When specific precautions are in place, HIPAA allows electronic communications between patient and provider for reasons like treatment or billing. These precautions are met by using HIPAA compliant text messaging platforms, like Paubox Text Messaging, that are designed with compliance in mind.
According to HIPAA, specifically 45 CFR § 164.502, “A covered entity or business associate may not use or disclose protected health information, except as permitted or required…Except for uses and disclosures prohibited under § 164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under § 164.508…” This means that for text messaging, patient consent is needed when the communication falls outside of HIPAA’s permitted uses, like sharing PHI for reasons not directly related to the patient's diagnosis and treatment.
The use of HIPAA compliant text messaging services like Paubox therefore fulfills HIPAA’s technical requirement for encryption and allows healthcare providers to securely communicate with patients without additional authorization. HHS guidance provides that, “...The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
HIPAA’s Security Rule established the safeguards that ensure the confidentiality and security of electronic communications. Encryption, a necessary safeguard, effectively protects PHI from unauthorized access. When a text messaging platform combines encryption with other measures, like unique user identification and a signed business associate agreement that outlines the use of PHI, the combination eliminates the need for additional consent for communications that would not typically require it.
A valuable recommendation from the American Psychiatric Association guidance, applicable to the use of text messaging by all healthcare providers, states: “It is still best practice for physicians to obtain express written consent from their patient….” Even though encrypted messaging platforms like Paubox provide security, obtaining patient consent before text messaging remains a best practice because it promotes ethical communication between provider and patient.
By seeking consent, providers can make sure that patients are completely aware of how their PHI is used and any risks involved (although encryption minimizes this risk significantly). Seeking consent also improves the patient-provider relationship by allowing the patient to express their preference. This solidifies the patient's autonomy early in their health journey and provides a way to create open lines of communication.
Uses of PHI including treatment, payment, healthcare operations, and disclosures required by law or public health activities.
Disclosures not covered by HIPAA’s permitted uses, like unauthorized marketing or using PHI for personal gain.
A security process that converts data into a coded format to prevent unauthorized access.