Does sending patient information via text violate HIPAA?

Does sending patient information via text violate HIPAA?

Texting has become people’s favorite way to communicate, both personally and for business. One study even found that 63 percent of individuals would choose to do business with companies that offer communication via text messages over those that don’t. 

Given the popularity of text messages, many healthcare organizations are debating whether they should use text messaging more. After all, texts are a quick, easy way to talk to customers and coworkers. However, there’s one concern holding organizations back from using texts: data safety.     

Text messages may appear to be secure, but for healthcare organizations, texts need to be more than secure. Text messaging needs to be HIPAA-friendly. Let’s discover whether standard text messages can meet HIPAA’s legal standards.       

Is text messaging HIPAA-friendly

Healthcare organizations may want to send text reminders to patients or allow their employees to text each other, but is this HIPAA-friendly? While HIPAA doesn’t refer to text messages specifically, it does lay out security requirements that apply to any online health data transfer. These data transfers include texts that contain a patient’s protected health information (PHI). So how do standard text messaging services measure up to HIPAA’s various requirements?  

When it comes to HIPAA’s data access regulations, texts fall short of the legal standard. HIPAA requires that data transfer systems control who has access to the information you’re sending. Unfortunately, while you can decide what phone number receives a text, you can’t control who ends up reading it. If someone can unlock a patient’s phone, they can read private messages sent to that phone.

Compounding this lack of access restrictions is the fact that you can’t conduct a data audit on standard text messaging services. These audits are a major component of HIPAA compliance because they can reveal security gaps and data breaches. 

Since you can’t control or run a data audit on who accesses a text, your messages could be compromised without you even knowing. You need to set up safeguards so this can’t happen, but standard texts can make adding safeguards impossible.    

Encrypting data is a common method to prevent hackers from gaining access to it. Encrypting medical data is also a HIPAA requirement. However, standard text messages aren’t encrypted, and it’s extremely difficult to encrypt a text message using a standard service. 

Using a standard text message service to transmit patient data is clearly not HIPAA-friendly, and your business could get in serious legal trouble for sending patient data over text. However, not everything is considered patient information. You can send certain information through texts; you just need to know what’s protected by HIPAA and what’s not. So what kind of data do you need to avoid sending? 

Is texting a patient name a HIPAA violation?

A healthcare worker texting a colleague

HIPAA protects a patient’s medical information and their personally identifiable information. Texting any of this data to someone else constitutes a HIPAA-regulated data transfer. Here are 18 separate identifiers that would make a text subject to HIPAA requirements:  

  • Names
  • Addresses 
  • Social Security numbers
  • Dates
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Medical record numbers
  • Health plan beneficiary numbers  
  • Account numbers
  • Certificate or license numbers 
  • Vehicle identifiers or serial numbers 
  • Device identifiers and serial numbers 
  • Web URLs
  • Internet Protocol (IP) addresses 
  • Finger or voice prints 
  • Photographic images 
  • Any other characteristic that can identify a patient 

As this list shows, even texting another medical provider a patient’s name falls under HIPAA’s requirements. But many people have gotten into the habit of using texts for most of their communications. How can you avoid falling into bad habits that will violate HIPAA? 

Just so you know

Gather patient data securely with HIPAA-friendly online forms. Great for consent forms, medical history, and more.

How to get into the habit of HIPAA-friendly messaging

Sending text messages has become second nature for many people. However, the habits that work for personal communication don’t translate to legally regulated communications. Here are some basic ways you can get into the habit of HIPAA-friendly messaging:   

  • Don’t send data to other medical professionals in unsecured text messages. Any patient data needs to go through a secure channel, such as a secure email account.   
  • Get permission from patients before you send their PHI through texts. A notable exception to HIPAA’s data security requirements is that you can send a patient texts containing their PHI if they understand the risks involved and have signed a waiver. 
  • Consider installing HIPAA-friendly text messaging apps. Standard text messaging services aren’t HIPAA-friendly, but there are specialized apps that comply with all of HIPAA’s security requirements. 

By developing new messaging habits, you can keep your patient data secure while using text messaging. Ensuring that every communication channel you use to send PHI is secure is the first step to HIPAA-friendly.  At Jotform, we can help you take your HIPAA-friendly a step further. By using our HIPAA-friendly online forms, you can gather the patient information you need while still following legal requirements. Contact us today to learn more.

AUTHOR
Jotform's Editorial Team is a group of dedicated professionals committed to providing valuable insights and practical tips to Jotform blog readers. Our team's expertise spans a wide range of topics, from industry-specific subjects like managing summer camps and educational institutions to essential skills in surveys, data collection methods, and document management. We also provide curated recommendations on the best software tools and resources to help streamline your workflow.

Send Comment:

Jotform Avatar
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Podo Comment Be the first to comment.