According to the 2023 Salesforce State of the Connected Customer Report, 66% of people globally engage with companies through text messaging. However, common HIPAA compliance mistakes in text messaging include using regular SMS for protected health information (PHI), failing to obtain patient consent, lacking a business associate agreement (BAA) with third-party services, sending excessive information, inadequate device security, insufficient staff training, not documenting communications, and ignoring patient communication preferences.
1. Using regular SMS for PHI
Regular SMS is not secure and lacks encryption, making it easy for unauthorized individuals to intercept and access PHI. The HHS states that "The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information." Using regular SMS for PHI can, therefore, be a direct violation of HIPAA’s Security Rule.
Switch to HIPAA compliant text messaging platforms with encryption, access controls, and audit trails to ensure patient information remains secure. Carefully vet these services to confirm they meet HIPAA’s requirements.
Related: Is SMS messaging HIPAA compliant?
2. Failing to obtain and document patient consent
Sending PHI via text without explicit patient consent violates HIPAA’s Privacy Rule. Patients might not be aware of the risks, and without permission, your organization is exposed to legal consequences.
Always obtain written consent from patients before sending any PHI via text. Inform them of the risks and provide the option to opt out. Document this consent securely to protect both the patient and your organization.
Read more: How to get consent for texting and emailing patients
3. Lack of a business associate agreement (BAA)
Using third-party messaging services without a BAA means the service provider is not legally obligated to protect PHI, putting your organization at risk of non-compliance with HIPAA’s requirements for safeguarding patient data.
Ensure a BAA is in place with any third-party service provider handling PHI. The BAA should specify the service provider's responsibilities in protecting patient information. Regularly review these agreements to maintain compliance.
4. Sending excessive information in text messages
Over-sharing PHI in text messages violates HIPAA’s minimum necessary rule. Sharing more information than necessary increases the risk of data breaches and exposes your organization to potential fines.
Limit the amount of PHI in text messages. Avoid including detailed medical information and, where possible, use non-specific language or codes. This minimizes the risk of compromising patient data and ensures compliance with the minimum necessary rule.
5. Inadequate device security
Texting PHI from unsecured personal devices leaves patient data vulnerable to unauthorized access. That can lead to potential HIPAA violations if the device is lost, stolen, or compromised.
Implement strict device security policies, including encryption, strong password protection, and multi-factor authentication. Use mobile device management (MDM) solutions to enforce these policies across all devices used by staff. Enable remote wipe capabilities to erase data from lost or stolen devices.
Related: Strategies for MDM and HIPAA compliant communication
6. Lack of staff training
Without proper training, staff may inadvertently violate HIPAA by not following secure communication practices, exposing your organization to compliance issues and potential penalties. At least 85% of data breaches are attributable to individual mistakes.
Conduct regular training sessions on HIPAA compliance, secure messaging practices, and the specific tools used within your organization. Ensure that staff members understand the importance of secure communication and the consequences of non-compliance.
7. Failure to document and archive communications
Not documenting or archiving text communications can lead to non-compliance with HIPAA, particularly during audits or when reviewing past communications.
Implement systems that automatically document and securely store all text communications involving PHI. Review these archived messages to ensure they meet HIPAA requirements and are readily available for any necessary audits.
8. Ignoring patient communication preferences
Disregarding patients’ communication preferences can lead to dissatisfaction and potential non-compliance if secure methods are not used, increasing the risk of exposing PHI.
Record and respect each patient’s preferred communication method. Offer secure alternatives if a patient prefers a medium that doesn’t meet HIPAA standards, ensuring they understand the importance of secure communication.
FAQs
Can healthcare organizations use encrypted personal messaging apps for PHI?
You can use encrypted personal messaging apps for PHI if they meet HIPAA's security requirements. It is, however, safer to use dedicated HIPAA compliant messaging platforms designed specifically for healthcare.
What should be in a BAA for text messaging services?
A BAA for text messaging services should include clauses about data protection responsibilities, breach notification procedures, and compliance with HIPAA’s Privacy and Security Rules.
Can text messages containing PHI be used for appointment reminders?
Text messages can be used for appointment reminders if sent through HIPAA compliant platforms and contain only minimal necessary information, avoiding sensitive PHI.
Liyanda Tembani
