Paubox blog: HIPAA compliant email made easy

HIPAA guidelines for texting PHI between doctors

Written by Liyanda Tembani | October 03, 2024

HIPAA guidelines for texting PHI between specialists and primary care physicians include using secure messaging platforms with encryption, access controls, and audit trails. Providers must ensure only authorized personnel can access the messages, follow the minimum necessary rule by sharing only essential information, and obtain a business associate agreement (BAA) with third-party vendors handling PHI. The mobile devices used for texting PHI must have proper security safeguards, including encryption and remote wipe capabilities, to protect patient privacy and maintain HIPAA compliance.

 

The role of text messaging in healthcare

Text messaging allows physicians to consult on patient diagnoses, discuss treatment plans, and coordinate care. Despite the convenience, texting can lead to risks such as unauthorized access or breaches if proper safeguards aren’t in place. HIPAA regulates how PHI is handled and applies to text communication. 

 

HIPAA requirements for texting PHI

The HIPAA Privacy Rule governs the use and disclosure of PHI, and the Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI), which includes any PHI created, stored, or transmitted by text message. When specialists and primary care physicians use text messaging to discuss patient details, they must use methods that meet those safeguards.

According to the HHS, “texting patient information among members of the health care team is permissible if accomplished through a secure platform.” Standard SMS and consumer messaging apps such as iMessage and WhatsApp do not meet that bar on their own: SMS is unencrypted and is stored by carriers, and while iMessage and WhatsApp encrypt messages in transit, they give the organization no audit trail, no central control over who can join a conversation, and are not covered by a business associate agreement. Using these channels for PHI without such safeguards can result in a HIPAA violation. 

Related: The risks of using regular SMS for patient communication

 

Using secure messaging platforms

Healthcare providers must use HIPAA compliant text messaging platforms to text PHI securely. These platforms offer several features:

  • Encryption in transit and at rest ensures that only the intended users can read message content, protecting PHI from interception and from exposure if a server or device is compromised.
  • Audit trails record who sent, received, and read PHI, and when, creating accountability and the evidence needed to investigate an incident.
  • Access controls, tied to each user's role and organization, ensure only authorized personnel can use the platform and join a given conversation.

When choosing a messaging platform, verify, rather than assume, that it meets HIPAA’s encryption, access control, and logging requirements. Many healthcare-specific messaging apps are designed for this purpose and should be the preferred option for providers texting PHI.
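To make the access-control and audit-trail features concrete, here is an added example (not code from this page or from any vendor's product) of how a messaging service can enforce who may exchange PHI about a patient and keep a tamper-evident record of every attempt. The care-team directory, clinician and patient identifiers, and message text are all constructed for the example; the hash-chained log is one common way to make an audit trail detect deletion or editing.

```python
"""Added example (not Paubox code): access control plus a tamper-evident audit
trail for provider-to-provider PHI messaging. All names and data are constructed."""
import hashlib
import json

# Constructed care-team directory: which clinicians may exchange PHI about which
# patient. A real platform would derive this from the EHR or an identity system.
CARE_TEAM = {
    "patient-001": {"dr.lee", "dr.patel"},
    "patient-002": {"dr.lee"},
}


class AuditLog:
    """Append-only log in which each entry commits to the previous entry's hash,
    so an edited or deleted entry is detected by verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def _digest(self, entry):
        # Hash every field except the entry's own hash, with a stable key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, event, at, **fields):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"event": event, "at": at, "prev": prev, **fields}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return False
            prev = entry["hash"]
        return True


def send_phi_message(sender, recipient, patient_id, body, audit, at):
    """Deliver a PHI message only if both sender and recipient are on the
    patient's care team. Returns True when delivered. Every attempt, allowed or
    denied, is audited. The log stores a digest of the body, not the body,
    so the audit trail does not become a second copy of the PHI."""
    team = CARE_TEAM.get(patient_id, set())
    body_digest = hashlib.sha256(body.encode()).hexdigest()
    if sender not in team or recipient not in team:
        audit.record("denied", at, sender=sender, recipient=recipient,
                     patient=patient_id, body_sha256=body_digest)
        return False
    # Hand-off to the encrypted transport would happen here (assumed, out of scope).
    audit.record("sent", at, sender=sender, recipient=recipient,
                 patient=patient_id, body_sha256=body_digest)
    return True


if __name__ == "__main__":
    log = AuditLog()
    print(send_phi_message("dr.lee", "dr.patel", "patient-001", "A1c 8.2, adjust metformin", log, 1))
    print(send_phi_message("dr.lee", "dr.patel", "patient-002", "A1c 8.2, adjust metformin", log, 2))
    print(log.verify())
```

The check is deliberately applied to the recipient as well as the sender: a clinician who is on a patient's care team still cannot push that patient's PHI to a colleague who is not. Keeping message bodies out of the audit log is the same minimum-necessary principle applied to the platform's own records.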

 

The business associate agreement (BAA)

According to the HHS, "The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information."

The BAA ensures the service provider is also responsible for protecting PHI and complies with HIPAA regulations. Without a BAA in place, using the platform could result in a violation. Before using any third-party texting service, confirm that they provide a BAA and verify that their security practices align with HIPAA’s requirements.

Read more: What is the purpose of a business associate agreement?

 

Authentication and access controls

Healthcare providers must implement user authentication such as strong passwords combined with multi-factor authentication (MFA) or biometrics, both on the messaging platform and on the device that runs it, to prevent unauthorized access to PHI. Access controls should limit who can send, receive, or forward messages containing PHI, so that only authorized personnel are involved in the communication.
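As an added example of the MFA step (not code from this page or from any product), the following implements a time-based one-time password second factor as specified in RFC 6238, using only the Python standard library. The secret is the published RFC 4226/6238 test secret, not a real key; the drift window, replay check, and function names are the example's own choices.

```python
"""Added example (not Paubox code): TOTP second factor per RFC 6238 (HMAC-SHA1,
30-second step). SECRET is the RFC 4226/6238 test vector, not a real key."""
import hashlib
import hmac
import struct

STEP = 30      # time step in seconds
DIGITS = 6
SECRET = b"12345678901234567890"   # RFC test secret, for demonstration only


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_totp(secret, submitted, now, last_counter=None, window=1, step=STEP):
    """Check a submitted code against the current step and +/- `window`
    neighbouring steps to tolerate clock drift. Returns the accepted counter,
    or None. `last_counter` is the highest counter already accepted for this
    user: a counter at or below it is refused, so a code seen over someone's
    shoulder cannot be replayed within the window."""
    current = now // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    print(totp(SECRET, 59))                      # RFC 6238 vector: 287082
    print(verify_totp(SECRET, "287082", 59))     # accepted counter 1
    print(verify_totp(SECRET, "287082", 59, last_counter=1))   # replay: None
```

The caller must persist the returned counter per user and pass it back as `last_counter` on the next attempt; without that, the drift window also becomes a replay window. Pair this with a rate limit on failed attempts, since a 6-digit code has only a million values.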

 

The minimum necessary rule

The HIPAA minimum necessary rule requires that healthcare professionals only share the information necessary to achieve the intended purpose. For example, when texting about a patient, providers should avoid oversharing unnecessary details. Keeping communications focused and minimal helps reduce the risk of inappropriate disclosures.

 

Device security and safeguards

Mobile devices used for texting PHI must have full-device encryption enabled and be locked with a passcode or biometric, and they must support remote wipe. If a device is lost or stolen, the loss should be reported promptly so that providers or IT can erase all data remotely before it is accessed and prevent a breach.

Additionally, text messages containing PHI should be removed from devices once they are no longer needed, in line with the organization’s data retention policy, so that sensitive information does not accumulate on phones indefinitely.

 

Obtaining patient consent

HIPAA permits providers to share PHI with each other for treatment without a patient’s authorization, but it is still good practice to tell patients that their care team communicates by secure text, explain the risks, and document their preferences, especially before texting patients themselves.

Read more: How to get consent for texting and emailing patients

 

Risk assessments and staff training

Regular risk assessments, which the Security Rule requires, help healthcare organizations evaluate whether their texting practices comply with HIPAA, including which apps staff actually use. In addition, staff training on secure messaging and HIPAA guidelines can ensure everyone follows proper procedures.

 

FAQs

Is it acceptable to store PHI-containing text messages on personal devices?

Not without safeguards. Storing PHI-containing text messages on an unmanaged personal device is a HIPAA risk, and if that device is lost or accessed by others it is a likely breach. Devices should be encrypted and managed by the organization, and providers should follow their organization’s secure data storage and deletion policies.

 

Can text messages containing PHI be forwarded to other healthcare providers?

Text messages containing PHI can be forwarded to other healthcare providers, but only if they are sent using a HIPAA compliant platform, follow the minimum necessary rule, and the recipient has proper authorization to view the information.

 

What should be done if a text message containing PHI is accidentally sent to the wrong recipient?

If PHI is accidentally sent to the wrong recipient, healthcare providers must treat it as a potential breach: document the incident, ask the recipient to delete the message, and perform the risk assessment required by the Breach Notification Rule (the nature of the PHI, who received it, whether it was actually viewed, and how far the disclosure has been mitigated). Unless that assessment shows a low probability that the PHI was compromised, the patient must be notified and the organization’s breach reporting obligations to HHS apply.