HIPAA Texting Policy

Why You Should Have a HIPAA Texting Policy

A HIPAA texting policy is just one of a number of policies that should be developed, implemented and enforced in order to comply with the Health Insurance Portability and Accountability Act 1996. The policy for texting in compliance with HIPAA should establish the conditions under which it is appropriate to communicate Protected Health Information (PHI) by text, the acceptable method(s) for communicating PHI by text, and the sanctions that will be applied if the policy is not adhered to.

The purpose of having a policy for texting in compliance with HIPAA is so that every employee and Business Associate refrains from actions that may result in the unauthorized disclosure of PHI. The financial penalties for a breach of PHI can be substantial; so it is vital that every covered entity has HIPAA texting rules in order to prevent PHI being accidently or maliciously disclosed. It is also something HIPAA audit inspectors will look for when the OCR conducts its next round of audits.

Breaches of PHI and their Consequences

Data breaches are big business. It has been estimated that health records are worth ten times more on the black market than credit cards due to health records being used to create false identities and obtain free healthcare. Mostly only the largest breaches of PHI attract national headlines (Anthem, Premera Blue Cross, Excellus Health, etc.), but – in 2014 – the unauthorized disclosure of PHI not associated with hacking accounted for 30.7 percent of the patient health records breached.

Many covered entities will be aware that increased financial penalties for a breach of PHI were introduced in the Final Omnibus Rule of 2013. But how many are aware of the other consequences of a breach of PHI? Our infographic below illustrates what the real cost of a data breach may be, and why a policy for texting in compliance with HIPAA should be on the top of every healthcare organization´s agenda:

Prior to Developing a Policy for Texting in Compliance with HIPAA

Prior to developing a policy for texting in compliance with HIPAA, covered entities should conduct a risk assessment in order to identify where a breach of PHI might occur within their organizations and to detect any security vulnerabilities. Various tools are available from the Department of Health and Human Services to encourage covered entities to comply with this requirement of the HIPAA Security Rule – which is also a requirement of the Meaningful Use incentive program.

Any weaknesses that are identified should be addressed with the most appropriate measures to prevent the unauthorized disclosure of PHI. In certain circumstances this will involve a complete overhaul of the way in which PHI is communicated within an organization in order to comply with the administrative, physical and technical requirements of the HIPAA Security Rule. Depending on the nature of healthcare service provided by the covered entity, the changes required may be substantial.

What Should be Included in an Organization´s HIPAA Texting Guidelines?

There is no “one-size-fits-all” HIPAA texting policy, and each covered entity should determine the most appropriate HIPAA texting guidelines to achieve compliance – taking into account the characteristics of the covered entity and its environment. The development and implementation of HIPAA texting guidelines will reflect the nature of the covered entity´s business, its size, and the weaknesses identified in the risk assessment.

Typical elements of a policy for texting in compliance with HIPAA include:

  • The circumstances in which PHI can be communicated
  • Whether it is necessary for the communication to be encrypted (*)
  • How the “Minimum Necessary Standard” should be applied
  • What devices and channels can be used to communicate PHI by text
  • Whether or not a Privacy Statement needs to be included in the communication
  • The procedure for reporting misdirected text messages
  • Any other special circumstances that may apply
  • Special exceptions to the above

(*) The encryption of text messages in an “addressable” requirement of the HIPAA Security Rule. This effectively means that unless the text communication is between a doctor and patient, or it is maintained within an internal communications network that is protected by a firewalled server, the encryption of all text messages containing PHI is necessary.

Sanctions for Failing to Adhere to HIPAA Texting Rules

The importance of adhering to HIPAA texting rules should be communicated to all employees authorized to access PHI. They should be made aware that the creation, modification and transmission of PHI is monitored and an audit trail created. Although the enforcement of sanctions is not a pleasant task, if employees are aware of what penalties exist for failing to adhere to the HIPAA texting rules, there can be no complaints should an accidental or malicious breach of PHI occur.

Typically, non-adherence with the HIPAA texting rules is broken down into three classes of offence:

  • Class I offenses include accessing PHI without authorization, sharing login codes, amending PHI without authorization, texting PHI to an employee not authorized to access PHI, and failing to cooperate with a Privacy Officer.
  • More serious Class II offenses include the unauthorized use or disclosure of PHI, using another employee´s login code or – depending on the level of risk a Class I offense created – Class II offences could include the repeat of a Class I offence.
  • Class III offenses would include obtaining PHI under false pretenses and using or disclosing it for commercial advantage, personal gain or malicious harm. Repeat Class I and Class II offenses could also be included as a Class III offense – again, subject to the level of risk.

The sanctions for failing to adhere to an organization´s HIPAA texting rules can vary from a reprimand and retraining for lesser offences, to the termination of employment for more serious offences. When there are serious consequences to a covered entity due to the actions of an employee, it might also be necessary to instigate civil or criminal proceedings against the employee.

What if the Mechanisms are Not in Place to Support a HIPAA Texting Policy?

Without the other requirements of the HIPAA Privacy and Security Rules being in place, a HIPAA texting policy is superfluous. Some of the administrative, physical and technical requirements of the Security Rule have already been discussed – encryption, monitoring, audit trails and login codes – but without all the elements of HIPAA being in place, a policy for texting in compliance with HIPAA is unenforceable and the covered entity is exposed to the risks of a data breach.

The risk of a data breach has never been greater. Due to the increased use of personal mobile devices in the workplace, covered entities are exposed to risks and vulnerabilities every day. All it takes is one misdirected text message, the interception of an unencrypted text message over an open Wi-Fi service, or a stolen Smartphone for a breach of PHI to take place. Rarely is the blame for the data breach attributed to an individual. The OCR will regard the healthcare organization or other covered entity liable for failing to implement a HIPAA texting policy.

The lack of a HIPAA texting policy can also allow cybercriminals access to a covered entity´s database. In the past, hackers targeted their attacks on servers and mainframe computers. However, Smartphones and other mobile devices are now seen as easier targets and, by infecting a Smartphone with malware, a hacker can access an entire network when the Smartphone connects with it, and extract data at will.

How Secure Messaging Solutions Mitigates Risks

Some covered entities have chosen to implement a secure messaging a solution in order to mitigate the risks of a data breach – either through non-compliant text messaging or due to the efforts of a cybercriminal. Secure messaging is a method of communication that operates in a similar way to Instant Messaging, only with security features in place to enable compliance with HIPAA and prevent attacks from outside sources. The solutions are easy and inexpensive to install and operate, and help covered entities fulfil the requirements of the HIPAA Security Rule.

Secure messaging solutions work via secure texting apps. These can be downloaded and installed onto any desktop computer or mobile device – thus making them suitable for covered entities that promote BYOD policies. The apps only allow authorized users to text other authorized users within the covered entity´s network, eliminating the risk of misdirected text messages and preventing an infected Smartphone from transferring its malware onto a covered entity´s database.

Other areas in which a secure messaging solution can resolve issues surrounding HIPAA compliance include:

  • All authorized users are assigned a unique username and PIN number to ensure ID authentication and message accountability.
  • All text messages communicated through the secure texting apps are monitored and an audit trail created.
  • Secure text messages are archived in a cloud-based platform where they cannot be amended or modified without authorization.
  • Message lifespans are assigned to messages so that they automatically delete after a predetermined period of time.
  • Automatic logoff prevents the unauthorized disclosure of PHI when a desktop computer or mobile device is left unattended.
  • Administrators have the ability to remotely wipe and PIN-lock a secure texting app if the device onto which it has been installed is lost or stolen.

With a secure messaging solution in place, risk assessments find fewer vulnerabilities, making it easier for administrators to compile a policy for texting in compliance with HIPAA. As it is much harder to create a scenario in which a breach of PHI might accidently occur, it is easier for employees to adhere to HIPAA texting guidelines, and there will be fewer instances of sanctions being applied for breaking the HIPAA texting rules – reducing the workloads of administrators and HR departments.