A guide to HITRUST and HIPAA compliant texting

Text messaging is fast and convenient, and it has become a preferred way for doctors, nurses, and other healthcare providers to reach each other and their patients. It can also be done in a HIPAA compliant way, but only when it is executed appropriately: ordinary carrier SMS provides no end-to-end encryption, so compliance depends on how the message is delivered, not on texting as such.

Given its high open rate of 98%, text messaging lets healthcare professionals exchange information quickly. With that convenience comes the responsibility of safeguarding sensitive patient data under HIPAA (the Health Insurance Portability and Accountability Act) and, for organizations that pursue certification, the HITRUST CSF, a framework published by HITRUST (originally the Health Information Trust Alliance).

 

Understanding HIPAA and HITRUST

HIPAA

HIPAA, enacted in 1996, sets standards for protecting sensitive patient health information, known as protected health information (PHI). Its Privacy Rule governs how PHI may be used and disclosed, and its Security Rule requires administrative, physical, and technical safeguards that preserve the confidentiality, integrity, and availability of electronic PHI (ePHI). The U.S. Department of Health and Human Services enforces it through the Office for Civil Rights, which can impose civil penalties for non-compliance.

 

HITRUST

HITRUST provides a comprehensive, certifiable framework (the HITRUST CSF) for managing information risk and compliance in healthcare organizations. It maps controls drawn from HIPAA, NIST, ISO 27001, and other regulations, standards, and best practices into one set of requirements, so that a single assessment can demonstrate compliance with several of them at once. Unlike HIPAA, it is not a law: certification is voluntary, and it is often requested by customers and partners as evidence of a mature security program.

Related: What's the difference between HIPAA & HITRUST?

 

The importance of compliance

HIPAA and HITRUST are both designed to protect the privacy and security of patient information. Non-compliance with HIPAA can result in severe penalties: civil fines are tiered by culpability and inflation-adjusted, ranging from a minimum of $137 per violation up to an annual cap of $2,067,813 for repeated violations of the same provision, alongside breach-notification obligations and damage to an organization's reputation. HITRUST imposes no fines of its own, but a failed or lapsed certification can cost an organization contracts that require it. Ensuring compliance in all aspects of healthcare operations, including text messaging, is therefore paramount.

See also: What are the consequences of not complying with HIPAA?

 

Key considerations for HIPAA and HITRUST compliant texting

  • Encryption: All text messages containing PHI must be encrypted both in transit and at rest to prevent unauthorized access. HIPAA's Security Rule does not name a protocol, but HHS guidance points to NIST standards, and data encrypted in line with that guidance is treated as "unusable, unreadable, or indecipherable" for breach-notification purposes. In practice that means current TLS for transport and a standard cipher such as AES for storage, delivered through a dedicated secure-messaging platform rather than the phone's native SMS app, which offers neither.
  • Access controls: Implement stringent access controls so that only authorized personnel can send, receive, and access PHI via text messages. HIPAA requires unique user identification; in practice that means individual accounts (no shared logins), multi-factor authentication, role-based access that limits each user to the conversations they are a party to, and automatic logoff on idle devices.
  • Audit trails: HIPAA's audit-controls standard requires that activity involving ePHI be recorded and examined. Log who sent, read, forwarded, or deleted each message and when, protect the logs from tampering, and review them on a schedule rather than only after an incident.
  • Secure platforms: Choose texting platforms that are specifically designed for healthcare environments and meet HIPAA and HITRUST requirements. These platforms should offer robust security features, such as encryption and secure data storage, and should be able to document those controls on request.
  • Business associate agreements (BAAs): HIPAA requires a BAA with any vendor that creates, receives, maintains, or transmits PHI on your behalf, and a third-party texting service is such a vendor. The agreement should set out each party's responsibilities for protecting PHI and for reporting breaches; ask separately whether the vendor holds a current HITRUST certification, since a BAA does not establish that.
  • Employee training: Provide comprehensive training to all employees who have access to PHI via text messaging. This training should cover HIPAA and HITRUST requirements as well as best practices for secure texting, such as not pasting PHI into a consumer messaging app.
  • Device security: Implement policies and procedures to secure mobile devices used for text messaging, including full-device encryption, a screen lock, remote wipe in case of loss or theft, and mobile device management to enforce those settings. Turning off lock-screen previews of message content keeps PHI from being read off a device that has not been unlocked.
  • Data retention and disposal: Develop policies for retaining and disposing of text message data. HIPAA itself sets no retention period for PHI (its six-year rule covers compliance documentation), but state medical-record laws and the organization's own records policy do apply. Retain messages only as long as necessary, and dispose of them securely, including on devices and in backups, when they are no longer needed.

FAQ

What are the differences between HIPAA and HITRUST, and how do they impact texting in healthcare?

HIPAA is a federal law that sets standards for the protection of patient health information, while HITRUST provides a certifiable framework for managing information risk and compliance that incorporates HIPAA along with other regulations and standards. Covered entities and their business associates must comply with HIPAA; HITRUST certification is voluntary, though partners or customers may require it. A texting solution built to satisfy the HITRUST CSF controls will meet HIPAA's texting-relevant safeguards, but the reverse is not automatically true.

 

How should healthcare organizations choose a texting platform that is HIPAA and HITRUST compliant?

Healthcare organizations should select texting platforms specifically designed for healthcare environments, like Paubox Texting. These platforms should offer robust security features, such as encryption in transit and at rest, secure data storage, audit logging, and access controls, and the vendor should sign a BAA and be able to document its HIPAA safeguards and HITRUST certification status.

 

Is it permissible to communicate PHI via text message with patients or other healthcare professionals?

Yes, HIPAA permits communicating PHI by text message as long as the Security Rule's safeguards are in place to protect the data: encrypted messages, a secure platform, access controls, and audit logging. Plain carrier SMS does not meet that bar on its own. Patients may still ask to be texted at their ordinary number; when they do, explain the risk of unencrypted messages and document their choice, and keep the content to the minimum necessary.

 
