Cellphone usage has become a normal part of Americans' everyday life. According to a recent study conducted by Pew Research Center's Internet & American Life Project, 61% of people in the US own a smartphone, whereas 91% own some type of mobile phone. These devices aren't being used strictly for personal purposes either, as many people use them for work, including doctors and nurses.
Revisions made to the Health Insurance Portability and Accountability Act (HIPAA) have focused on the implementation of technology. The Department of Health and Human Services (HHS) is fully aware that healthcare providers are using computers, smartphones, tablets and other devices in their normal operations. As such, they had to include certain standards to govern the use of devices so entities aren't violating the rights of their patients or contributing to privacy violations.
So, can doctors and other covered entities text healthcare information without violating HIPAA? There are several factors one must look at to determine whether or not this practice is acceptable. If the information being texted does NOT contain any Protected Health Information (PHI), it's acceptable and not a violation of HIPAA. If the information DOES contain PHI, however, doctors must take extra steps to ensure it doesn't violate HIPAA before sending the text.
Some of the different types of identifiers associated with PHI include name, address, telephone number, FAX number, email address, social security number, medical record, health plan number, account number, license number, device serial number, biometric identifiers, full-face photo, web URLs and IP addresses.
Keep in mind that doctors may still text PHI, but only if they follow HIPAA's Security Rule. The Security Rules requires covered entities to take meaningful and appropriate measures to prevent unauthorized access of Protected Health Information. If you read through the entire document on the Security Rule, though, you won't find any specific information about texting. Nonetheless, covered entities are still required to secure any PHI transmitted via text message.
The most effective way to send PHI over a text message is by using a third-party encryption service, ensuring the information is encrypted so others can't see it. There are dozens of companies that specialize in such services. Assuming you use one of these services, you must have a Business Associates Agreement (BAA) in place, explaining what information the service provider will receive and how it will be used.