HIPAA security rule needs better definition for text messaging

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule leads to uncertainty about how to make text messaging policy decisions, according to an article in the American Journal of Public Health. However, the article's authors assert that text messaging used to send health information can be implemented in a public health setting through two possible approaches.

The first approach is through restructuring text messages to remove personal health information. The other approach is by retaining limited personal health information in the message, but conducting a risk analysis and satisfying other requirements to meet the HIPAA Security Rule.

"Text messaging is a powerful communication tool for public health purposes, particularly because of the potential to customize messages to meet individuals' needs," the article states. "However, using text messaging to send personal health information requires analysis of laws addressing the protection of electronic health information."

The authors say in their article that they are not aware of case law or U.S. Department of Health & Human Services guidance addressing whether text messages are subject to the HIPAA Security Rule. Nevertheless, in consultation with subject matter experts in their information technology, risk management, and legal departments, they concluded that a text message "arguably is within the definition of electronic media because it involves data that exist in electronic form prior to transmission."

As a result, the authors decided that "until there is authoritative guidance," they should proceed under their first approach "cautiously and assume that the Security Rule applies to text messages containing [protected health information]" and in order to avoid triggering the Security Rule they should omit PHI from their text messages.

In cases where the authors retained limited personal health information in the text messages, they analyzed the security standards within the context of sending PHI via text messaging by convening a team of information technology security and risk management experts to conduct a risk analysis and assessment of the Security Rule.

Yet, even after taking steps to mitigate risk, the authors found that "no communication method is 100 percent secure, and text messaging is no different." Ultimately, they concluded, the decision to send text messages with PHI is a policy decision in which the risks and the benefits are weighed by decision-makers."

There is a lack of clear and specific guidance on how health entities can use text messaging that contains PHI, according to the article.

"We recommend that the federal government take steps now to clarify how health departments can reasonably use text messaging to send protected health information," the authors state. "Until guidance is available and regulations are better defined, many health departments will lose the opportunity to use the technology in the most effective way."

According to recent research, doctors at pediatric hospitals are increasingly communicating with each other via text messaging. In the study, 106 pediatric hospitalists were surveyed on how they communicate with hospital colleagues--such as via cell phone and text message. Nearly all (96 percent) said they used text messaging in their day-to-day life while 92 percent said they used a smartphone. And 57 percent said they either send or receive work-related texts.

To learn more:
- read the article abstract