regulations?

The HIPAA Security Rule requires organizations to address text messages as part of their comprehensive risk analysis and management strategy. Based on the risk analysis, the organization must determine the appropriate administrative, physical and technical controls to mitigate the risks of sending Electronic Protected Health Information (ePHI) via text messaging.

In order to determine the technical security measures necessary to comply with this standard, covered entities must review the current methods used to transmit ePHI. The covered entity must then identify the available and appropriate means to protect ePHI as it is transmitted, select appropriate solutions and document its decisions. The Security Rule allows for ePHI to be sent over an open, electronic network as long as it is adequately protected.

Another area of compliance impacted by texting is the HITECH requirements for breach notification. The HIPAA Final Rule states that “breach” is defined as the acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of such information. Devices used for texting, such as smartphones and tablets, may be lost or stolen, so the importance of ensuring HITECH compliance in the event of a breach is an area that must be reviewed in the context of text messages that may reside on the compromised device.

What Are the Risks?

  • Security: Texting medical orders may violate HIPAA if the system does not restrict access, protect its integrity and prevent unauthorized access to protected health information (PHI). Most text messaging systems do not include measures such as encrypting, sender/receiver authentication and are stored in unsecure servers. If a phone is lost or stolen, a password is decoded or the text is accidentally forwarded to a personal contact, PHI may be exposed.

  • Sender and receiver authentication: Text messages do not allow the recipient to verify the identity of the person sending the text which could lead to fraudulent orders. In addition, if the sender mistypes the receiver’s phone number, there is no way to verify the intended recipient or confirm that the message was received. If cellular service is not available, the message may not transmit.

  • Documentation: There is no mechanism to store the original message to validate what should be transcribed into the medical record.

  • Order clarity and completeness:

    • Abbreviations and acronyms are often used in text messages which can lead to miscommunication of orders;

    • Free texting and lack of drop-down menus can result in misspelling the drug or patient name leading to the wrong drug dispensed or wrong patient name entered;

    • Autocorrection on cell phones may result in incorrect entries;

    • Voice recognition technology may cause transcription errors in the text message.

  • No clinical decision support: Orders that are sent via text message bypass the clinical decision support and alerts provided by computerized prescriber order entry (CPOE) systems which often take into consideration the patient’s current medications, medical conditions, age, weight and allergies. Many CPOE systems also provide prompts to prevent incomplete orders from being entered.

  • Transcription errors: Texted orders must be transcribed manually by nurses or pharmacists into the patient’s electronic medical record which increases the risk of errors. In addition, a delay in order transcription could result in a delay in patient care.

  • Distractions from incoming texts or phone calls: Cell phones constantly receive simultaneous messages at once from multiple sources such as calls, texts, social media notifications, emails and other alerts which can be very distracting when attempting to compose a medical order via text.

What Are Some Best Practices?

Consider the following best practices to have in place before allowing text messages to be sent or received by providers who work in your organization:

  • Ensure all mobile devices are secure: The first priority must be to ensure the security of every device used to send and receive mobile text messages that contain PHI. Identify all the mobile devices that providers are using within the organization and how you are keeping track of them. Your health care organization should have a policy that either forbids the use of personal mobile devices for work-related reasons or which requires those mobile devices to be securely encrypted by your facility prior to being used for text messaging. Mobile encryption software is critical to reduce the risks associated with sending text messages on mobile devices, particularly when it comes to preventing unauthorized users from accessing a patient’s health care or financial information.

  • Establish texting policies: In addition to encryption standards, it’s important to set guidelines for the type of health care information that may be shared via secure text message, who should send and receive such texts, and on which mobile devices.

  • Educate staff about your texting policies: Because violations of secure text message policies or the inability to put the safeguards in place can compromise patient safety, it is important that all health care staff involved with sending or receiving text messages be trained on texting policies, the types of content used in text messages and how to ensure that text messages containing health care information are sent securely.

  • Use a third-party, HIPAA-proof, secure texting solution: Engage secure text messaging applications and technology that enables secure, encrypted communication between doctors, nurses and other health care providers. It should connect your organization with health care workers inside and outside of your facility – even if they aren’t part of your organization.

  • Establish a policy on whether to allow providers to text patients: Patients are unlikely to have encrypted mobile devices, so a text sent to a patient may not be secure based on the patient leaving the mobile device unattended. As a result, the text message could be viewed by someone other than the recipient, and the provider might unwittingly compromise the patient’s privacy.

  • Communicate your policy to patients: Whether or not patient communication is part of your texting policy, be sure to inform patients about how their health care information will be used. The texting policy can be part of the HIPAA acknowledgment that patients sign, and it is also the chance to let patients know that the health care provider takes patient security seriously and that only secure, encrypted text messages will be sent.

  • Ownership of messages: It’s important to make clear that all messages transmitted by employees of your health care organization are the property of your organization and not of the individual providers who are sending receiving the messages.

  • Segregate health care texting from personal texting: In health care environments, it can be a critical problem. Anyone can pick up a nurse’s phone and read his personal text messages. Healthcare-related text messages and communications have to be kept separate from personal messages.

  • Require special authorization and authentication for accessing messages: There’s no use keeping health care and personal messages in different places unless the health care messages are secured with strong authentication requirements. Users should be enrolled in their organization’s secure text messaging service through a personal invitation process, and their access to messages should be password-protected. These measures ensure that messages are read by the people they are sent to: not their friends, kids or colleagues. This is a key element of HIPAA’s Security Rule. (See DrFirst for more information)

What Does Your Policy Say?

The below are proposed policy considerations for text messaging. (See the CIO’s Guide to HIPAA Compliant Text Messaging).

Policy: Text Messaging

The scope of an effective policy pertaining to the use of text messaging must apply to the organization in its entirety, including all employees, physicians and affiliates. In addition, some third parties, including contractors and vendors, may be required to abide by parts of the policy if required by the organization through a Business Associate Agreement (BAA). Further, the policy must apply to the network, systems and applications that process, store or transmit ePHI or other sensitive information.

A policy for secure text messaging should include the following key statements, which establish the minimal requirements for the organization:

  • Text messages are electronic communications sent with a mobile device or computer system. Text messages can transmit photos, videos and written word formats of communication. If the content of such a message contains ePHI, then the text message must comply with HIPAA requirements.

  • All text messages containing ePHI must be sent in a secure, encrypted and approved format.

Policy Statement:

Users should not send text messages containing ePHI unless the text message is encrypted both in transit and at rest using an appropriate application. Additionally:

  • The text message must be communicated from the sending device, through the mobile provider or a software application to the recipient’s device in an encrypted manner.

  • The encrypted text message should not be decrypted and stored on the cellular provider’s systems in ways that can be accessed by unauthorized personnel.

  • If an employee wishes to send ePHI via text message to another employee, both the sender(s) and the receiver(s) must fulfill both the encryption requirements for the message in transit and at rest.

  • All users who wish to send or receive text messages containing ePHI must ensure that the IT-approved secure text application is approved by the IT department for such purpose. Specific requirements include:

    • The employee must submit their mobile device number with the help desk or the IT department to ensure that proper inventory is maintained of all mobile devices sending or receiving ePHI.

    • Mobile devices used to text ePHI must be properly sanitized upon retirement of the device. The IT department must securely wipe all mobile devices when they are returned. If an employee is using a personal device, they must contact the IT department to securely wipe the device prior to returning it to their cellular provider.

An effective policy for the use of secure text messaging should mandate that the following safeguards be implemented by employees sending and/or receiving messages:

  • The mobile device or secure texting application must be password protected; this feature must never be disabled.

  • The mobile device must be configured to lock automatically after a period of inactivity (not to exceed 5 minutes).

  • All text messages containing ePHI should be limited to the minimum information necessary for the permitted purpose. Multiple identifying factors (e.g., full name, date of birth, medical record number, social security number or condition specific information) should not be used.

The following seven guidelines must be followed when texting PHI. Ensure the accuracy of the information being texted by administering the following precautions:

  • Confirm the recipient of your text

  • Confirm delivery and receipt of the text. A confirmation receipt that the information was received is ideal.

  • Do not use shorthand or abbreviations

  • Review texts prior to sending to ensure accuracy. Beware of autocorrect functions.

  • Do not text patient orders

  • ALL text messages (or annotations of text messages) that are used for clinical-decision making are documented in the medical record

  • Delete all texts containing ePHI as soon as the information is no longer readily needed

Other policy statements to consider and adopt based on your organization’s compliance mandates, include:

  • Report all unencrypted text messages that are received or sent out that contain any ePHI immediately to the HIPAA Security Officer or the IT Department all text messages that are sent to the wrong intended individual to the HIPAA

    Security Officer or the IT Department

  • Every policy and procedure revision/replacement will be maintained for a minimum of six years from the date of its creation or when it was last in effect, whichever is later

  • Log-in audit information and logs relevant to security incidents must be retained for six years

Are You Ready?

There are clear roadmaps now for your organization to adopt texting policies and be in compliance with the application regulations. There are a multitude of potential benefits from a comprehensive messaging system and many companies that can assist with implementing a system with proper safeguards. With proper education and training, text messaging can provide access to health care and streamline the patient care process among other advantages. If you’d like guidance, please give me a call and meet with your organization and IT department to discuss the next steps to take to implement a messaging system.

NOTE: Please consider attending and/or sponsoring the 2019 Annual Conference of the American Assisted Living Nurses Association (AALNA). The event is July 18-19, 2019 in Milwaukee, Wisconsin. I have been blessed to serve as the legal advisor for many years and experience the AALNA optimize its goal to promote safe, effective and dignified nursing practice in assisted living. With more than one million older adults residing in assisted living communities and given the actual and potential increase in the nature and intensity of their health and personal care needs, the demand for licensed nurses in this domain is making assisted living one of the fastest growing segments in the nursing spectrum. Please visit www.alnursing.org for more information.

Rebecca Adelman is an entrepreneur, influencer, thought leader and founder of Adelman Law Firm, a Women’s Business Enterprise National Council (WBENC) certified Women Business Enterprise (WBE) established in 2001. For nearly 30 years, Rebecca has concentrated her practice in insurance defense and business litigation. The firm’s practice extends through the tri-states of Arkansas, Mississippi and Tennessee. Rebecca’s insurance defense practice includes representation of insurance companies and long‐term care providers and their insurers, both regionally and nationally. She also provides consulting services and educational programming to health care professionals and business associates. She has active practices in the areas of general liability, professional liability, premises, and employment law. She is a listed mediator serving all areas of business and healthcare litigation. Contact Rebecca at rebecca@adelmanfirm.com, and visit www.adelmanfirm.com and www.rebeccaadelman.com.

Rebecca Adelman