Whether you’re involved in the healthcare industry, or your organization partners closely with healthcare organizations, it’s important to choose a secure text messaging solution that’s compliant with your requirements under the Health Insurance Portability and Accountability Act (HIPAA).
Standard text messaging (SMS) on a mobile device is not HIPAA compliant on its own. Messages travel unencrypted through carrier networks, and even if your organization’s employees protect their devices with passcodes, messages stored on a lost or stolen phone remain at risk. A resulting data breach could leave your organization subject to significant liability and financial penalties.
So when considering a messaging solution that includes data protection safeguards in line with HIPAA requirements, what should you look for?
This article will help you understand what’s involved in a HIPAA compliant texting solution for healthcare workers and other “covered entities,” and how you should evaluate your options.
Understanding HIPAA regulations
HIPAA is a federal law that was put in place in 1996 to protect the privacy of medical patients and prevent unauthorized access to their medical records and other protected health information (PHI).
The law’s regulations are intended to strike a balance: a patient’s care team should have all of the medical information needed to provide high-quality care, while anyone who does not need access to patient records is kept out. Anyone involved in a patient’s care or treatment management may access PHI, but third parties such as family members and employers generally may be given access only with the patient’s written authorization.
HIPAA prohibits medical care providers and other covered entities from discussing or sharing patient records outside of a controlled environment, such as a medical office. That prohibition extends to the waiting room, where other patients may overhear identifiable information about someone else.
The HIPAA Security Rule sets requirements for digital patient communication as well. Electronic protected health information (ePHI), whether a record, a lab result, or a photo, must be shared over secure channels. In practice that means a messaging solution should encrypt messages in transit and at rest and require users to authenticate before reading them. (Strictly, encryption is an “addressable” specification under the Security Rule: a covered entity must either implement it or document why an equivalent alternative safeguard is reasonable, and a consumer SMS app offers no such alternative.)
If a covered entity willfully or negligently violates HIPAA, it can be liable for civil financial penalties for each violation, and individuals who knowingly obtain or disclose PHI without authorization can face criminal penalties, including imprisonment.
As a healthcare provider or other covered entity, it’s important that you have a solid, HIPAA compliant technology framework in place for managing secure text messaging and other communication channels.
Who is required to comply with HIPAA?
First, what types of workers are required to put HIPAA compliance protections into place to safeguard patient data?
If you’re a doctor, nurse, therapist, or other direct health care worker, you’ve probably already been briefed by your organization on your requirements under HIPAA. But HIPAA’s rules apply well beyond clinicians. Covered entities include health care providers (veterans’ health organizations among them), health plans such as insurers and employer-sponsored plans, and health care clearinghouses that process or transmit patient health information. Business associates that handle PHI on a covered entity’s behalf, such as a messaging vendor, are bound by the same safeguards.
Regardless of whether you’re a direct health care provider or an employee in a related field, you’re legally bound to protect all protected health information (PHI) you come into contact with. PHI should be shared only with workforce members at your practice or associated practices who need it for their role, with the patient directly, and with any third parties to whom the patient has explicitly given consent.
Many employees are careful not to discuss PHI with outside parties, but they don’t consider whether they’re inadvertently violating HIPAA when texting their patients or colleagues directly. Even a one-to-one text is a disclosure, and a smartphone’s default SMS app is not likely to meet HIPAA requirements.
What do you need in a HIPAA-compliant communication platform?
When discussing patient information, text messaging is not considered a HIPAA-compliant mode of communication by default. As a result, many health care providers ban SMS messaging as a tool for discussing patient information, whether with the patient, a designated third party, or their colleagues.
Many providers and other covered entities are now doing much of their work remotely, and have embraced bring your own device (BYOD) policies. Restrictions against texting can make it difficult to effectively communicate with third parties in real-time, especially if they aren’t in a private area where they can talk on the phone.
However, text messaging can be HIPAA compliant if it meets certain safeguard requirements. These include:
- The data must be encrypted at rest and in transit
- Each user must be authenticated, and there must be controls in place for who can access PHI (for example, only members of a patient’s care team can see that patient’s conversation)
- There must be controls for what the authorized parties can do with the PHI (read, reply, forward, export)
- Access must be logged so that an audit can show who viewed or sent what, and when
- A lost or stolen device must be lockable remotely so that it can no longer reach stored messages
All of this means that your smartphone’s standard messaging app will generally fail HIPAA compliance tests: SMS is unencrypted in transit, messages sit in the device’s shared message store, and there is no way to revoke a phone’s access once it is gone.
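The access-control and audit safeguards listed above, modelled in Python as an added example that is not part of the original article and not iPlum’s code: a minimal message store that enforces role-based permissions per conversation, revokes a lost device’s sessions, and keeps a hash-chained audit log so that editing the log is detectable. The roles, user names, conversation and message text are constructed for the example; encryption in transit (TLS) and at rest (an AEAD from a real cryptography library) is assumed to be handled separately and is not shown.

```python
import hashlib
import json
import secrets
import time

# Assumed role model; admins manage devices but get no read access to ePHI.
ROLE_ACTIONS = {
    "patient": {"read", "send"},
    "clinician": {"read", "send", "export"},
    "admin": {"lock_device"},
}

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class SecureMessageStore:
    def __init__(self):
        self.users = {}          # user -> role
        self.sessions = {}       # token -> {"user", "device", "revoked"}
        self.conversations = {}  # conv_id -> {"members": set(), "messages": []}
        self.audit = []          # append-only, hash-chained log of every decision
        self._prev_hash = "0" * 64

    def login(self, user, device_id):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "device": device_id, "revoked": False}
        self._log(user, "login", device_id, True)
        return token

    def lock_device(self, admin_token, user, device_id):
        # Lost or stolen phone: revoke every session that device holds for `user`.
        self._authorize(admin_token, None, "lock_device")
        for s in self.sessions.values():
            if s["user"] == user and s["device"] == device_id:
                s["revoked"] = True

    def send(self, token, conv_id, body):
        user = self._authorize(token, conv_id, "send")
        self.conversations[conv_id]["messages"].append((user, body))

    def read(self, token, conv_id):
        self._authorize(token, conv_id, "read")
        return list(self.conversations[conv_id]["messages"])

    def export(self, token, conv_id):
        self._authorize(token, conv_id, "export")
        return json.dumps(self.conversations[conv_id]["messages"])

    def _authorize(self, token, conv_id, action):
        # Live session + role allows the action + (for conversations) membership; always logged.
        s = self.sessions.get(token)
        user = s["user"] if s else "<unknown>"
        members = self.conversations.get(conv_id, {"members": set()})["members"]
        ok = (s is not None and not s["revoked"]
              and action in ROLE_ACTIONS.get(self.users.get(user), set())
              and (conv_id is None or user in members))
        self._log(user, action, conv_id, ok)
        if not ok:
            raise PermissionError(f"{user} may not {action} {conv_id}")
        return user

    def _log(self, user, action, target, allowed):
        entry = {"ts": time.time(), "user": user, "action": action,
                 "target": target, "allowed": allowed, "prev": self._prev_hash}
        entry["hash"] = _digest(entry)   # chains this entry to the previous one
        self._prev_hash = entry["hash"]
        self.audit.append(entry)

    def verify_audit_chain(self):
        # False if any entry was altered, removed or reordered.
        prev = "0" * 64
        for e in self.audit:
            if e["prev"] != prev or _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def _denied(call):
    try:
        call()
        return False
    except PermissionError:
        return True

def demo():
    store = SecureMessageStore()  # constructed scenario; returns each outcome for checking
    store.users.update({"dr_lee": "clinician", "pat_kim": "patient",
                        "dr_ng": "clinician", "it_admin": "admin"})
    store.conversations["c1"] = {"members": {"dr_lee", "pat_kim"}, "messages": []}
    lee, kim = store.login("dr_lee", "phone-1"), store.login("pat_kim", "phone-2")
    ng, adm = store.login("dr_ng", "phone-3"), store.login("it_admin", "laptop")
    store.send(lee, "c1", "Labs look fine; keep the current dose.")
    r = {"patient_reads": len(store.read(kim, "c1")),
         "non_member_blocked": _denied(lambda: store.read(ng, "c1")),
         "patient_export_blocked": _denied(lambda: store.export(kim, "c1"))}
    store.lock_device(adm, "dr_lee", "phone-1")   # phone reported lost
    r["lost_phone_blocked"] = _denied(lambda: store.read(lee, "c1"))
    r["audit_intact"] = store.verify_audit_chain()
    store.audit[0]["action"] = "tampered"         # simulate editing the log
    r["tamper_detected"] = not store.verify_audit_chain()
    return r
```

demo() walks the scenario: the patient can read her own conversation but not export it, a clinician who is not on that patient’s care team is denied even though his role allows reading, and once dr_lee’s phone is locked its session token is useless. Every allow and deny decision lands in the chained log, which is what an auditor will ask for, and the final step shows why the chain matters: silently editing an earlier entry breaks verification.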
When communicating with patients directly, you can use SMS messaging if you have provided a clear warning that the risk of unauthorized disclosure exists, and have obtained their documented consent to communicate via text message.
Many patients and providers would feel more comfortable knowing that they’ve done everything they can to reduce the risk of a data breach, however. In that case, it’s worth considering an alternative to SMS: a secure messaging app designed for HIPAA compliance.
Common use cases for HIPAA-compliant text messaging
A wide variety of healthcare providers and other covered entities, as well as their patients or customers, are likely to benefit from a HIPAA-compliant messaging solution.
- A doctor might text a pharmacist with questions about her patient’s prescription, a conversation that contains PHI and is confidential under HIPAA
- A therapist might use a secure messaging app for ongoing text therapy with his patient, combined with weekly phone calls
- The caregiver of a patient with a chronic illness might text questions about the patient’s drug side effects to the patient’s care team
- Two clinicians may text each other with input regarding a patient’s care coordination
- A health insurance agent may text with a customer about their medical history while putting together their application for coverage
- An infant’s mother may text her child’s pediatrician a photo of her child’s skin rash, seeking input on whether the rash is linked to a medical condition or allergy
- A veterans’ healthcare organization employee might text a patient’s care team regarding coverage for a specific type of treatment the patient needs
In any situation where identifiable health information may be revealed during a conversation, whether between a provider and patient, between colleagues in the healthcare industry, or between two different providers, that ePHI must be managed securely to prevent unauthorized access.
Some organizations have made the difficult choice to block their employees from communicating about patient medical data by text at all. Rather than limiting employees’ digital communication methods, an organization can instead require that employees, and the people they communicate with, use a secure messaging app, which helps them remain HIPAA compliant.
By using a HIPAA compliant text solution, your organization’s employees will be able to freely share data, including text, photos, video, and audio clips, amongst one another and with their patients, all with the unified goal of providing better care and treatment plans — and you can feel secure in the knowledge that your patients’ ePHI will remain protected within a closed environment.
Evaluating HIPAA compliant text messaging solutions
Rather than send and receive SMS messages that include ePHI (electronic protected health information) on your smartphone’s default texting app, you can use a messaging application that’s designed for communicating about clinical workflows and patient care.
By downloading a mobile application that provides secure text messaging, you can set up an encrypted messaging platform that requires its own PIN, separate from the device’s lock screen, on both the provider and the patient side. All communications should be archived in a private cloud, separated from other data.
The text messaging solution should also include role-based permissions, with the ability to create a team account with individual member logins. If anyone’s phone is lost or stolen, that user’s account can be locked so that whoever holds the device can no longer access it.
It’s also important to keep ePHI separated from personal text messages in case of an audit or lawsuit. If ePHI-related messages live in their own channel rather than mixed in with the personal and other work-related messages on your team’s personal mobile devices, an audit or legal investigation can be scoped to that channel, and the rest of the device’s private and proprietary content stays out of it.
When choosing a text messaging solution that meets HIPAA requirements, you’ll also want to consider ease of use. Is the app simple and intuitive to set up? A fully secure messaging solution only works if the provider and the patient or third party both install the app and use it for all of their communication, so an overly complicated onboarding process will reduce your adoption rate.
Cost is also an important consideration when choosing a secure messaging app. Look for a mobile application that offers the right combination of features at a price, typically a monthly per-user fee, that allows you to scale its use throughout your organization.
In addition to all of the features listed above, iPlum offers a wide variety of supplemental features that will benefit customers who need access to HIPAA compliant communication channels.
In addition to a secure messaging channel that healthcare providers and related entities can use with their colleagues or patients, iPlum offers its customers a virtual business phone line. This enables them to easily segregate their business calls and provide a professional caller ID when making outbound calls, so that their patients and business associates can recognize the number without gaining access to the user’s private phone number.
They can feel confident listing the number publicly, knowing that they will be able to tell whether they are receiving a personal or business call because business calls can be given a separate ringtone. They can also set up an auto attendant that lets them choose whether to take a business call or let it go to its own HIPAA compliant voicemail system. For larger healthcare organizations, providers can set up a mobile phone tree, with consolidated billing for the entire team.
iPlum customers can also store business contacts and patient contact information directly within a secure channel within the app, so that business contact details are not accidentally shared in the event of phone loss or theft. Additionally, they can choose to hide names for incoming calls and SMS messages to maintain their contacts’ privacy.
iPlum customers can also use iPlum’s web dashboard to send and receive HIPAA compliant fax messages from other healthcare providers and covered entities, helping them to easily send patient records to other facilities or healthcare professionals without violating HIPAA regulations.
For healthcare providers, and other organizations that deal with confidential health information, it’s important to set up affordable solutions that can help you communicate about patient care plans and medical data from wherever you are — not just in a secure office environment.
By choosing an all-in-one HIPAA compliant text, phone, and fax solution like iPlum, your practice will have the flexibility and mobility to provide high-quality care and important medical context from any location, with the confidence that your patients’ ePHI is protected by encryption and access controls.
That frees up your team to focus on providing the best medical care and treatment plans possible — without needing to worry about the constant threat of HIPAA violations.
Interested in learning more about how iPlum can meet your organization’s needs for a secure, HIPAA compliant messaging solution? Sign up for a plan today.