What is HIPAA Compliant Texting?

Text messaging is a mainstay among the general public, and it’s now gaining ground among healthcare providers as a more efficient method of communication among colleagues than the pagers of old – or spending valuable time on hold waiting to reach another provider about an urgent care matter. But ordinary text messaging tools aren’t sufficient to meet strict regulations requiring providers to maintain patient privacy and secure personal health information. HIPAA-compliant texting has emerged as a solution to enable healthcare providers to leverage modern communication tools without sacrificing patient security.

Definition of HIPAA Compliant Texting

HIPAA compliant texting refers to the use of messaging applications or tools that meet the requirements set forth by HIPAA regarding the safety and security of protected health information (PHI). HIPAA’s requirements include encryption, authentication, and security protocols. However, even if a tool is designed to meet HIPAA standards, the ultimate responsibility for compliance falls on the user, meaning that users must still keep privacy and security in mind when sending or receiving information via text messaging.

Benefits of HIPAA Compliant Texting

Several studies have found a growing prevalence in the use of text messaging to communicate both routine and urgent patient-related information with colleagues. One study published in Surgical Innovation in June 2018 surveyed 62 academic staff surgeons to determine their communication preferences for urgent and routine patient information. Email was found to be the preferred method of communication with other staff surgeons for routine patient information (54.9%), but 62.7% preferred texting to communicate with trainees. Participants cited several reasons for their preference for texting:

  • Fast (65.4%)
  • Convenient (69.2%)
  • Allows the transmission of information to multiple recipients simultaneously (63.5%)

The majority of respondents said they feel that texting enhances patient care (71.5%), while around half said they believe it enhances educational experiences for trainees.

Other benefits of HIPAA compliant texting include:

  • A faster communication cycle
  • The use of delivery notifications and read receipts to boost accountability
  • Better collaboration, which can aid in speeding admissions and discharges, as well as the overall delivery of care
  • When integrated with EHR, HIPAA compliant texting can be used to provide EMR alerts, reduce medication errors, and decrease the incidence of other patient safety incidents

Challenges of Text Messaging in Healthcare

Notably, the majority of respondents in the study reported in Surgical Innovation said they believe that texting identifiable patient information is a breach of patient confidentiality.

Another study, published in the June 2016 issue of Surgical Innovation, found that 66% of general surgery residents surveyed at a large Canadian medical school did not know if their hospital had a texting-related policy. All of the residents responding to this survey reported using texting for patient-related communication; in fact, texting was the most common method (41%) residents reported using to communicate routine patient-related information with staff physicians. However, 11% did not have a password on their device, and most (89%) did not have encrypted devices.

With ordinary text messaging, data is not typically encrypted, and there is no definitive way to ensure that text messages aren’t sent to the wrong number. In the healthcare setting, sending a message containing PHI to the wrong number means violating a patient’s privacy. Plus, text messages are typically stored on the service provider’s server, and there’s also the possibility of a lost or stolen mobile device that contains PHI. The benefits of text messaging in enhancing patient care, coupled with these challenges and the lack of knowledge among providers regarding regulations and policies, create a clear and pressing need for HIPAA compliant messaging tools.

Best Practices for HIPAA Compliant Texting

HIPAA does not explicitly prohibit the communication of PHI via text messaging, but HIPAA rules do mandate that adequate administrative, technical, and physical safeguards must be in place to ensure the security of PHI while in transit.

The Department of Health and Human Services offers guidance for physicians and other healthcare professionals on the use of mobile devices for communication methods such as text messaging:

  • Secure mobile devices with password protection
  • Install and enable encryption
  • Activate (or install) remote wiping or remote disabling services
  • Do not install or use file sharing applications (and disable any existing file sharing applications)
  • Install and enable a firewall as well as mobile security software
  • Keep your security applications up-to-date
  • Thoroughly research mobile applications before downloading
  • Maintain physical control of your device at all times
  • Avoid sending or receiving health-related information over public Wi-Fi networks (and use adequate security measures if you must)
  • Ensure that all health-related information is deleted before discarding or reusing the mobile device

Implementing a secure messaging system is the first step for healthcare organizations that want to make HIPAA compliant texting possible for providers. A HIPAA compliant messaging system should:

  • Encrypt all messages
  • Ensure that messages can only be sent to colleagues within the covered entity’s communication network
  • Archive messages on a separate, secure server
  • Allow for the implementation of remote retraction or deletion of messages for lost or stolen devices

Additionally, monitoring all user activity can help to ensure that providers are following messaging policies and best practices.

Healthcare organizations with providers utilizing text messaging to communicate patient-related information should not only utilize a HIPAA compliant text messaging application, but also develop comprehensive training programs to ensure that providers understand the internal policies, best practices, and essential safeguards when communicating patient-related information with colleagues.