Is Texting in Violation of HIPAA?

Healthcare organizations that fail to prevent employees texting in violation of HIPAA expose themselves to the risk of civil action and substantial fines. Any breach of PHI that results from a misdirected or intercepted text, or the loss of a mobile device, can have serious financial consequences – particularly as safeguards exist in the HIPAA Security Rule to prevent these scenarios from occurring.

It is also a requirement of the HIPAA Security Rule that healthcare organizations appoint individuals to conduct risk assessments to identify potential vulnerabilities in the way PHI is communicated. The risk assessments should lead to the development, implementation and enforcement of policies that stipulate how PHI is to be communicated – either by text or any other electronic method.

Our infographic below shows the financial penalties for breaches of PHI that can be imposed by the Department of Health and Human Resources´ Office for Civil Rights (OCR). As there is no justifiable excuse for failing to implement a HIPAA compliant secure messaging policy, healthcare organizations can expect to be issued with the maximum fine for failing to prevent employees texting in violation of HIPAA.

When is Texting in Violation of HIPAA?

Text messages that contain PHI – either in the body of the message or as an attachment – have to comply with the administrative, physical and technical safeguards of the HIPAA Security Rule. The exception to this rule is when medical professionals text patients directly, provided they adhere to the “Minimum Necessary Standard” as defined in the Privacy Rule.

The most relevant safeguards that determine “when is texting in violation of HIPAA?” are those found in the technical section of the HIPAA Security Rule. These include ID authentication, audit controls and transmission security to prevent the unauthorized disclosure of PHI when patient data is being transmitted electronically. Among the requirements are:

  • Those with authorization to communicate PHI must authenticate their identities with a unique username and PIN.
  • A system must be implemented to monitor the activity of text messages containing PHI and ensure message accountability.
  • Data transmitted beyond an organization´s internal firewall must be encrypted so that it is undecipherable if intercepted in transit.

Without these minimum standards in place, texting is in violation of HIPAA whenever a text is sent containing PHI. This has become a significant problem for healthcare organizations due to the increased use of personal mobile devices in the workplace. With an estimated 80% of medical professionals now using personal mobile devices, there is a significant risk of a data breach via unsecure communication channels.

Texting PHI by SMS or IM in Violation of HIPAA

Two such unsecure communication channels are “Short Message Service” (SMS) or “Instant Messaging” (IM). Without ID authentication, anybody could pick up an authorized user´s Smartphone use it to send a message – or indeed edit a received message before forwarding it on. The message contained PHI, it would constitute texting in violation of HIPAA.

Senders of SMS and IM text messages have no control over the final destination of their messages. Messages without accountability could be sent to the wrong number, forwarded by the intended recipient or intercepted while in transit. Furthermore, copies of SMS and IM text messages remain indefinitely on service providers´ servers where they can be accessed without authorization.

Other requirements of the Security Rule create further issues regarding SMS and IM text messages. For example, most messaging apps have no automatic log-off facility. If a mobile device is left unattended, is lost or stolen, there is a significant risk of the unauthorized disclosure of PHI. “Snooping”, loss and theft accounted for 70% of all major HIPAA violations in 2014:

Prevent Texting in Violation of HIPAA with a Secure Messaging Solution

Secure messaging solutions resolve texting violation issues by complying with all the administrative, physical and technical requirements of the HIPAA Security Rule. Text messages containing PHI are communicated via secure messaging apps that function in the same way as commercially available messaging apps in order to ensure 100% uptake of the apps and ease of use.

Once logged into the app, authorized users enjoy the same speed and convenience as SMS or IM text messaging, and are able to add attachments such as images, documents and video to their messages. Authorized users cannot copy and paste encrypted data or save PHI to an external hard drive, and all activity on the network is automatically monitored and logged to ensure 100% message accountability.

ID authentication, message accountability and transmission security are assured with a secure messaging solution, while issues such snooping are eliminated due to an automatic logoff security feature; and, in the event that a personal mobile device is lost or stolen, administrators have the ability to remotely wipe all content sent to or created on the app and PIN-lock the app to prevent the unauthorized disclosure of PHI.


Support a Messaging Solution with a HIPAA Compliant Secure Messaging Policy

The benefits of a secure messaging solution can only be achieved when a HIPAA compliant secure messaging policy is in place to prevent employees texting in violation of HIPAA. The policy should be based on the healthcare organization´s risk assessment and contain the conditions under which it is appropriate to communicate PHI by text, the process of communicating PHI by text (i.e. via secure messaging apps), and the sanctions that will be applied if the policy is not adhered to.

Due to there being different risks and vulnerabilities for each healthcare organization, there is no standard policy to prevent texting in violation of HIPAA. A HIPAA compliant secure messaging policy will have to be developed and implemented taking into account the operations, the characteristics and the environment of the healthcare organization. Enforcement through sanctions is also an essential part of a HIPAA compliant secure messaging policy.

Sanctions for texting in violation of HIPAA will depend on the severity of the offense and the likely outcome. If there is likely to be little risk of a data breach, a sanction might be a reprimand or further training. When texting in violation of HIPAA results in a significant outcome, the termination of employment might be more appropriate. When a healthcare organization is faced with serious legal consequences due to the inappropriate actions of an employee, it might also be necessary to instigate civil or criminal proceedings.

Eliminating Mobile Device Hacking with Secure Messaging

In the infographic above, hacking accounted for 7% of major HIPAA violations in 2014 – and that percentage is increasing despite an increase level of IT security in healthcare organizations. Whereas previously cybercriminals would focus their attentions on servers and mainframe computers, there is a growing trend for hackers to target the weakest point in a healthcare organization´s defense – its employees.

The value of PHI on the black market can be as much as ten times higher than a stolen credit card. By conducting phishing exercises, by getting an unsuspecting employee to download an infected app or by introducing malware via an unprotected Wi-Fi service, a hacker can access an entire network when a compromised mobile device connects to the network and extract a significant volume of data.

As secure messaging apps are an isolated service on a mobile device, any infection or malware that has been installed cannot be transferred via the secure messaging platform to other authorized users´ devices or the organization´s computer system – eliminating violations of HIPAA due to mobile device hacking.