Is Text Messaging HIPAA-Compliant?Kathryn Stone
One of the most common questions doctors have as they are evaluating telehealth options is related to compliance. Do Medici virtual visits meet the standards required to keep their communications HIPAA-compliant and protect potential PHI?
Dos & Don’ts of HIPAA-Compliant Messaging
Text messaging is such a ubiquitous form of communication today, it’s natural that doctors and other healthcare providers find it to be an increasingly helpful way to speak to patients.
The language used in the Privacy and Security Rules related to text messaging and HIPAA compliance are complicated. While neither of these rules specifically mention text messaging per se, they do outline conditions pertaining to electronic communication within healthcare, stating that a system of administrative, physical and technical safeguards must be in place to ensure the confidentiality and integrity of protected health information (PHI) when it is in transit and at rest.
Popular Text Messaging Apps Leave Doctors at Risk
Most popular text messaging options used today are not HIPAA-compliant because they lack the appropriate encryption. In other words, messages sent via SMS – WhatsApp, Facebook Messenger or Skype – are vulnerable to interception during transit. What’s more, most text messages and images sent using these common platforms are stored on a device’s internal storage or in the cloud, further increasing the risk.
Take WhatsApp, as an example. While messages sent within the app are securely encrypted from sender to receiver – satisfying part of HIPAA’s encryption requirements – WhatsApp does not offer any secure storage (meaning any images are likely stored on your phone). Similarly, it does not provide secure access controls in the app, making it a risky option when exchanging ePHI.
Mitigating The Risks of HIPAA Non-Compliance
With the influx of personal mobile devices infiltrating clinical communications, there’s an increased risk of sensitive data falling into the wrong hands. Medical practices that permit just one single breach of texting PHI could face fines of up to $50,000 – per vulnerability, per day – for the duration that the breach goes uncorrected. What’s more, that same practice could face significant fines from the affected patient and severe damage to their professional reputation.
Medici is a mobile app that addresses these compliance concerns by providing the necessary safeguards to ensure PHI integrity. At the same time, it allows doctors to offer text-based virtual care that’s as easy to use as a simple SMS text message. To avoid fines and other ramifications, text messaging and other instant messaging apps should be addressed under the HIPAA security rule as part of an organization’s risk analysis and management strategy.
Ready to start offering HIPAA-compliant messaging in your practice? Download Medici today for iOS/Android or create an account on desktop.