Texting & HIPAA

Does Texting Violate HIPAA?

Not exactly. That’s the opinion published by HIPAA Journal. Whether HIPAA is implicated depends on the content of the text message, who the text message is being sent to, and the mechanisms put in place to ensure the integrity of Protected Health Information (PHI).

Misunderstandings arise because HIPAA Privacy and Security Rules are dense and open to interpretation. Moreover, the rules do not mention texting per se, but they do lay down certain conditions that apply to electronic communications in the healthcare industry.

When is HIPAA-compliant texting okay?

Texting can be compliant when:

  1. Your text does not include “personal identifiers”;
  2. You are a doctor sending a message that complies with the “minimum necessary standard” and you have warned your patients of the risks inherent in communicating personal information over an unencrypted channel; and
  3. You have mechanisms in place to comply with the technical safeguards of the HIPAA Security Rule.

Key, of course, as any compliance professional in any industry will tell you, is to have appropriate policies and procedures in place. Standard “Short Message Service” (SMS) and “Instant Messaging” (IM) text messages, the Journal notes, often fail on all these counts. Senders of SMS and IM text messages, the Journal reports, have no control over the final destination of their messages. They could be sent to the wrong number, forwarded by the intended recipient to somebody else, or intercepted while in transit. Copies of SMS and IM messages also remain on service providers’ servers indefinitely, with no means of remotely retracting or deleting them.

How texting creates problems for healthcare organizations

Many healthcare (and financial) organizations have implemented BYOD (bring your own device) policies. With an estimated 80% of medical professionals now using personal mobile devices, there is a considerable risk of PHI being accessed by unauthorized personnel. Most messaging apps on mobile devices have no log-in or log-off requirements – so do not comply with the technical safeguards for HIPAA texting – and, if a mobile device is lost or stolen, there is a significant risk that messages containing PHI could be released into the public domain.

HIPAA breaches can lead to hefty fines

According to the Journal’s report, fines for a single breach of HIPAA can be as much as $50,000 per day the vulnerability is noted and not addressed.

Add to that potential civil charges from patients whose data has been exposed if the breach results in identity theft or other fraud.

Penalties per violation per year

Tier                              Minimum     Maximum
Did Not Know                      $100        $50,000
Reasonable Cause                  $1,000      $50,000
Willful Neglect – Corrected       $10,000     $50,000
Willful Neglect – Not Corrected   $50,000     $1,500,000

Compliant text processes + record archiving matters

Given the potential for costly exposures, healthcare compliance and risk management teams (just like their financial services compatriots) must have a clear plan to minimize exposure and maximize compliance – with an eye towards positioning their organizations in a more favorable light when the prosecutors come calling (and they will!).

Regardless of industry, no one is immune from oversight and regulatory compliance. However, a well-run compliance system can spot irregularities and give an attentive compliance team a chance to nip exposures before they get out of hand. That’s where Patrina can help. We’ve built our business based on helping organizations stay on the “straight and narrow” efficiently and cost-effectively. So, let’s talk. Call 212-233-1155 to ask about Patrina’s cost-effective designated third-party services, our comprehensive 8-module compliance solution, and compliant data capture, file storage, and records archiving specifically designed for the healthcare, insurance, and financial services community. Be smart. Be covered. Let’s talk.