The new HIPAA omnibus rule spurred a lot of discussion, but as with any legislation, how it affects real workflow isn’t yet certain. A case study has been published in the American Journal of Public Health (AJPH) detailing how HIPAA influences a public health text messaging intervention.
Hilary N. Karasz, PhD, Amy Eiden, JD, and Sharon Bogan, MPH of Public Health-Seattle and King’s County, Washington suggest that although HIPAA’s well known privacy rule doesn’t apply to text messaging any differently than other forms of communication, HIPAA’s security rule presents problems because text messaging is not a secure form of electronic communication. Even if secured on the hospital or health agency’s computers, text messages go through mobile operators, over which the covered entity has no control, and finally to patients, whose phones could be lost, stolen, or otherwise unsecured.
In the AJPH case study, the authors wanted to use text messaging to send follow-up messages to lower-income parents whose children had received a flu shot but needed a second follow-up shot in 30 days. They determined that the original planned targeted messages, which include the child’s name and a reference to a “second flu shot”, technically contained Patient Health Information (PHI) as defined by HIPAA — both the patient’s name and the implication that they had already received a flu shot.
The team was able to craft messages that didn’t include PHI by eliminating the name and making the language more generic. The final message, broken in to two parts, read: “Keep your child protected against the flu. Some kids need a second dose 30 days after they receive their first flu shot.” and “Do you remember asking for a text message reminder for flu vaccine? It’s time! Call a doctor or pharmacy to schedule an appointment.”
Even though for this intervention, eliminating the PHI was a sufficient solution, the case report also looks at what would be required to meet the security standard while leaving the information in. They found that the standard was flexible enough that it could likely be met in the context of text messaging, by getting recipients to sign a security waiver at the time that they signed up for the message. But the writers also suggest that OCR issue a guidance that would make the HIPAA requirements for text messaging more clear.
The biggest point of tension between text messaging and HIPAA is that personalization is considered one of the most effective ways to reach people with texting, but personalized texts are also the most likely to contain PHI.
“Despite inherent risks, public health departments have a responsibility to use communication channels that will reach their communities effectively, particularly in instances in which there is a benefit to the public’s health,” the article says. “Texting is a powerful communication channel, in part because it can be customized. If all personally identifying information is removed, this may eliminate the greatest strength of text messaging.”