Once every two minutes and 43 seconds. No, that’s not how many times toddlers ask a question. It’s how often the average American reaches for his or her smartphone. 

Text messaging has become the preferred method of communication for many individuals, so much so that the average open rate is 98 percent. No wonder, then, that roughly 70 percent of physician practices use some form of text messaging to communicate with their patients. Eighty-seven percent of physicians and 67 percent of nurses use personal mobile devices to support their workflows with encrypted texting.

Text messaging also enables healthcare payers to connect with their members. In a J.D. Power survey, roughly one-third of commercial health plan members reported connecting with their payer over the past year through text message, mobile app or web — the highest percentage ever recorded. 

By employing text messaging, healthcare providers and payers can facilitate access to care, cut down on phone calls, simplify and streamline appointment scheduling, reduce no-shows and cancellations and improve staff productivity. It’s a scalable digital health tool that enables them to automate and enhance time-consuming administrative tasks. 

The Complexity of HIPAA 

There are rules and regulations for communicating with patients, though. The biggest? The Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, text messaging can be compliant provided that administrative, physical and technical safeguards are in place to ensure the confidentiality, integrity and availability of protected health information (PHI) that is stored or transmitted electronically.

This often is easier said than done. That’s because the HIPAA Administrative Simplification Regulation consists of 115 pages of legal jargon, definitions, modifications, rules and exceptions. It all boils down to this: if a text message contains PHI, the HIPAA safeguard requirements apply to it, and the organization risks a violation if they are not met. Ordinary carrier SMS does not meet them on its own: it is not end-to-end encrypted, carriers can read and retain it, and it is readable in the handset’s default messaging app by anyone holding an unlocked phone. The practices below therefore assume a dedicated secure messaging application rather than native texting.

Healthcare providers and payers can better conduct patient outreach and engagement through text messaging when they follow best practices for complying with HIPAA. They should also ensure that all of their employees, affiliates, physicians and third-party contractors and vendors know and apply HIPAA’s guidelines for protecting PHI.

Here are five best practices providers and payers should follow to maintain HIPAA compliance while reaping the benefits of a secure messaging solution:

1. Establish procedures and policies to manage who is authorized to access PHI when texting.

HIPAA requires that healthcare organizations and their business associates manage who has the right to access, change or distribute sensitive health data. Access to PHI should be limited to the minimum necessary to perform a job. Each covered entity decides which access controls, software and systems it uses to manage authorized access to PHI in its messaging software, but the HIPAA Security Rule’s access control standard names four implementation specifications. The first two are required; automatic logoff and encryption are “addressable,” which means the entity must implement them or document why an alternative is reasonable and appropriate, not that it may skip them:

  • Unique User IDs: Every person who accesses PHI must have a unique identifier (a name or a trackable number) so that activity in a system containing PHI can be attributed to an individual. Shared or group logins defeat this. A secure text messaging program requires each authorized user to sign in with a unique ID to access, send and receive messages.
  • Emergency Access Procedures: Covered entities must have documented workflows for obtaining PHI in an emergency. These procedures should spell out which kinds of emergencies justify urgent access and who is granted it, and that access should still be logged.
  • Automatic Logoff: Software that contains or integrates with PHI, including a secure text messaging platform, should end a session automatically after a predetermined period of inactivity. This limits the window in which an unattended or unlocked device exposes PHI to whoever picks it up.
  • Encryption: Messages containing PHI should be encrypted so that they are unreadable to anyone who does not hold the key, both in transit and at rest on the device and the server; this matters most when a device is lost or stolen. When PHI is texted between users in the same organization from a mobile device or an organizational computer, both the sender’s and the receiver’s endpoints must meet the encryption requirement. Encryption also has a regulatory payoff: under the Breach Notification Rule, PHI encrypted in line with HHS guidance is not “unsecured PHI,” so the loss of a properly encrypted device does not by itself trigger breach notification.

2. Implement audit and reporting controls for HIPAA-compliant texting.

The HIPAA Security Rule requires covered entities and their business associates to implement audit controls: hardware, software and procedural mechanisms that record and examine activity in systems that contain or use PHI. Reviewing those records is how an organization spots misuse, identifies weaknesses in the technical infrastructure and software protecting PHI and mitigates them. The requirement applies to any messaging platform that transmits, stores or processes PHI, whether on organizational or personal computers and mobile devices. It is up to the covered entity to decide which audit controls are reasonable and appropriate, but at a minimum the records should capture who (the unique user ID) did what to which message and when, and they should be protected from alteration by the users whose activity they document.
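To make the first and second practices concrete, here is an added example in Go; it is not code from the original post or from any vendor’s product. It sketches the server side of a messaging back end in which every session is bound to a unique user ID, every access decision is appended to an audit trail under that ID, and a session that sits idle past a limit is destroyed rather than quietly refreshed. The 10-minute idle limit, the type and function names, the audit-line format and the timestamps are all assumptions chosen for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Added example, not product code: an in-memory session store that enforces
// unique user IDs, automatic logoff after inactivity and an audit trail of
// every access decision. The 10-minute idle limit is an assumption.

var (
	ErrNoSession      = errors.New("no active session for this token")
	ErrSessionExpired = errors.New("automatic logoff: idle timeout exceeded")
)

type Session struct {
	UserID       string    // unique per person; never a shared "nurse-station" login
	LastActivity time.Time // idle clock restarts on every successful access
}

type SessionStore struct {
	IdleTimeout time.Duration
	sessions    map[string]*Session // keyed by an opaque session token
	Audit       []string            // append-only audit trail (time, user ID, outcome)
}

func NewSessionStore(idle time.Duration) *SessionStore {
	return &SessionStore{IdleTimeout: idle, sessions: make(map[string]*Session)}
}

// record appends one audit line. Lines name the user ID, not the session
// token, so activity can be attributed to an individual.
func (s *SessionStore) record(at time.Time, userID, event string) {
	s.Audit = append(s.Audit, fmt.Sprintf("%s user=%s %s",
		at.UTC().Format(time.RFC3339), userID, event))
}

// Login binds a session token to an already-authenticated user's unique ID.
func (s *SessionStore) Login(token, userID string, now time.Time) {
	s.sessions[token] = &Session{UserID: userID, LastActivity: now}
	s.record(now, userID, "login")
}

// Authorize is called before any PHI is read or sent. It returns the user ID
// the action is attributed to, or an error if the session is missing or has
// been idle longer than IdleTimeout, in which case the session is removed
// (automatic logoff) instead of being refreshed.
func (s *SessionStore) Authorize(token, action string, now time.Time) (string, error) {
	sess, ok := s.sessions[token]
	if !ok {
		s.record(now, "unknown", "denied "+action+": "+ErrNoSession.Error())
		return "", ErrNoSession
	}
	if now.Sub(sess.LastActivity) > s.IdleTimeout {
		delete(s.sessions, token)
		s.record(now, sess.UserID, "denied "+action+": "+ErrSessionExpired.Error())
		return "", ErrSessionExpired
	}
	sess.LastActivity = now
	s.record(now, sess.UserID, "allowed "+action)
	return sess.UserID, nil
}

func main() {
	store := NewSessionStore(10 * time.Minute)
	t0 := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC) // constructed timestamps
	store.Login("tok-123", "rn.jsmith", t0)

	// 9:05: active use keeps the session alive and restarts the idle clock.
	if _, err := store.Authorize("tok-123", "read-thread", t0.Add(5*time.Minute)); err != nil {
		fmt.Println("unexpected:", err)
	}
	// 9:16: eleven idle minutes exceed the limit; the user is logged off.
	if _, err := store.Authorize("tok-123", "send-message", t0.Add(16*time.Minute)); err != nil {
		fmt.Println("denied:", err)
	}
	for _, line := range store.Audit {
		fmt.Println(line)
	}
}
```

Passing the clock in as a parameter rather than calling time.Now() inside Authorize is what makes the logoff behaviour testable; the denied attempt after logoff is recorded too, because a failed access is exactly the kind of event an audit review needs to see.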

3. Ensure PHI is not improperly changed or destroyed during texting.

Maintaining the integrity of sensitive health information is essential, which is why HIPAA defines integrity as PHI not being “altered or destroyed in an unauthorized manner.” If patient information is changed, whether by human error, an information system failure or deliberate tampering, the integrity of the data is compromised. The HIPAA Security Rule requires covered entities to implement policies and procedures that protect PHI from improper alteration or destruction, with an addressable specification for an electronic mechanism to corroborate that it has not been altered. For HIPAA-compliant texting that means technical safeguards that let the receiving side detect any change to a message, such as a message authentication code or digital signature, rather than trusting that the bytes that arrived are the bytes that were sent.

4. Provide proof of identity before sending and receiving messages.

All users who access PHI must authenticate their identity. A secure text messaging program can meet this requirement by having users prove who they are with something they know, something they have or something they are; a user is authenticated when the presented credential matches what is stored in, or derived by, the system. Acceptable methods include a password or PIN, a smart card or hardware key, and biometric identifiers. Healthcare professionals who send and receive HIPAA-compliant text messages from their mobile devices must present such credentials before the app releases PHI, and because phones are easily lost, pairing a device-bound credential with a PIN or biometric is stronger than a password alone.

5. Guard against unauthorized access to PHI during transmission.

For HIPAA-compliant text messaging, it’s essential to establish privacy and security measures that prevent unauthorized access to PHI from any mobile device. The Security Rule’s transmission security standard has two implementation specifications, both addressable, which covered entities must implement or justify an equivalent alternative for:

  • Protect the integrity of PHI during transmission: Covered entities must ensure that “the data that is sent is the same as the data received.” This is achieved with transport and message protocols that authenticate the data, such as TLS for the connection between the app and the server and, because messages are stored and forwarded, a per-message authentication tag or signature that the recipient verifies before displaying the message.
  • Encrypt PHI during transmission: Covered entities should ensure PHI is encrypted whenever it travels over a network. Because secure texting relies on an internet connection, often a public or cellular network the organization does not control, the messages must be encoded so that they are unreadable to anyone who intercepts them. It is up to each entity to decide how encryption is applied by assessing the level of risk involved; in practice that means encrypting the transport (TLS) and the message body itself, so the content stays protected while queued on the server and on the recipient’s device.
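The third and fifth practices ask for the same two properties of each message: nobody without the key can read it, and the recipient can tell whether it was changed. The following added example in Go (not code from the original post or from any vendor’s product) shows how a messaging app can provide both at once with an authenticated cipher, AES-256-GCM from the Go standard library. The routing header is bound to the ciphertext as associated data, so the server can read it to deliver the message but cannot swap it without the recipient noticing. Key generation inline, the header format, the function names and the sample message are assumptions constructed for the illustration; in a deployment the key would come from a key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not product code. Messages are protected with AES-256-GCM, an
// authenticated cipher: the ciphertext hides the PHI, and the tag lets the
// receiver prove the bytes received are the bytes sent. The routing header
// (sender, recipient) is bound as associated data, so it stays readable for
// delivery but cannot be altered without detection.

// NewMessageKey returns a random 256-bit key. In a real deployment the key
// comes from a key-management service; here it is generated for the demo.
func NewMessageKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys only
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMessage returns nonce || ciphertext || tag. A fresh random nonce per
// message is essential: reusing a nonce under the same key breaks GCM.
func SealMessage(key, header, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, producing the wire format.
	return aead.Seal(nonce, nonce, plaintext, header), nil
}

// OpenMessage verifies and decrypts. Any change to the nonce, ciphertext, tag
// or header makes it fail closed: no plaintext is released.
func OpenMessage(key, header, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, header)
	if err != nil {
		return nil, errors.New("message rejected: integrity check failed")
	}
	return pt, nil
}

func main() {
	key, _ := NewMessageKey()
	header := []byte("from=dr.alvarez;to=rn.jsmith")                               // constructed header
	msg := []byte("Pt. J. Doe, DOB 1980-03-04: potassium 5.9, please recheck today") // constructed PHI

	blob, _ := SealMessage(key, header, msg)
	if pt, err := OpenMessage(key, header, blob); err == nil {
		fmt.Printf("delivered intact: %s\n", pt)
	}
	// A single flipped bit in transit is caught, not silently delivered.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenMessage(key, header, tampered); err != nil {
		fmt.Println("tampered copy:", err)
	}
	// Re-addressing the envelope to another recipient also fails.
	if _, err := OpenMessage(key, []byte("from=dr.alvarez;to=someone.else"), blob); err != nil {
		fmt.Println("re-addressed copy:", err)
	}
}
```

Note that the check is all-or-nothing: a receiver that displayed partial plaintext before the tag failed would defeat the integrity guarantee, which is why OpenMessage only returns plaintext after aead.Open has succeeded. This protects the message body end to end; the TLS connection to the server still protects everything else on the wire, including the routing header.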

Talk with our solutions team to understand how our secure two-way text messaging solution will enhance your patient communication and engagement.