As more physicians begin to use texting and e-mails to communicate with patients, concerns about the HIPAA Security Rule and how it applies to electronic messaging have increased tremendously. Texting is an efficient tool of communication for busy providers; however, texting patient health information (PHI) without adequate safeguards can expose an organization to potential privacy and security violations that may result in adverse legal and financial consequences.
An organization needs to consider whether its policies and procedures sufficiently address PHI texting, and whether the workforce has been adequately trained to comply with those policies. The HHS has increased the compliance audit activity and HIPAA enforcement penalties, especially in instances of willful neglect of compliance.
Categories of HIPAA Violations
| Violation category | Penalty for each violation |
| Did not know | $100 – $50,000 |
| Reasonable cause | $1,000 – $50,000 |
| Willful neglect, corrected | $10,000 – $50,000 |
| Willful neglect, not corrected | $50,000 |
How to Send HIPAA Compliant Texting
The HIPAA Security Rule does not prohibit (or even mention) texting. As with any other means of communication, appropriate safeguards must be in place to ensure the privacy and security of Protected Health Information (PHI) communicated by text. These safeguards must adequately address the specific risks that texting raises.
For instance, text messages are generally not secure because they lack encryption, and the sender does not know with certainty the message is received by the intended recipient. Also, the telecommunication vendor/wireless carrier may store the text messages. Although, organizations may approve texting after performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.
5 Key Steps Your Organizations Can Take To Manage Mobile Devices
- Organization needs to decide whether mobile devices will be used to access, receive, transmit or store patients’ health information or will it be used as part of your organization’s internal network or systems, such as an electronic health record system.
- It’s important to consider the risks when using mobile devices to transmit the health information your organization holds.
- Find a mobile device risk management strategy, including privacy and security safeguards.
- It’s imperative to develop, document and implement your organization’s mobile device policies and procedures to safeguard health information.
- Always conduct mobile device privacy and security awareness and ongoing training for Providers and professionals
In an upcoming audio session on Texting and E-mail with patients, HIPAA compliance expert Jim Sheldon Dean will be discussing how healthcare providers can serve patients’ requests for communication of information by text messages and e-mails while complying with HIPAA Privacy and Security rules. You will be able to understand the difference between patient communications and professional communications, and how it needs to be handled to best serve patients, enable communications efficiently and stay within the norms of HIPAA compliance. You can handle patients’ request for communication of information by text messages and email while remaining within the bounds of HIPAA Privacy and Security Rules, this session will help you achieve that level of compliance.
