

Three Things You Need to Know about HIPAA-compliant Secure Text Messaging

Texting among healthcare professionals is becoming more and more prevalent, but many are not taking proper measures to remain compliant with HIPAA.

Text messaging is a force of nature. Its use has grown exponentially. In 2017, 560 billion (yes BILLION) text messages were sent each month. The healthcare industry is not excluded from this growing communications channel. In fact, it has kept pace quite vigorously. Physicians and healthcare providers have discovered the advantages of fast-paced electronic messaging. The industry as a whole has taken a “bull-by-the-horns” approach to its adoption of electronic medical records (EMR) and instant communication. Text messaging, also known as SMS or “short message service,” has allowed physicians to move health-related information from Point A to Point B faster and more efficiently than ever before.

Because the healthcare industry is so busy texting, there are three things you need to know about HIPAA-compliant secure text messaging and they are:

  • The use of medical text messaging is growing at a rapid rate, but texting is not intrinsically secure
  • There is no such thing as a HIPAA-compliant texting device
  • Your live answering service or call center can help you manage texting risks

Studies have shown that more than 80% of healthcare professionals are using SMS texting to share protected health information (PHI). Some providers have not been adequately trained to understand how to properly use text messaging. And still others likely avoid HIPAA compliance rules in favor of efficiency. With 560 billion texts a month zooming around the world, who is going to catch you, right? Wrong. The risks of legal and financial consequences are still very real. Doctors and medical organizations can lose trust, reputations can be tarnished, steep fines can be levied, and even terms of imprisonment can be handed out to those who ignore HIPAA.

Text messages are mainly sent between individuals from cell phone to cell phone. In a medical application, a doctor might use his or her cell to quickly text PHI to a nurse in the field who needs to make a quick decision. Or, a nurse might go online to access her mobile account to send an SMS back to that same doctor. Even still, a mobile x-ray technician might call into his answering service so that an important message can be relayed to the doctor he is running tests for. That answering service would then create a message ticket which might be emailed or texted to the doctor. See? There are a lot of fingers in the text messaging pie. This is because texting is more than just sending a message from cell phone to cell phone. It also includes sending messages from mobile websites, call centers, answering services, switchboards and web-based messaging applications.

It may be that the sheer volume of text messages sent gives providers a false sense of security because texting is so commonplace. Who’s going to see my little old text message anyway? So rather than be prudent, a decision is made to keep up with all of the advantages of lightning-fast electronic messaging. But the choice doesn’t have to come down to this. The healthcare industry does not need to continue to participate in dangerous messaging practices that put it in jeopardy. However, regardless of the best efforts of hospital executives and administrators to prohibit unsecured texting of PHI, the use of unsecured texting is rife.

Just think about hospice for a moment. Hospice, by nature, is a “mobile” form of support. Nurses go to the homes of the patients they care for and they are often in transit from one place to another. But not only hospice, healthcare in general is becoming more mobile. Some doctors actually make house calls (again). There are mobile x-ray companies and firms that drive lab results all over town. With everyone running around all the time, SMS has become a default mainstay of mobile messaging. Text messaging has indeed revolutionized healthcare communications. Texting use will continue to rise, so providers must ensure its use is handled in a secure and compliant manner.

FACT: Productivity increases when decisions can be made quickly
FACT: Healthcare workers need to quickly relay protected health information
FACT: SMS texting is not secure
FACT: More than 80% of healthcare providers are regularly texting PHI
FACT: Close to 90% of physicians use smartphones in the workplace

So, does any of this matter to you? It does if you are a covered entity. A covered entity is any healthcare provider that electronically transmits any health information in connection with transactions for which the Department of Health and Human Services has adopted standards. So the solution is simple, right? Just get a secure HIPAA-compliant texting device. But the problem is this: they don’t exist.

There is no such thing as a HIPAA-compliant mobile device. However, there are HIPAA-compliant processes, platforms, and applications that can help you manage your risk of violating HIPAA regulations. HIPAA, as it is written, does not require that providers use specific types of technology to administrate the handling of PHI. So there is no such thing as a HIPAA-compliant cell phone, pager, smartphone or tablet. HIPAA rules are in place to safeguard the use and handling of PHI to ensure privacy. SMS text messaging is not secure because it generally lacks any kind of encryption.

However, even encrypted text messaging isn’t secure because it cannot guarantee that the device that accesses it is secure. Further, the senders of text messages cannot know with 100% certainty that their messages have been received by the intended addressee. Add to that the fact that wireless carriers and telecommunications carriers commonly keep records of text messages and email content.

It seems like everyone has their hands on PHI. And in a way, this is true. But if you touch it, you own it. So you better protect it. If you lose your mobile device and it contains protected health information (PHI), you can be liable for a breach of HIPAA. It can happen just that fast and the lawsuits are real. In 2018, three Massachusetts hospitals were fined $1 million for HIPAA violations. Ouch.

So if no mobile device is secure, what can you do? The HealthIT.gov website offers several steps that providers can follow to assist with HIPAA compliance:

  1. Use a password-protected or other user-authenticated device (like fingerprint or facial recognition)
  2. Install and enable encryption
  3. Install and activate remote data wiping and remote device disabling
  4. Disable and do not install file-sharing applications
  5. Install and enable a data firewall
  6. Install and enable security software
  7. Keep security software up-to-date
  8. Carefully research all mobile applications before downloading (as many of them scour the data on your device)
  9. Maintain physical control of devices (don’t lose them!)
  10. Use adequate security to send or receive PHI over public Wi-Fi networks
  11. Delete all stored PHI before discarding or re-using a mobile device

Beyond device security, healthcare providers must also consider secure text messaging applications. The applications are what can secure the text messaging process in general. There are a number of different companies that have developed “secure” text messaging applications and processes to help healthcare providers use text messaging safely. However, let the buyer beware. There are several providers who truly are HIPAA-compliant, some who say they are secure but are not, and still others who have secure messaging but do not purport to be HIPAA-compliant in any way, shape or form. As a healthcare provider you need to know the difference, so ASK.

Examples of the secure messaging players available today are companies like TigerConnect. The applications provided by companies like this allow for secured text messaging. Additional specialized features can help providers manage their handling of PHI. Text messages are no longer sent from device to device, but are delivered to a completely secure cloud-based environment. The end user is notified (by text or email) that there is a message awaiting them (in the cloud). They simply log into their password-protected, secure account to read their messages. No PHI data is ever delivered to, nor resides on, their mobile device.

Other feature sets of these cloud-based applications include such tools as Delivery Notification, Read Confirmations, Message Lifespan and Message Recall to help providers be more efficient in handling PHI. Administrators also have the ability to remotely wipe the account in the event a device is lost or stolen.

When text messages are moving from point A to point B, the most common way to secure that information is by using SSL, which stands for “Secure Sockets Layer.” When messages are not moving along the information highway, they need to be secured at their initial and final resting places. This involves ensuring that the data storage servers that are holding that PHI are secured from the outside world. Cloud-based secure text messaging service providers like TigerConnect have both sides of the fence covered. A cloud-based application like Microsoft Lync, for example, offers secure messaging to its users but it is not a HIPAA-compliant service. Nor does it pretend to be. Twilio, also, is not HIPAA-compliant.

“But what about my answering service? They told me that they are HIPAA-compliant.” Your answering service or call center may very well be HIPAA-compliant. And they should be. But that doesn’t prevent or exempt you, as a healthcare professional, from using secure forms of text messaging.

An answering service is HIPAA-compliant when it properly manages and maintains the data that it is handling. Telephone answering services and call centers provide a cornerstone communications platform for the healthcare industry. Millions of providers and organizations commonly use answering services to relay critical messages. Providers feel totally comfortable receiving text messages from call centers and answering services, thinking they are safe from HIPAA violations. Messages are delivered as emails and texts. But this is where the providers are mistaken. Once the PHI is delivered to their mobile device, tablet or cell phone, they are immediately susceptible to a HIPAA breach.

One of the biggest problems with HIPAA-compliance for healthcare providers has been a lack of direction, safeguards, and adoption of secure technologies. In a survey conducted a few years ago, 94% of covered entities reported that they had at least one HIPAA breach in the past 2 years. And the most common cause of breach was the loss or theft of a mobile device.

If your chosen answering service is interfacing with secure text messaging technologies, then they can help you mitigate your HIPAA-compliance risks. Answering service providers should be able to connect to a variety of secure cloud-based texting relay services. Or maybe they even use an app like CogniSent to deliver messages in a secure and compliant manner.

Remember, however, an answering service does not have to send PHI to a healthcare provider. Some medical providers opt for the service to send a text message to a provider requesting that they call in to retrieve their messages. Other providers have services contact them securely by outbound phone call to verbally relay protected PHI. Either way, your answering service can be of great value to your organization.

Healthcare providers and workers adopt policies and procedures that keep themselves safe at all times. When selecting an answering service vendor, be sure that they, too, have adopted policies and procedures that are designed to keep you safe. Your provider should have and use secure text messaging applications. If they do not, find out if they can interface with whatever secure application you are currently using.

It is the responsibility of your call center partner to take great precautions ensuring that their agents are not using cell phones in the workplace, for example, which could be improperly used to transmit secure PHI. Further, they must safeguard any and all data by encrypting it and storing it securely behind firewalls. They must regularly train their agents on the awareness and proper data handling procedures outlined by the HIPAA guidelines.

So you don’t have to give up on text messaging just because it is not inherently secure. You should adopt text messaging and help your healthcare organization use it to its fullest effect. You don’t have to struggle with a decision to ban text messaging from your organization because ease-of-use considerations are putting you at risk. Adopt the right policies and procedures and get your organization and your answering service involved in using secure text messaging applications so that you can provide a better service to your patients.

This entry was posted in Articles by Brian Gabriel.

About Brian Gabriel

As the Call Center Manager for Sound Telecom, Brian is responsible for overseeing the daily operations and long term success of the company while managing a variety of inbound customer support programs. He also has a hand in taking care of the Solaxis services division. Prior to joining Sound Telecom, Mr. Gabriel held management positions with several prominent Internet Services companies including XpenseWise.com and Greatfood.com. Brian started his career in advertising and sales before moving to Washington State. He joined AEI Music in 1995 and supervised their international customer service department and technical support call centers. Brian received a Bachelor of Arts degree in Journalism with a minor in Spanish languages from San Diego State University. Brian teaches adult education at his church and actively supports Christian ministries.