Under the Health Insurance Portability and Accountability Act, more commonly known as HIPAA, there is no specific sanction regarding the use of text messaging to share Protected Health Information (PHI). However, there are strict regulations that prohibit the communication of PHI via any insecure electronic format and, as text messages are not sent or stored securely – at least not to the high standards required by HIPAA – ‘texting’ as a means of sharing confidential data is simply not an option for HIPAA covered entities.
However, given the prevalence of cellphones in healthcare nowadays, and the ease and familiarity of text messaging as a communication channel, avoiding non-secure text messaging entirely is easier said than done. There may, for example, be times when a quick text message to a colleague is the best or only available option. In such cases, it is critical that no PHI is exchanged.
More specifically, HIPAA lists the following 18 identifiers; health information linked to any of them is PHI and must be treated with special care:
- Names – this includes both first names and surnames
- All geographical identifiers smaller than a state. If the geographical unit identified by the first three digits of a ZIP code contains fewer than 20,000 people, those three digits must be replaced with 000.
- Dates (other than year) directly related to an individual – for example date of birth, significant medical dates
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers – this includes serial numbers and license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers – for example fingerprints, retinal images and voiceprints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code – this excludes the unique code assigned by the investigator to code the data
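The identifier list above gives a defender something concrete to check before a message leaves the device. As an added example (not from the original article and not DocbookMD's code), the following Python screens an outgoing text against the identifier classes that are pattern-matchable (SSN, phone/fax, email, dates, IP address, URL, medical record number, ZIP code) and applies the three-digit ZIP rule from the list. The regular expressions, the sample messages and the ZIP-prefix population figures are constructed for illustration; the MRN format and the "unknown prefix counts as small" default are assumptions of this example.

```python
import re

# Constructed patterns for the identifier classes that can be matched by shape.
# Names, biometric identifiers and face images cannot be caught this way.
IDENTIFIER_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date":  re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":   re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "mrn":   re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),  # assumed MRN format
    "zip":   re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# The list's threshold: a three-digit ZIP unit with fewer than 20,000 people becomes 000.
SAFE_HARBOR_POPULATION_FLOOR = 20_000

# Constructed populations for three-digit ZIP prefixes (real figures come from Census data).
ZIP3_POPULATION = {"787": 1_300_000, "036": 11_000}


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return every match per identifier class, keeping only the classes that hit."""
    hits: dict[str, list[str]] = {}
    for label, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)  # all groups are non-capturing, so full matches
        if matches:
            hits[label] = matches
    return hits


def screen_message(text: str) -> tuple[bool, dict[str, list[str]]]:
    """Pre-send gate: the message may go out only if no identifier was found."""
    hits = find_identifiers(text)
    return (not hits, hits)


def redact(text: str) -> str:
    """Replace each detected identifier with a bracketed class label."""
    for label, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()}]", text)
    return text


def safe_harbor_zip(zip_code: str, prefix_population: dict[str, int]) -> str:
    """Reduce a ZIP code to the form allowed by the list above: the first three
    digits, or 000 when that three-digit unit holds fewer than 20,000 people.
    An unknown prefix is treated as small (assumption: fail closed)."""
    prefix = zip_code[:3]
    population = prefix_population.get(prefix, 0)
    return prefix if population >= SAFE_HARBOR_POPULATION_FLOOR else "000"


if __name__ == "__main__":
    # Constructed sample messages a clinician might be tempted to text.
    for msg in (
        "Pt SSN 123-45-6789, call (512) 555-0199",
        "DOB 03/14/1975, zip 78701",
        "Labs are back, can you review when you are free?",
    ):
        allowed, hits = screen_message(msg)
        print("ALLOW" if allowed else "BLOCK", hits, "->", redact(msg))
    print(safe_harbor_zip("78701", ZIP3_POPULATION), safe_harbor_zip("03601", ZIP3_POPULATION))
```

A gate like this is a backstop for the everyday case the article describes, a quick message to a colleague, and it only catches identifiers with a recognisable shape; a patient's name or a photo passes straight through, which is why the page's conclusion stands: the fix is a secure channel, not a cleverer filter on an insecure one.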
The expense of failing to comply
Due to the efficiency and potential cost saving benefits, many healthcare providers have advocated a bring your own device (BYOD) policy within their organization. As a result, there is a greater temptation for clinicians to communicate with each other via non-secure messaging apps that are familiar and more convenient, but not HIPAA compliant, increasing the risk of sensitive data being lost, missent or intercepted.
An organization that commits any breach of PHI could face hefty fines of up to $50,000 per incident, per day that the breach remains unresolved, as well as additional fines from the patient(s) affected. This financial burden, combined with any reputational damage suffered, can be fatal for small or even medium-sized healthcare facilities.
To avoid these costly repercussions, HIPAA covered entities should invest in secure tools that will not only keep PHI protected, but also streamline internal communications, accelerate workflows and enhance team collaboration. DocbookMD does all this and more. To find out more or to arrange a free trial, contact us today.