To Text or Not To Text: Texting under HIPAA

February 29th, 2016

Sending text messages under HIPAA

Sometimes, technology just sneaks up on you. Patients want to speak with you – stat – about lab results or to schedule, be reminded of, and confirm an appointment without an interminable wait in the phone queue. Patients want text messaging — which has quickly become the new normal for everyday communication — to be used routinely for their healthcare needs, as well. You hesitate, concerned not only about the appropriateness of text messaging, but the legal ramifications. These are legitimate concerns.

HIPAA unambiguously states that sending health information in a text message is a straight up violation, unless it is to a patient and a proper consent form has been signed (as discussed below). This provision applies to messages as simple as appointment reminders. If you engage in such a practice and do not document context, consideration, and patient consent, you will be in willful neglect and quite possibly assessed up to $50,000 for each text message.

Why is text messaging such a hot-button issue to HIPAA enforcers? Under what conditions can health information be sent by way of regular text messages? The good news is that you can secure text messages rather simply and not jeopardize your patients’ privacy or your healthcare practice. Please read on.

What does HIPAA explicitly say about text messaging?

HIPAA is technology neutral, and so does not directly address text messaging, email, and other forms of electronic communications with specific advice.  HIPAA does not require that anything actually be “encrypted.” But HIPAA does mandate that every organization identify where its electronic Protected Health Information (ePHI) is stored, where and how it is transmitted, and how it is accessed, among other considerations defined in the Privacy Rule to minimize the risk of a security breach.

HIPAA does imply that if it is easy to encrypt the ePHI in a text message, the choice to “not encrypt” could be seen as willful negligence and could lead to large fines.  Conversely, if the technology at your organization does not exist to encrypt text messages, or is not available due to cost, then you must decide to (1) continue sending ePHI in text messages and risk exposure, (2) prohibit the sending ePHI texts, thereby eliminating risk, or (3) allow patients to “opt in” to receiving ePHI texts after the risks have been explained, effectively transferring the risk from the organization to the patient.

Is texting really okay?

Communicating ePHI in text messages to patients and other healthcare practitioners generally leads to violations of HIPAA regulations, unless special precautions are taken due to these potential weaknesses:

  • Lack of assurance that the ePHI will be encrypted during transit from sender to recipient.
  • Messages and ePHI may be saved indefinitely, in plain text, or on third-party servers of cellular providers.
  • Inability to protect text messages from being read by unauthorized individuals, whether in transit or having access to the recipient’s phone.
  • Organizations not sending messages through a common carrier, such as AT&T or Verizon must have a HIPAA Business Associate Agreement with the company, whether Apple or another texting application vendor, through which ePHI-laden texts will flow, be they secure or not.

Are there any easy, inexpensive, and HIPAA compliant alternatives to sending text messages? Yes! Secure email, secure chat, and secure text. And since texting in and of itself is unequivocally not secure, the burden of achieving compliance falls squarely on the healthcare organization and its practitioners to do the right thing. The choices? (1) Stop texting ePHI. This includes basic appointment reminders and notices. (2) Transfer the risk to your patients through training and by requiring written consent forms. (3) Choose an alternative method, as noted above. Not choosing one of these three options will surely lead your organization down the path of willful neglect, in the view of the Department of Health and Human Services, and severe consequences will likely ensue.

Willful Neglect: The three degrees of not caring

In the healthcare world according to HIPAA, the definition of “willful neglect,” means “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” If a breach of ePHI is confirmed, willful neglect will automatically earn your organization the maximum penalty: $50,000 per breached data item (read “per text message”). It seriously is a matter of professional survival. Organizations need to actively avoid willful neglect.

Willful neglect comes in three degrees, all of which are distasteful to HIPAA:

Ignorance. Perhaps the most popular flavor, ignorant organizations ostensibly do not know what needs doing to satisfy HIPAA, or what is appropriate, or they do not bother to perform proper risk analyses and then formulate policy changes based on their risk exposure. Ignorance may be bliss, but for healthcare organizations, it is never smart.

Poor Choices. An organization knows option A is “good,” and relatively straightforward to implement without substantial cost, and option B is “bad” by being extremely risky. If the organization blithely ignores that knowledge and continues business as usual with option B, willful neglect has arrived at its doorstep. You will not experience expulsion from the garden of Eden, but armed with knowledge of “good and bad,” healthcare organizations are obligated to stop pursuit of option B, and instead find ways to mitigate or transfer the risk of option B, document why they accept the risk of option B, or switch gears and embrace option A.

Wink, Wink. If an organization knows the risks, makes good policies, and then proceeds to ignore violations of those policies, guess what?  Willful neglect. Instances of this phenomenon are all too common:

  • Hospital administrators have full knowledge that staff physicians are texting ePHI.
  • Hospital administrators establish and communicate the policies that clearly disallow the behavior.
  • Physicians nonetheless continue texting ePHI, with the tacit knowledge of hospital management and information technology personnel.
  • Even when a written policy is in place, infractions do not cease.

Just having a HIPAA-compliant policy on the books will not offer complete protection of your organization. If you know, or even suspect, infractions you are required to take action. In a 2014 survey on physicians’ at-work texting habits (Telemedicine and e-Health), researchers found:

  • 60 percent sent and 61 percent received work-related text messages.
  • 12 percent sent/received work-related text messages more than 10 times per shift
  • 53 percent texted about work-related matters while not on duty
  • 46 percent reported having concerns about privacy standards with texting.
  • 30 percent have received protected health information in a text message.
  • 11 percent said their organization offers a secure texting solution.

Your best course of action is either to verify that absolutely no texting goes on, ever, or to provide a reliable means whereby your staff can text in a HIPAA-compliant manner.

How to obtain consent for texting?

Under HIPAA, it is perfectly fine to send a message to your patients through insecure channels, for example, email or text, if you have:

  1. Explained the risks to the patient and provide a secure alternative
  2. Received written consent from the patient to “opt-in” to receipt of ePHI, despite use of an insecure channel
  3. Saved the consent form in your records
  4. Taken reasonable precautions to minimize the amount of ePHI going over an insecure channel, and made an effort to implement other safeguards to protect patient privacy.

It is, never permitted, however, to transmit ePHI over insecure channels to other healthcare workers. Consent is applicable only for sending ePHI to patients. Key points to remember if you decide to use regular, insecure texting, albeit with patient consent, to transfer the risk from your organization to the patient:

  • Each patient must be clearly educated about the process. Most consent situations that we have encountered completely ignore this requirement.
  • Consent must really be “opt in” and not “opt out”. The patient must understand the risks and actively choose to agree to them. Consent forms should not include vague wording, such as “We may communicate with you via text message and regular email unless you request otherwise.”
  • Your processes must ensure that texts are never sent to patients who have not given consent. That kind of action would be an automatic HIPAA breach.
  • Can safeguards be devised to help ensure patient privacy when using regular text messages?

Sending texts, even given patient consent, is far from a simple matter. The context can be tricky and risky. Do your patients actually understand the risks? Do you have their signed consent forms filed away, safe and sound? Are you certain that text messages cannot accidentally be sent to patients who have not opted in to accept the risks?   Are you providing patients with a secure alternative?

With inexpensive and easy-to-use options available for sending text messages securely, are you taking appropriate steps to safeguard patient ePHI privacy? Under HIPAA, if you can mitigate risks easily, you should do so, consent options aside.

A responsible and proactive organization with the best interests of their patients in mind will provide them with the option of secure texting, as a default. Instead of patients giving their consent for insecure texts or receiving no messages, the option becomes either secure text, or consent for insecure texts, or no messages. Secure texting can be the opt out default as it meets both the needs of compliance and the goal of fast, text-like communication.

What about Apple iMessage?

Wildly popular, iMessage is a text communication service for Apple users, but the “texts” are, in fact, messages encrypted by Apple during transit, flowing through Apple’s servers, and decrypted by individual iOS devices. Apple is in charge of all encryption keys; some backups of messages may be stored that possibly are not secure, depending on the iCloud configuration of the device.

Although iMessages are encrypted — a prerequisite for transmitting ePHI — Apple is not HIPAA compliant. And because Apple is not a “common carrier” like AT&T and Verizon, you need a HIPAA Business Associate Agreement with them in order to send any ePHI over iMessage or FaceTime (consent or not). As this kind of agreement is not available at present or expected any time soon, iMessage cannot be used with ePHI.

What is a Common Carrier?

A vendor that provides free access to all users of its environment is known as a “common carrier.” Apple is not a common carrier and has expressed no inclination to become one. Here’s why. Apple would need to provide free and unrestricted application program interfaces. The door would then be wide open for the use of iMessage and FaceTime, without a corresponding need for an Apple operating system or specific hardware to talk with any of Apple’s regular (paying) users.

If Apple were a common carrier, then use of iMessage would be on par with use of regular texting. You could use it to send ePHI to patients who opt in, with their written consent, to taking the risk of not using a HIPAA-compliant communications solution.

The situation vis a vis Apple gets worse. The HIPAA requirement for a Business Associate Agreement with your service providers stands independent of your patients’ consent to accept insecure messages. Since Apple is not a “common carrier” and your organization has no Business Associate Agreement, it is entirely inappropriate to send any message containing ePHI over iMessage — even to patients who have given their consent.

Nonetheless, if you are sending a message from an iPhone, the Apple operating system will automatically use iMessage whenever possible. The choice is to discontinue the use of iOS devices to send texts, even when consent exists, or to disable the use of both iMessage and FaceTime on mobile devices (here is how), so that ePHI messages get transmitted only by your common carrier.

Can Text Messages Ever be Sent Securely?

There are essentially three ways to achieve “secure texting”:

1. A specialized app instead of regular text messages

Each authorized individual downloads a specialized HIPAA-compliant app to send and receive secure messages in a manner similar to how normal texting would be done.   LuxSci SecureChat, while an example of this solution, is not exactly HIPAA-compliant secure texting. All users need to download a specialized app and to have a dedicated account. Messages are transmitted using wi-fi or a cellular data network. The specialized app essentially represents a closed system like LinkedIn. The difficulty in a healthcare setting can arise when messaging non-technical individuals who also have to be outfitted with the correct software and know how it works. A challenging proposition, but feasible.

2. A specialized app to decrypt text messages

As in the solution above, each authorized individual downloads a specialized HIPAA-compliant app. Messages are sent and received securely encrypted. The recipient installs the same app and uses it to decrypt these messages for viewing and secure reply. More like regular texting, the messages flow over your existing text messaging infrastructure. Yet the problem remains of training ancillary staff to communicate with a specialized app.

Depending on how your system is configured and used, you may be at significant risk of accidentally sending unencrypted messages, and causing an ePHI breach. You do not want to run afoul of HIPAA regulations.

3. An easy NO APP solution

The LuxSci SecureText solution allows any individual with a smart phone to receive and open secure text messages without the hassle of downloading or learning a new third-party app. With SecureText you can send a secure text message, of unrestricted content length (including file attachments), with no prior communication, setup, or training required.

Which Encryption Solution is Best?

 You first have to analyze your organization’s infrastructure regarding secure text and then you can make an informed decision between two elegant, HIPAA-compliant solutions. The choice needs to be right for the realities of your organization.

Use SecureChat if:

  1. You engage in frequent back-and-forth discussions
  2. You communicate with a relatively limited set of individuals inside and outside your organization, including claims billers, pharmacists, and other providers with whom you interact frequently. It will be quite straight forward to get them acclimated to using the app successfully.

Use App-free SecureText, if:

  1. You require an easy and convenient way to communicate ePHI securely
  2. Messages consist of mostly the broadcast type — “You have an appointment.” — with fewer back-and-forth discussions.
  3. Messages are directed to arbitrary recipients or to less technically proficient individuals.

In all cases, it is wise to follow these basic recommendations: include the fact that your organization uses texting in the required annual HIPAA risk analysis survey and make sure that you have updated policies and systems in place to ensure the proper security of health information. You will be acting to uphold the privacy rights of your patients, to safeguard the integrity of your organization, and to avoid being the next headline about a breach of HIPAA.