How HIPAA hampers text messages for health

By: Jonah Comstock | Feb 20, 2013        


The new HIPAA omnibus rule spurred a lot of discussion, but as with any legislation, how it affects real workflow isn’t yet certain. A case study has been published in the American Journal of Public Health (AJPH) detailing how HIPAA influences a public health text messaging intervention.

Hilary N. Karasz, PhD, Amy Eiden, JD, and Sharon Bogan, MPH, of Public Health-Seattle and King’s County, Washington, suggest that although HIPAA’s well-known privacy rule doesn’t apply to text messaging any differently than to other forms of communication, HIPAA’s security rule presents problems because text messaging is not a secure form of electronic communication. Even if secured on the hospital or health agency’s computers, text messages go through mobile operators, over which the covered entity has no control, and finally to patients, whose phones could be lost, stolen, or otherwise unsecured.

In the AJPH case study, the authors wanted to use text messaging to send follow-up messages to lower-income parents whose children had received a flu shot but needed a second follow-up shot in 30 days. They determined that the originally planned targeted messages, which included the child’s name and a reference to a “second flu shot”, technically contained Patient Health Information (PHI) as defined by HIPAA: both the patient’s name and the implication that they had already received a flu shot.

The team was able to craft messages that didn’t include PHI by eliminating the name and making the language more generic. The final message, broken into two parts, read: “Keep your child protected against the flu. Some kids need a second dose 30 days after they receive their first flu shot.” and “Do you remember asking for a text message reminder for flu vaccine? It’s time! Call a doctor or pharmacy to schedule an appointment.”

Even though eliminating the PHI was a sufficient solution for this intervention, the case report also looks at what would be required to meet the security standard while leaving the information in. The authors found that the standard was flexible enough that it could likely be met in the context of text messaging, by getting recipients to sign a security waiver at the time that they signed up for the message. But the writers also suggest that OCR issue guidance that would make the HIPAA requirements for text messaging clearer.

The biggest point of tension between text messaging and HIPAA is that personalization is considered one of the most effective ways to reach people with texting, but personalized texts are also the most likely to contain PHI.

“Despite inherent risks, public health departments have a responsibility to use communication channels that will reach their communities effectively, particularly in instances in which there is a benefit to the public’s health,” the article says. “Texting is a powerful communication channel, in part because it can be customized. If all personally identifying information is removed, this may eliminate the greatest strength of text messaging.”

  • Michael Swiernik, MD

    Without using a third-party app, the article is accurate re: the HIPAA issues of plain text messaging (i.e., provider to patient using their regular SMS on their phones). There is another way to text message that makes it HIPAA-compliant, and that is to use an app like the one we offer (mHealthText –, which makes the provider’s side HIPAA-compliant in a secure app while sending SMS messages to the patients, essentially brokering between the two communication methods. Patients can receive PHI via SMS on their phones as long as the provider meets the Privacy Rule requirements for patient communications (basically, the Notice of Privacy Practices says that SMS will be used, and patients can opt to receive it another way). The HIPAA risk has everything to do with the provider’s side of the SMS process, which this app solves.

  • Jeff W.

    Or use Tigertext, it’s that simple!

  • Steve Decker

    Another option is TrustText – it is compliant with the HIPAA privacy and security rules

  • Hon Pak

    Is there any vendor that supports secure text messages for all smart and feature phones?

  • Cliff McClintick

    Absolutely, Doc Halo supports iOS, Droid, Windows, and BlackBerry. Doc Halo is HIPAA compliant with a health care centric approach!

  • Matt E.

    If you are looking for a HIPAA compliant text messaging app for your healthcare organization or for your telephone answering service (TAS) check out miSecureMessages at

  • DocsInk

    Little late to the party… but we do offer HIPAA secure chat and text messaging at

    Ours is a bit different as we also connect the dashboard and administrators and staff to the providers from their PC or dashboard. We’re getting some great reviews for it and it’s free to try for 60 days.