Paubox blog: HIPAA compliant email made easy

Handling text messages with PHI on employee-owned devices

Written by Liyanda Tembani | November 09, 2024

To handle text messages with PHI on employee-owned devices, use HIPAA compliant secure messaging platforms with encryption and avoid regular texting apps. Set clear policies requiring password protection, device encryption, and remote wipe capabilities in case of loss or theft. Provide training to staff on secure messaging practices and monitor device usage.

HIPAA compliance and text messaging

The HIPAA Privacy and Security Rules set strict requirements for protecting PHI, which can be difficult to enforce on employee-owned devices. Personal devices often lack the security controls of organization-managed devices, increasing the risk of unauthorized access to PHI. Without proper safeguards, text messages containing PHI are vulnerable to interception and data breaches.

Read more: Unpacking the HIPAA rules on text messaging

Required security measures

  1. Encryption: Text messages with PHI must be encrypted to ensure the data is protected during transmission. Encryption scrambles the message content, making it unreadable if intercepted. Regular texting apps typically don’t provide HIPAA compliant encryption, so secure messaging platforms are a safer choice.
  2. Secure messaging platforms: Healthcare organizations should consider HIPAA compliant text messaging platforms like Paubox that are designed for secure PHI transmission. These platforms feature encryption, self-deleting messages, audit trails, and restricted access options.
  3. Device security: Enforce password protection and biometric authentication to secure personal devices. Additionally, ask employees to enable remote wiping, allowing data deletion if a device is lost or stolen, reducing the risk of PHI exposure.

Establishing policies and training

Establish clear policies for managing PHI on personal devices. A strong acceptable use policy (AUP) defines when, where, and how PHI can be accessed or transmitted. Policies should cover security requirements like encryption, password protection, and the prohibition of sharing sensitive details via regular text.

Employee education can ensure that staff understand how to handle PHI securely. Training should cover the risks of text messaging, acceptable communication practices, and how to use secure messaging platforms.

Access controls and monitoring

  1. Role-based access: Limit PHI access on personal devices to only those employees who need it to perform their roles, applying the “minimum necessary” rule. Controlling access helps reduce the potential for unauthorized disclosure.
  2. Monitoring and audit logs: Monitoring text message access and use can detect potential security incidents. Platforms with logging capabilities allow administrators to track who accessed PHI, when, and from where, helping identify suspicious activities.

Business associate agreements (BAAs)

HIPAA requires business associate agreements (BAAs) with any third-party providers handling PHI. For text messaging, this may include mobile carriers or messaging apps. Ensure all providers sign a BAA to confirm they comply with HIPAA security standards. Additionally, work only with HIPAA compliant vendors with robust security measures.

Patient consent and communication preferences

Text messaging is generally considered less secure than other communication methods, so obtain explicit patient consent before sending PHI this way. Explain the potential risks of texting and let patients choose their preferred communication method, keeping patient rights and preferences at the forefront.

Implementing BYOD policies and device management

A study on smartphone use and security challenges in hospitals stated "Smartphones are an important part of digital support for physicians in everyday clinical practice. To minimize the risks of use, technical and organizational measures should be taken by the hospital management".

Mobile device management (MDM) solutions allow IT administrators to control and secure employee-owned devices effectively.

  1. BYOD policy: A BYOD policy outlines the requirements for using personal devices in a healthcare setting. The policy should mandate using secure messaging apps, regular security updates, and basic security controls (e.g., passwords, encryption).
  2. Mobile device management (MDM): MDM solutions help enforce security on employee-owned devices. They enable remote wiping, enforce password requirements, and support encryption settings, which strengthen device security when PHI is accessible.

Incident response and breach notification

In case of a data breach involving PHI on personal devices, healthcare organizations must follow the HIPAA breach notification procedures. Correct response measures include notifying affected patients and reporting the breach to the Department of Health and Human Services (HHS) if it meets the HIPAA criteria for a reportable incident.

FAQs

Is it okay to use group texting for PHI on personal devices?

Group texting should be avoided for sharing PHI, as it can unintentionally expose patient information to unauthorized individuals; secure messaging platforms with specific access controls are a safer alternative.

What should I do if a personal device with PHI is lost or stolen?

Immediately report the incident to your compliance officer, activate any remote wipe capabilities, and follow your organization’s breach response protocol to limit exposure.

How can we keep track of which employees have access to PHI on personal devices?

Use an MDM system or maintain a secure, up-to-date log of approved devices and authorized users to streamline tracking and access management.