HIPAA Social Media and Texting Guidelines

Last year, Deven McGraw of the Department of Health and Human Services’ Office for Civil Rights (OCR) spoke about 2017’s HIPAA guidance. In 2016, the Joint Commission revised its position by allowing the use of text messages for orders, but this was quickly banned again. Later that year, the Joint Commission again changed the ruling by permitting the use of secure text messaging platforms for communication between doctors; however, text messages, even over a HIPAA compliant platform, would still not be permitted.

The OCR is often asked how HIPAA rules apply to text messages, and McGraw gave assurances that further guidance was forthcoming.

Speaking with Information Security Group Media, McGraw went on to say, “there are a lot of questions whether covered entities can text with patients and whether employees within covered entities can text one another, or text covered entity to covered entity, covered entity to business associate, or covered entity to public health department”.

The OCR committed to clearing up how text messaging could be used among doctors, healthcare organizations, and patients, as well as when the use of text messages would violate HIPAA Rules.

2016 saw a number of accidental disclosures of protected health information (PHI) occur on social media. Some images and videos were even deliberately posted.

Even though most healthcare employees are aware of what is and is not compliant with HIPAA, the OCR promised specific guidance on the use of social media.

There will also be an update to the OCR’s FAQ section, which McGraw described as “horribly out of date”.

Other areas to be improved were transparency and the education of covered entities on what to expect from OCR investigators. Data breaches affecting 500 or more people are investigated by the OCR, but little is widely known about how these investigations are conducted.

OCR also said it would publish an “Anatomy of a Case,” a study of how OCR approaches an investigation and the procedures involved, to explain how civil monetary penalties (CMPs) are calculated and how settlements are reached using OCR’s internal criteria.