Doctors, chiropractors, dentists and other covered entities are required by law to comply with the Health Insurance Portability and Accountability Act (HIPAA). Originally signed into law by Congress back in 1996, HIPAA is designed to protect the privacy of healthcare patients by establishing certain rules that covered entities must follow. While some of these requirements are obvious, others are more subtle.
If your healthcare practice uses text messaging services to relay information to patients or third-party organizations, there are a few things you should know regarding HIPAA compliance. First and foremost, you must ask yourself whether the text message contains Protected Health Information (PHI) such as patient names, phone numbers, Social Security numbers, addresses, medical billing data, etc. If it does, then it is regulated by HIPAA and the Security Rule, which applies to all forms of Electronic Protected Health Information (EPHI).
The problem with using traditional SMS text messaging services to send and/or receive EPHI is their lack of any built-in security measures. SMS was never intended to be used for transmitting or receiving sensitive data, so safeguards were never implemented. This means all text messages, by default, are sent in plain text, without encryption or similar protective measures.
Of course, there are other challenges faced by covered entities who use SMS text messaging services to send or receive EPHI. In addition to its lack of encryption, SMS offers no way for the recipient to authenticate a message. If you send a patient a text message containing his or her medical information, for instance, the patient has no way to verify that it really came from you. And the reverse is equally true: even if you "think" you sent the information to the correct phone number, there's no way to tell for certain, since SMS text messaging provides no form of authentication of the recipient.
And then there's the issue of EPHI being stored by the wireless carrier. When you tap "send," the message passes through the wireless carrier, where a copy is stored, before ending up on the recipient's device. Under HIPAA, a wireless carrier in this role may be viewed as a business associate, in which case a Business Associate Agreement (BAA) is required.
There are ways to use text messaging in the medical field, however. If a message doesn't contain any sensitive information that's classified as PHI, it can be sent without regard to HIPAA. And if it does contain PHI, there are other, more secure text messaging services available, some of which are HIPAA-compliant and offer built-in encryption and other security measures.