
Is Text Messaging Patient Information HIPAA Compliant?

Written by Arianna Etemadieh, Inbound Marketing Specialist at Paubox

Given how useful smartphones are, it’s no surprise that many people rely on them. Whether it’s for checking email, running a quick search or actually making a phone call, smartphones are in use more often than not.

With that said, wouldn’t it be convenient to get answers from your doctors via text?

Unfortunately, there are a few reasons that doesn’t happen, chiefly the need to keep your personal health information (PHI) in compliance with HIPAA.

But is there any exception to texting PHI? As it turns out, there is.

There are certain circumstances where texting healthcare information is allowed. These circumstances were first outlined in a December 18 report from the Health Care Compliance Association (HCCA).

However, the HCCA’s initial report led to some concerns about the Centers for Medicare & Medicaid Services’ (CMS) policy. This led to the CMS issuing a memorandum on December 28, 2017 to clarify its position on text messaging healthcare information.

In summary, only members of a healthcare team are allowed to communicate patient information through text messaging using a secure, encrypted HIPAA compliant messaging platform like OnPage. But physicians and other authorized healthcare providers cannot text patient orders.

As a result, according to the CMS, your physician cannot text you your treatment plan. If they do, they will have committed a HIPAA violation.

Texting orders is prohibited because it fails to comply with the CMS’ Conditions of Participation (CoPs) and Conditions for Coverage (CfCs), which require health care organizations to maintain complete medical records and keep them properly filed for five years. A complete medical record includes all notes from nurses and healthcare practitioners.

Beyond clarifying their text messaging policy, the CMS memorandum also noted that a computerized provider order entry (CPOE) is the preferred method for provider order entry. These policies, and their clarifications, are effective immediately.

In a statement to state survey agency directors, CMS Survey and Certification Group Director David R. Wright wrote, “In order to be compliant with the [Conditions of Participation (CoPs)] or [Conditions for Coverage (CfCs)], all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs.

It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.”

Concerning the use of texting in healthcare, Wright added, “CMS recognizes that the use of texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members.”

Again, per statements from the CMS, one healthcare provider cannot simply send a text message from their phone to another healthcare provider and assume they are being HIPAA compliant. The messaging platforms they use must be encrypted and HIPAA compliant.

Standard text messaging services typically do not meet the security standards enforced by HIPAA. This is because the messages sent and received are stored by the service provider. Furthermore, the messages can be intercepted or illegally accessed by unauthorized users if a mobile device is lost or stolen.

For example, while Apple protects messages sent in iMessage with end-to-end encryption, if users back up their devices to iCloud, iCloud will store all of their messaging content. Not only can Apple access the iCloud contents if legally required to do so (as stated in their Terms and Conditions), but hackers can gain illegal access as well.

As a result, if healthcare providers want to be able to text message patient information, they must find a HIPAA compliant messaging service to secure their messages.

However, healthcare organizations need tools in addition to HIPAA compliant messaging. Healthcare providers also need tools like encrypted email from Paubox.

Ultimately, protecting patient information is the utmost priority. Always make sure your communication platform is secure and encrypted.

About Paubox

Paubox is redefining secure email by making it easy for users. No plugins, no passwords, no extra steps. Just secure email for senders and recipients. Paubox is based in San Francisco, CA.
