The Majority of SMS Messages Violate HIPAA
There is no specific rule under HIPAA that outlaws protected health information (PHI) being sent via SMS – “Short Message Service”. However, there are a number of criteria that must be met for the use of SMS to send PHI to be HIPAA compliant.
Many SMS messages violate HIPAA rules in one or more of several ways: the information is not encrypted; the message cannot be recalled if addressed to an incorrect number; and there is a risk of the message being captured over public Wi-Fi networks. While some of these problems can be overcome, the solutions are seldom put in place.
SMS messages are routinely backed up by service providers. This is an issue for HIPAA compliance, as is the unaccountable nature of SMS messages. PHI should never be included in a message sent via SMS. HIPAA rules on this topic also apply to instant messaging applications such as WhatsApp and iMessage, and to email.
What HIPAA Says About SMS, IMs, and Email
Email, SMS, and IMs are dealt with for the most part by the HIPAA Security Rule. This rule requires a number of technical features to be in place to protect information, for example user authorizations, access logs, audit records, data integrity protections, and data transmission safeguards. Required security protocols include:
Unique log-in IDs and passwords to access the system that manages or shares PHI. This allows activity and audit logs to be created.
All devices capable of connecting to the system must have a time-out feature to log out users following a period of inactivity. This minimizes the risk of unauthorized individuals accessing data through an idle device.
PHI sent from the system must be encrypted in transit so that any intercepted message would be “unreadable, undecipherable and unusable”.
These requirements already represent a serious barrier to using SMS, IMs, and email in compliance with HIPAA. While introducing access controls and requiring users to log into systems is not overly complicated, recording and supervising online activity and ensuring sessions are correctly closed represent a greater challenge.
Encryption also represents a hurdle to compliance. An encrypted message service for use by all different actors in the healthcare sector would need to be compatible with multiple operating systems and devices. It would also require a standard decryption key. Instead of solving this problem, certain electronic communications of PHI were accorded an exemption – specifically messages between medical professionals and their patients.
Overcoming HIPAA Regulations for SMS, IMs, and Email
HIPAA regulations concerning SMS, IMs, and email can cause further confusion as they may vary across organizations, subject to their size, the type of service provided, and the amount of PHI they deal with. A solution exists to bypass the uncertainty surrounding SMS, IMs, and email no matter the conditions of the organization involved – secure messaging.
Secure messaging solutions function in a similar fashion to SMS and IMs. They can be used for transmitting and receiving encrypted text messages and images, and for holding group chats. Compatible across devices and operating systems, they require a user to input a unique ID and password combination to access the service.
Security measures protect against unauthorized access through idle devices, and even prohibit copying and pasting PHI, storing PHI to an external hard drive, and transmitting PHI to third parties that are not members of the user network.
Access and behavior are recorded, time-out features are applied, and other settings protect the integrity of the data. Should a user’s device ever be misplaced or stolen, for example, administrators have the capability to remotely wipe PHI communications and block access to the secure app.
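The Security Rule controls listed earlier (unique log-in IDs with audit logs, an inactivity time-out, encryption in transit) and the secure-messaging features just described (restricting delivery to members of the user network, remote wipe and device blocking) map onto a small amount of server-side logic. The following is an added illustration written for this page, not code from any secure messaging vendor or from the page itself; the class, method and policy names (`MessagingService`, `remote_wipe`, `IDLE_TIMEOUT_SECONDS`) are assumptions, and the audit log deliberately records only metadata, never message bodies, so the log itself does not become a store of PHI.

```python
"""Minimal model of the HIPAA Security Rule controls discussed on this page.

Added illustration (assumed names throughout): per-user log-ins checked
against salted PBKDF2 hashes, an append-only audit log of access events,
an inactivity time-out, delivery restricted to registered users, remote
wipe/block for a lost device, and a TLS context for encryption in transit.
"""
import hashlib
import hmac
import os
import secrets
import ssl
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 300  # assumed policy value: log out after 5 minutes idle
PBKDF2_ROUNDS = 100_000     # assumed work factor for password hashing


@dataclass
class Session:
    user_id: str
    device_id: str
    last_activity: float


@dataclass
class MessagingService:
    users: dict = field(default_factory=dict)      # user_id -> (salt, password hash)
    sessions: dict = field(default_factory=dict)   # session token -> Session
    blocked_devices: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)  # metadata only, no message bodies
    messages: list = field(default_factory=list)   # (sender, recipient, body)

    def _audit(self, event, **details):
        self.audit_log.append({"ts": time.time(), "event": event, **details})

    def register(self, user_id, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user_id] = (salt, digest)
        self._audit("register", user_id=user_id)

    def login(self, user_id, password, device_id, now=None):
        """Unique ID + password; returns a session token or None. Every attempt is logged."""
        now = time.time() if now is None else now
        if device_id in self.blocked_devices:
            self._audit("login_denied_blocked_device", user_id=user_id, device_id=device_id)
            return None
        record = self.users.get(user_id)
        if record is None:
            self._audit("login_failed", user_id=user_id, device_id=device_id)
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):  # constant-time comparison
            self._audit("login_failed", user_id=user_id, device_id=device_id)
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, device_id, now)
        self._audit("login", user_id=user_id, device_id=device_id)
        return token

    def send_message(self, token, recipient, body, now=None):
        """Enforces the idle time-out and refuses delivery outside the user network."""
        now = time.time() if now is None else now
        session = self.sessions.get(token)
        if session is None:
            return False
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]  # idle session is closed, not silently reused
            self._audit("session_timed_out", user_id=session.user_id, device_id=session.device_id)
            return False
        session.last_activity = now
        if recipient not in self.users:
            self._audit("delivery_refused_external", user_id=session.user_id, recipient=recipient)
            return False
        self.messages.append((session.user_id, recipient, body))
        self._audit("message_sent", user_id=session.user_id, recipient=recipient)
        return True

    def remote_wipe(self, device_id):
        """Lost or stolen device: revoke its sessions and block further log-ins from it."""
        for token in [t for t, s in self.sessions.items() if s.device_id == device_id]:
            del self.sessions[token]
        self.blocked_devices.add(device_id)
        self._audit("remote_wipe", device_id=device_id)


def transport_context():
    """TLS context for the client side of the transport: certificate validation on, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

The `now` parameters exist so the time-out can be exercised deterministically; in a real deployment they would be omitted and the wall clock used. Encryption in transit is delegated to TLS rather than a hand-rolled scheme, which is also why the page's concern about a "standard decryption key" is usually solved by certificates rather than by sharing one key across organizations.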
The Benefits of Secure Messaging
Using secure messaging solutions in place of SMS, IMs, and email offers a number of benefits to healthcare organizations, not least of which is support for HIPAA compliance. The ability to communicate PHI instantly allows for a much more efficient flow of information between healthcare employees, and group chats can facilitate administrative tasks such as admissions or discharges.
Coupled with the use of Electronic Medical Records (EMRs), secure messaging solutions can speed up the process of updating notes and give doctors more time to consult with patients. A 2015 study from Carnegie Mellon University’s Tepper School of Business found that use of a secure messaging system reduced patient safety incidents by 27% and medication errors by 30%.