Ensuring HIPAA Compliance in Text Messaging

Many chiropractors and staff members find that text messaging provides quick access to the information they need to make healthcare decisions and is a convenient method for communicating with patients. But it’s important that chiropractors and staff members are cognizant of HIPAA Privacy and Security Rules when using text messaging to avoid violating them.

Typical short message service (SMS) texting does not offer the security necessary for sending protected health information (PHI). As a result, patient privacy might be compromised if unauthorized individuals can view texted data. Additionally, multiple carriers might be involved in relaying and routing text messages, messages can remain on servers in unencrypted formats, and no guarantee exists that the intended person will receive and read the message.¹ If unsecure texting results in HIPAA violations, costly penalties could ensue.

In some situations, standard text messaging may comply with HIPAA guidelines. For example, the HIPAA Journal explains that healthcare providers may send patients text messages only if the content does not include “personal identifiers” and complies with the “minimum necessary standard.”² Chiropractors also must warn patients about the risks of communicating personal information over an unencrypted channel.

To ensure HIPAA compliance in texting, chiropractic practices should use secure messaging systems and have policies and procedures in place that comply with the HIPAA Security Rule’s administrative, physical, and technical safeguards. The technical safeguards are particularly relevant to the electronic transfer of PHI via texting. These safeguards address concerns such as access controls, audit controls, integrity control, methods for ID authentication, and transmission security mechanisms when PHI is being transmitted electronically.³ Chiropractors should check with any current or future electronic record vendor to ensure the platform offers secure messaging. When evaluating potential messaging solutions or messaging apps, chiropractic practices should seek technology that offers multi-level encryption (e.g., encryption of stored data, transmitted data, and data within the application). The technology also should be capable of operating on various devices, such as mobile phones running various operating systems, tablets, and desktop computers.⁴ Other features of a secure text messaging system to consider include:

• Data storage on a secure private server with backup
• A remote option for removing/disabling the application from a mobile device in the event that the device is lost or stolen
• Automatic logout after a period of inactivity to prevent unauthorized access
• The ability to function on various wireless frequencies and Wi-Fi to avoid hospital dead zones
• The ability to track and confirm message delivery
• The ability to set a maximum message data life (e.g., 30 days)⁵

Chiropractic practices also should consider the potential benefits of comprehensive messaging systems and/or compliant text messaging apps, rather than single-purpose systems. Comprehensive messaging systems should easily integrate with the practice’s calendar, directory, customer relationship management system, single sign-on capabilities, and document-sharing service.⁶

Another consideration is selecting a messaging system that offers instant access to documents, images, and resources within conversations, so chiropractors and staff don’t have to switch apps (or context) to access critical information.

Chiropractic practices also need to determine how text messaging activities should be incorporated into their health record documentation policies. HIPAA specifies that individuals have the right to view and amend PHI used to make clinical decisions about their care, which might include information sent via text messages. Practices that allow text messaging should develop policies “requiring annotation of the medical record with any ePHI that is received via text and is used to make a decision about a patient.”⁷

Additionally, chiropractic practices also should check with payers and accrediting organizations to see whether they provide guidance or standards related to texting. For example, the Centers for Medicare & Medicaid Services (CMS) allows for texting of patient information among members of the healthcare team if a secure platform is used, but CMS prohibits texting of patient orders. Similarly, The Joint Commission does not allow text messaging to communicate patient orders.⁸

¹ Is text messaging HIPAA compliant? (n.d.). HIPAA Journal. Retrieved from www.hipaajournal.com/is-text-messaging-hipaa-compliant/

² Is texting in violation of HIPAA? (n.d.). HIPAA Journal. Retrieved from www.hipaajournal.com/texting-violation-hipaa/

³ Ibid.

⁴ Jansen, J. (2014). mHealth will drive physician demand for secure text messaging in 2014. HIT Consultant. Retrieved from http://hitconsultant.net/2014/01/08/mhealth-will-drive-physician-demand-for-secure-text-messaging-in-2014/

⁵ Ibid.

⁶ 7 Advantages of HIPAA compliant texting apps. (n.d.). Zinc. Retrieved from http://content.zinc.it/Ebook_eBook-7-advantages-of-HIPAA-complaint-texting.pdf

⁷ Greene, A. H. (2012, April). HIPAA compliance for clinician texting. Journal of AHIMA, 83(4), 34-36

⁸  Centers for Medicare & Medicaid Services. (2017, December 28). Memorandum: Texting of patient information among healthcare providers (Ref: S&C 18-10-ALL). Retrieved from  www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-18-10.pdf; The Joint Commission. (2021, October 22 [updated]). FAQ: Can secure text messaging be used to communicate patient care orders? Retrieved from  www.jointcommission.org/standards/standard-faqs/home-care/leadership-ld/000002173/