Are text messages HIPAA-secure? Five steps to text messaging security.

According to a 2015 report into smartphone usage in the U.S., 97% of smartphone owners use text messaging as a means of communication on a regular basis, making it the most widely-used mobile feature of all. With these numbers in mind, it is clear to see why organizations are embracing text messaging as a way of improving communications both internally and externally.

In healthcare environments, the benefits of text messaging are well documented. Unlike traditional methods of communication, such as paging, which typically only offer one-way communication and rely on a host of external factors to work effectively, text messaging offers flexible two-way communication, which can be used to communicate with entire care teams quickly and efficiently.

But despite the many benefits of text messaging in healthcare, it is not risk-free. Since text messages can be accessed by anyone who has access to a mobile device, it is easy for the information contained within non-secure text messaging applications to fall into the wrong hands, should the device be lost or stolen. Whatsmore, text messages sent via most standard messaging apps are unencrypted so they can easily be intercepted during transit.

Identifying the risks
The greatest risk to a healthcare organization that allows text messaging is a breach of protected health information, which carries a s significant fine. A single breach comes with a fine of up to $50,000 per vulnerability, per day that the breach goes unremediated. A PHI breach also exposes the organization to civil charges by the affected patient or client. Either of these actions could devastate a small practice.

To avoid fines and other ramifications, text messaging should be addressed under the HIPAA security rule, as part of an organization’s risk analysis and management strategy.

A healthcare provider should:

  1. Establish where ePHI is created, received, maintained, and transmitted. In the case of text messages, it is mobile phones but these could also be stored on workstation software or in the cloud.
  2. Identify and record any anticipated threats, and the likelihood of these threats. Examples may include:
    • Loss of theft of device
    • Improper disposal of device
    • Interception of ePHI by unauthorized persons
    • Availability of ePHI to persons other than the mobile device owner

Five steps to messaging security
Every organization will identify its own level of risk, and as such there is no one-size-fits-all approach to implementing a secure text messaging strategy. It is therefore important to consider the results of risk analysis and take the appropriate steps the manage text messaging security.

This will generally include a range of administrative, physical, and technical safeguards, such as:

1. Pause all text messaging – Ask all staff to put a halt to using text messages until risk reduction policies are in place. Consult a legal team, if necessary, and inform patients that the hiatus is to protect their privacy.

2. Encrypt all devices – Encryption is a key practice, whether your organization is texting patients or not. This practice is paramount in a healthcare setting because it reduces the risk of unauthorized parties accessing confidential data on mobile devices.

3. Implement policies – Establish a workplace policy that outlines details of who is authorized to send and receive clinical text messages, and what the nature of those text messages should be. It might be worth consulting a legal industry professional to ensure the policy reflects state laws.

The policies could help to regulate security procedures, such as, deletion of all text messages after a given period of time, ability to remotely disable or wipe mobile devices if they are lost or stolen, and password protection. All staff should be trained to follow policies and procedures and be made aware of the possible sanctions that will be imposed if they are violated.

4. Develop a statement of understanding – Healthcare organizations that use text messages to communicate with patients should clearly outline that patients have a the option to choose a preferred method of communication. If a secure text messaging platform is not in place, patients must be informed of the risks that exist in using unsecured messaging. A statement of understanding document should be reviewed and resigned by patients every 12 months.

5. Consider a secure messaging platform  – Unlike regular text messaging, secure messaging platforms ensure messages are encrypted, and sent through a secure server. These platforms generally store data in the cloud, or on an encrypted server as opposed to individual mobile devices. Messages can then be moved to EHR, printed, archived, as and when required.

These steps should serve as a good starting point to begin safeguarding your organization from the potential security risks of text messaging. It is important to fully assess whether text messaging is a suitable method of communication, and make sure comprehensive guidelines are not only in place, but that they are also understood, and implemented by all employees.

For more information, The U.S. Department of Health and Human Services provides extensive advice and suggestions regarding mobile devices and text messaging in healthcare organizations on its website.