Ensuring HIPAA Compliance in Text Messaging
June 28, 2022
Reading time: 4 minutes
Many chiropractors and staff members find that text messaging provides quick access to the information they need to make healthcare decisions and is a convenient method for communicating with patients. But it’s important that chiropractors and staff members are cognizant of HIPAA Privacy and Security Rules when using text messaging to avoid violating them.
Typical short message service (SMS) texting does not offer the security necessary for sending protected health information (PHI). As a result, patient privacy might be compromised if unauthorized individuals can view texted data. Additionally, multiple carriers might be involved in relaying and routing text messages, messages can remain on servers in unencrypted formats, and no guarantee exists that the intended person will receive and read the message.1 If unsecure texting results in HIPAA violations, costly penalties could ensue.
In some situations, standard text messaging may comply with HIPAA guidelines. For example, the HIPAA Journal explains that healthcare providers may send patients text messages only if the content does not include “personal identifiers” and complies with the “minimum necessary standard.”2 Chiropractors also must warn patients about the risks of communicating personal information over an unencrypted channel.
To ensure HIPAA compliance in texting, chiropractic practices should use secure messaging systems and have policies and procedures in place that comply with the HIPAA Security Rule’s administrative, physical, and technical safeguards. The technical safeguards are particularly relevant to the electronic transfer of PHI via texting. These safeguards address concerns such as access controls, audit controls, integrity control, methods for ID authentication, and transmission security mechanisms when PHI is being transmitted electronically.3 Chiropractors should check with any current or future electronic record vendor to ensure the platform offers secure messaging. When evaluating potential messaging solutions or messaging apps, chiropractic practices should seek technology that offers multi-level encryption (e.g., encryption of stored data, transmitted data, and data within the application). The technology also should be capable of operating on various devices, such as mobile phones running various operating systems, tablets, and desktop computers.4 Other features of a secure text messaging system to consider include:
- Data storage on a secure private server with backup
- A remote option for removing/disabling the application from a mobile device in the event that the device is lost or stolen
- Automatic logout after a period of inactivity to prevent unauthorized access
- The ability to function on various wireless frequencies and Wi-Fi to avoid hospital dead zones
- The ability to track and confirm message delivery
- The ability to set a maximum message data life (e.g., 30 days)5
Chiropractic practices also should consider the potential benefits of comprehensive messaging systems and/or compliant text messaging apps, rather than single-purpose systems. Comprehensive messaging systems should easily integrate with the practice’s calendar, directory, customer relationship management system, single sign-on capabilities, and document-sharing service.6
Another consideration is selecting a messaging system that offers instant access to documents, images, and resources within conversations, so chiropractors and staff don’t have to switch apps (or context) to access critical information.
Chiropractic practices also need to determine how text messaging activities should be incorporated into their health record documentation policies. HIPAA specifies that individuals have the right to view and amend PHI used to make clinical decisions about their care, which might include information sent via text messages. Practices that allow text messaging should develop policies “requiring annotation of the medical record with any ePHI that is received via text and is used to make a decision about a patient.”7
Additionally, chiropractic practices also should check with payers and accrediting organizations to see whether they provide guidance or standards related to texting. For example, the Centers for Medicare & Medicaid Services (CMS) allows for texting of patient information among members of the healthcare team if a secure platform is used, but CMS prohibits texting of patient orders. Similarly, The Joint Commission does not allow text messaging to communicate patient orders.8
1 Is text messaging HIPAA compliant? (n.d.). HIPAA Journal. Retrieved from www.hipaajournal.com/is-text-messaging-hipaa-compliant/
2 Is texting in violation of HIPAA? (n.d.). HIPAA Journal. Retrieved from www.hipaajournal.com/texting-violation-hipaa/
4 Jansen, J. (2014). mHealth will drive physician demand for secure text messaging in 2014. HIT Consultant. Retrieved from http://hitconsultant.net/2014/01/08/mhealth-will-drive-physician-demand-for-secure-text-messaging-in-2014/
6 7 Advantages of HIPAA compliant texting apps. (n.d.). Zinc. Retrieved from http://content.zinc.it/Ebook_eBook-7-advantages-of-HIPAA-complaint-texting.pdf
7 Greene, A. H. (2012, April). HIPAA compliance for clinician texting. Journal of AHIMA, 83(4), 34-36
8 Centers for Medicare & Medicaid Services. (2017, December 28). Memorandum: Texting of patient information among healthcare providers (Ref: S&C 18-10-ALL). Retrieved from www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-18-10.pdf; The Joint Commission. (2021, October 22 [updated]). FAQ: Can secure text messaging be used to communicate patient care orders? Retrieved from www.jointcommission.org/standards/standard-faqs/home-care/leadership-ld/000002173/
Additional Risk content
Accurate and thorough documentation is the backbone of a sound approach to risk management; it provides essential patient information, historical…
The Benefits of a Personal Electronic Device Policy in Chiropractic Practices
More than ever, people are using personal electronic devices (PEDs) — such as laptops, smartphones, tablets, e-readers, and other ‘smart’…
Environmental Emergency Preparedness for Healthcare Practices
Environmental emergencies — such as tornadoes, hurricanes, floods, blizzards, fires, chemical spills, radiation exposure, etc. — can have short-term or…
This document should not be construed as medical or legal advice. Because the facts applicable to your situation may vary, or the laws applicable in your jurisdiction may differ, please contact your attorney or other professional advisors if you have any questions related to your legal or medical obligations or rights, state or federal laws, contract interpretation, or other legal questions.
MedPro Group is the marketing name used to refer to the insurance operations of The Medical Protective Company, Princeton Insurance Company, PLICO, Inc. and MedPro RRG Risk Retention Group. All insurance products are underwritten and administered by these and other Berkshire Hathaway affiliates, including National Fire & Marine Insurance Company. Product availability is based upon business and/or regulatory approval and/or may differ among companies.
© 2023 MedPro Group Inc. All rights reserved.