Is Texting in Violation of HIPAA?


The Financial Penalties for Breaches of PHI

Healthcare organizations that fail to prevent employees texting in violation of HIPAA expose themselves to the risk of civil action and substantial fines. Any breach of PHI that results from a misdirected or intercepted text, or the loss of a mobile device, can have serious financial consequences – particularly as safeguards exist in the HIPAA Security Rule to prevent these scenarios from occurring.

It is also a requirement of the HIPAA Security Rule that healthcare organizations appoint individuals to conduct risk assessments to identify potential vulnerabilities in the way PHI is communicated. The risk assessments should lead to the development, implementation and enforcement of policies that stipulate how PHI is to be communicated – either by text or any other electronic method.

Our infographic below shows the financial penalties for breaches of PHI that can be imposed by the Department of Health and Human Resources´ Office for Civil Rights (OCR). As there is no justifiable excuse for failing to implement a HIPAA compliant secure messaging policy, healthcare organizations can expect to be issued with the maximum fine for failing to prevent employees texting in violation of HIPAA.

When is Texting in Violation of HIPAA?

Text messages that contain PHI – either in the body of the message or as an attachment – have to comply with the administrative, physical and technical safeguards of the HIPAA Security Rule. The exception to this rule is when medical professionals text patients directly, provided they adhere to the “Minimum Necessary Standard” as defined in the Privacy Rule.

The most relevant safeguards that determine “when is texting in violation of HIPAA?” are those found in the technical section of the HIPAA Security Rule. These include ID authentication, audit controls and transmission security to prevent the unauthorized disclosure of PHI when patient data is being transmitted electronically. Among the requirements are:

  • Those with authorization to communicate PHI must authenticate their identities with a unique username and PIN.
  • A system must be implemented to monitor the activity of text messages containing PHI and ensure message accountability.
  • Data transmitted beyond an organization´s internal firewall must be encrypted so that it is undecipherable if intercepted in transit.

Without these minimum standards in place, texting is in violation of HIPAA whenever a text is sent containing PHI. This has become a significant problem for healthcare organizations due to the increased use of personal mobile devices in the workplace. With an estimated 80% of medical professionals now using personal mobile devices, there is a significant risk of a data breach via unsecure communication channels.

Texting PHI by SMS or IM in Violation of HIPAA

Two such unsecure communication channels are “Short Message Service” (SMS) or “Instant Messaging” (IM). Without ID authentication, anybody could pick up an authorized user´s Smartphone use it to send a message – or indeed edit a received message before forwarding it on. The message contained PHI, it would constitute texting in violation of HIPAA.

Senders of SMS and IM text messages have no control over the final destination of their messages. Messages without accountability could be sent to the wrong number, forwarded by the intended recipient or intercepted while in transit. Furthermore, copies of SMS and IM text messages remain indefinitely on service providers´ servers where they can be accessed without authorization.

Other requirements of the Security Rule create further issues regarding SMS and IM text messages. For example, most messaging apps have no automatic log-off facility. If a mobile device is left unattended, is lost or stolen, there is a significant risk of the unauthorized disclosure of PHI. “Snooping”, loss and theft accounted for 70% of all major HIPAA violations in 2014:

Prevent Texting in Violation of HIPAA with a Secure Messaging Solution

Secure messaging solutions resolve texting violation issues by complying with all the administrative, physical and technical requirements of the HIPAA Security Rule. Text messages containing PHI are communicated via secure messaging apps that function in the same way as commercially available messaging apps in order to ensure 100% uptake of the apps and ease of use.

Once logged into the app, authorized users enjoy the same speed and convenience as SMS or IM text messaging, and are able to add attachments such as images, documents and video to their messages. Authorized users cannot copy and paste encrypted data or save PHI to an external hard drive, and all activity on the network is automatically monitored and logged to ensure 100% message accountability.

ID authentication, message accountability and transmission security are assured with a secure messaging solution, while issues such snooping are eliminated due to an automatic logoff security feature; and, in the event that a personal mobile device is lost or stolen, administrators have the ability to remotely wipe all content sent to or created on the app and PIN-lock the app to prevent the unauthorized disclosure of PHI.

The Benefits of Secure Messaging

In addition to preventing employees texting in violation of HIPAA, there are numerous advantages of secure messaging. Due to the security features that ensure message accountability, phone tag – acknowledged as a major drain on a healthcare organization´s resources – is virtually eliminated. Our case study from the Salt Lake County Adult Detention Center shows how twenty RNs at the facility cumulatively saved 8-12 hours per day due to secure messaging.

The accelerated flow of communication also increases the speed at which hospital admissions and patient discharges can be managed – North American Medical Management saving thirty inpatient beds per month – and the group messaging facility also fosters collaboration. When integrated into an EMR, patient behavior can be documented faster with a secure messaging solution (a requirement of Meaningful Use Stage II) as can the tracking of responses to patient generated messages (a requirement of Meaningful Use Stage III).

The integration of secure messaging solutions with EMRs has also been shown to reduce patient safety incidents, and the cloud-based platforms through which secure messages are sent can be used as part of an emergency disaster plan – as happened when a two-hour power outage struck Optimal Health Services and authorized users were able to use their personal mobile devices to replace the facility´s answering service.

Secure Texting and Pharmacies

One of the scenarios in which the unauthorized disclosure of PHI is highly likely is the communication of PHI between medical professionals and pharmacies. Practically every communication between medical professionals and pharmacies contains information which, if a text were to be misdirected or intercepted, would lead to a breach of PHI.

Delays due to phone tag while a prescription is confirmed or a query resolved can be time consuming and a source of frustration for patients who have to wait while these issues are resolved. With a secure messaging solution the time it takes to fill scripts can be reduced by 50% – as was demonstrated at Orange County Community Clinics and the Carvajal Pharmacy without any risk of texting in violation of HIPAA.

Pharmacies are subject not only to HIPAA regulations, but also to DEA regulations under the Controlled Substances Act. With a secure messaging solution – and a HIPAA compliant secure messaging policy to guide employees on when to use the solution – all parties can benefit from accelerated communications without the risk of a data breach and spend more time attending to the needs of their patients.

Support a Messaging Solution with a HIPAA Compliant Secure Messaging Policy

The benefits of a secure messaging solution can only be achieved when a HIPAA compliant secure messaging policy is in place to prevent employees texting in violation of HIPAA. The policy should be based on the healthcare organization´s risk assessment and contain the conditions under which it is appropriate to communicate PHI by text, the process of communicating PHI by text (i.e. via secure messaging apps), and the sanctions that will be applied if the policy is not adhered to.

Due to there being different risks and vulnerabilities for each healthcare organization, there is no standard policy to prevent texting in violation of HIPAA. A HIPAA compliant secure messaging policy will have to be developed and implemented taking into account the operations, the characteristics and the environment of the healthcare organization. Enforcement through sanctions is also an essential part of a HIPAA compliant secure messaging policy.

Sanctions for texting in violation of HIPAA will depend on the severity of the offense and the likely outcome. If there is likely to be little risk of a data breach, a sanction might be a reprimand or further training. When texting in violation of HIPAA results in a significant outcome, the termination of employment might be more appropriate. When a healthcare organization is faced with serious legal consequences due to the inappropriate actions of an employee, it might also be necessary to instigate civil or criminal proceedings.

Eliminating Mobile Device Hacking with Secure Messaging

In the infographic above, hacking accounted for 7% of major HIPAA violations in 2014 – and that percentage is increasing despite an increase level of IT security in healthcare organizations. Whereas previously cybercriminals would focus their attentions on servers and mainframe computers, there is a growing trend for hackers to target the weakest point in a healthcare organization´s defense – its employees.

The value of PHI on the black market can be as much as ten times higher than a stolen credit card. By conducting phishing exercises, by getting an unsuspecting employee to download an infected app or by introducing malware via an unprotected Wi-Fi service, a hacker can access an entire network when a compromised mobile device connects to the network and extract a significant volume of data.

As secure messaging apps are an isolated service on a mobile device, any infection or malware that has been installed cannot be transferred via the secure messaging platform to other authorized users´ devices or the organization´s computer system – eliminating violations of HIPAA due to mobile device hacking.

Speak with TigerText about Secure Messaging Solutions

TigerText is the leading provider of secure messaging solutions to prevent texting in violation of HIPAA. More than 5,000 healthcare facilities – including four of the top five largest for-profit health systems in the country – have implemented TigerText to comply with the administrative, physical and technical safeguards of the HIPAA Security Rule, and our servers currently process more than ten billion secure messages each year.

TigerText helps healthcare organizations to prevent employees texting in violation of HIPAA or spreading malware from an infected personal device. Our secure messaging solutions also help to increase productivity, enable medical professionals to streamline their workflows and enhance the standard of healthcare delivered to patients – at a 40% lower cost than many non-compliant text messaging alternatives according to a study conducted by HIMSS Analytics.

If you would like to know more about TigerText´s secure messaging solutions – or have questions about a HIPAA compliant secure messaging policy – you are invited to contact us and request a free demonstration of TigerText in action. The demonstration will illustrate how TigerText works and how the security features that come as standard on a secure messaging app help to prevent texting in violation of HIPAA.