HIPAA Compliant Texting: Everything You Need To Know

The minimum fine for violating the HIPAA regulations for text messages is $10,000 for willful neglect of regulations – even if the organization corrects the problem.

Can your practice afford the fines for non-compliance?

This article will give you three things:

  1. An overview of HIPAA Compliant text Messaging
  2. Two reasons to use secure messaging
  3. Some ideas for a communication platform for your organization

Let’s get started by covering the basics of HIPAA compliance for text messaging.

The Two Main Parts of HIPAA Compliance: Security and Privacy

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) created a national set of guidelines to protect patients. Healthcare organizations in the USA must comply with these regulations in all matters concerning patient data.

For this article, we will only focus on text messages. The HIPAA guidelines do not specify what a secure text messaging platform is, or what makes a HIPAA compliant text app. Instead, they provide guidelines for patient data security and privacy across all forms of communication.

To help you, let’s review the major parts of the security and privacy rules.

HIPAA Guidelines for Security

The US Dept. of Health and Human Services (HHS) states the purpose of the security rule very clearly on their website:

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

So, here are the four key things every healthcare provider and professional must do to be HIPAA compliant with their text messages:

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated, impermissible uses or disclosures.
  • Ensure compliance by their workforce.

HIPAA compliant messaging for you and your organization means you must be able to send secure messages, protect against threats to security, prevent unauthorized access, and ensure all members of your workforce use secure messaging procedures.

Privacy Requirements to Be HIPAA Compliant

The Privacy Rule is equally important, but has slightly less relevance to HIPAA compliant chat apps and messaging apps. Here is how the HHS describes the purpose of the privacy rule:

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.

The focus is on the decision to share patient information rather than on the security of the platform used to communicate. However, there is one specific clause that relates to messaging apps:

For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.

Any app or platform used for secure messaging must give your organization the ability to set user access permissions for sending, receiving, and viewing messages so that unauthorized disclosure of patient information does not occur.

Most Consumer Messaging Apps are NOT Acceptable for Protected Health Information

Most text messaging apps and chat apps are not HIPAA compliant because they do not provide the functions needed to secure and control patient information.

Here are some examples of consumer-grade apps and why they fail to achieve HIPAA compliance:

  • Zoom is a popular video conferencing app. While video is a great communication tool with many healthcare applications, Zoom was not built for HIPAA compliance. Video calls do not have end-to-end encryption and access to the tools needed to make Zoom HIPAA compliant begins at $2,500 per year.
  • WhatsApp is not HIPAA compliant, either. It is the 3rd most popular messaging solution in the US for consumers, but lacks the security features to control access to patient information.
  • Facebook Messenger is the most popular messaging solution for individuals. However, it is not HIPAA compliant because it contains no security features for access control, message history, and could allow unauthorized persons to access PHI.

So, consumer apps fail because they don’t provide security on a specific device, allow messages to be sent to the wrong person, and do not provide a system for authorized users and access level permissions.

What is HIPAA compliant texting?

There are two ways to be HIPAA compliant with your messaging. The first is to use a secure messaging solution built for healthcare providers. The second is to put training and systems in place to ensure every person in your practice follows the HIPAA guidelines to send secure text messages.

Obviously, the first option is far easier than the second. Let’s talk about why you should choose the first option.

Secure Messaging that Meets the Security and Privacy Rules for Medical Professionals

When you choose a secure messaging solution, the tools you need for HIPAA should be in place. Here are the basic requirements:

  1. Secure text messaging based on encryption of data while it is being stored and being sent. 
  2. Protection of patient information by restricting access to only the intended recipient and authorized users.
  3. Prevention of unauthorized access by deploying secure data storage measures.
  4. Availability of records of sent messages and historic chats for auditing and compliance.

A healthcare messaging platform should do these things for you as a basic level of functionality. Anything less is unlikely to be compliant with the HIPAA guidelines.

Text Messages that do NOT Contain Patient Data and Avoid the Need for Security and Privacy

It is possible to send text messages that meet the HIPAA requirements without using a secure messaging app. Organizations can do this by simply removing the information about the patient and/or treatment from the message.

For example, here is how you can send messages that achieve HIPAA intent:

  • Send appointment reminders that only contain generic information, such as “This message is being sent to remind you of your appointment today at 11:30. If you cannot make your appointment, please call the office to reschedule.”
  • Obtain written permission from your patient to send and receive messages about their care. Even with this permission, someone should still remove identifiable health information from most messages because it may not be possible to verify the identity of the person using the messaging app.

So, meeting the HIPAA requirements for sending text messages may be possible without a dedicated solution, but it is restrictive and risky to rely on this method for many forms of communication.

What is a HIPAA compliant texting app?

Basically, HIPAA compliant apps and software must meet the security and privacy requirements automatically and by default. It’s possible for healthcare organizations to create internal regulations and be compliant with HIPAA regulations manually, but this is a lot of effort and vastly increases the risk of a mistake.

A HIPAA compliant texting app will make security and privacy much easier by providing automated controls.

Here are the three main ways HIPAA compliant texting apps meet the requirements.

Provides Secure Texting for Mobile Devices Automatically

A HIPAA compliant platform sends and receives messages securely. This means the sender and recipient have their identities verified and the data is encrypted before, during, and after sending.

Stores Electronic Protected Health Information Securely

Data storage is a big vulnerability for many systems. Where is your data stored? If it is stored somewhere off your premises, out of your control, how can you guarantee its security?

A secure messaging platform will store your data securely, preferably on your own premises.

HIPAA Compliant Applications Help Maintain Compliance

Now, organizations must go beyond the individual sender or message. According to HIPAA requirements, every healthcare practice must ensure compliance by providing the right system, training for staff, and through ongoing risk assessment.