Guest Column | October 25, 2019

HIPAA Compliance In The Age Of Mobile Messaging

By Ian Reither, Telnyx

HIPAA Text Messaging

Mobile messaging has permeated a variety of industries, offering anyone with access to a smartphone the opportunity to quickly and easily communicate across their organization in an accessible and familiar manner. For an industry as demanding and fast-paced as healthcare, mobile messaging has emerged as a particularly valuable tool. 

Physicians use the technology to communicate with colleagues, coordinate referrals and even notify patients of diagnostic results. Patients depend on mobile messaging for appointment scheduling and reminders, and thanks to the rise of telemedicine, the technology is also being used for ongoing care management and medication monitoring.

HIPAA Standards And BAAs Must Be Applied To The Transmission Of ePHI
Without a doubt, the first concern that comes to mind given the rise of mobile messaging across the healthcare industry is the security of transmitted patient data. Of course, HIPAA standards were designed with the express purpose of protecting sensitive patient data and regulating how a covered entity must handle personal health information (PHI). Any covered entity therefore needs to have measures and policies in place to restrict PHI access to only those with explicit permission. And for third parties constituting business associates who may not be HIPAA compliant, Business Associate Agreements (BAA) should be put in place to hold third parties accountable for protecting the PHI they have access to.

The electronic transmission of PHI via mobile messaging or SMS texting is not immune from HIPAA standards and BAAs. Rather than prohibiting mobile messaging, HIPAA requires that covered entities and business associates acting on their behalf implement administrative, physical and technical safeguards when transmitting or storing electronic PHI (ePHI). HIPAA doesn’t recommend specific safeguards to protect ePHI sent via mobile messaging — opening up many healthcare organizations and their patients to a myriad of security risks. 

HIPAA’s Privacy Rule states that whether a use case implicates HIPAA and BAAs (or falls within limited exceptions) is a fact-specific determination. Evolving technology means evolving factual scenarios. Rather than simply relying on vendor partners’ interpretations of HIPAA as it pertains to new facts, cutting-edge companies should focus on ensuring best practices to assess and mitigate security risks associated with PHI transmissions. HIPAA’s Security Rule provides a helpful framework for assessing and mitigating risks associated with ePHI transmissions. 

Technical Best Practices For Mitigating Security Risks
For example, key technical safeguards included within the HIPAA Security Rule that are worth reviewing before messaging any ePHI include the following controls: Unique User Identification, Automatic Logoff, Encryption/Decryption, Auditing, Integrity Management, Authentication and Transmission Security. Equally important to ensuring all ePHI remains HIPAA compliant during text transmissions is conducting a risk analysis to determine where ePHI lives within the organization and what risks threaten it (e.g., natural disaster, malicious breach, employee negligence, etc.)  

In addition to reviewing technical safeguards and conducting a risk analysis, healthcare organizations should adhere to the following best practices to ensure HIPAA compliance while transmitting ePHI via mobile messaging:

  • Confirm patients’ communication preferences. As mentioned previously, BAAs hold third parties who may not be HIPAA compliant accountable for protecting the PHI they have access to. However, if a third party with access to PHI doesn’t have a BAA in place, healthcare organizations are unable to guarantee HIPAA compliance. As a result, it’s in everyone’s best interest to ask patients for their communication preferences (i.e., explicitly ask them to “opt in” to mobile messaging communication as a part of their HIPAA Compliance form). Also, outline specific communication options, such as whether a physician can leave a detailed message on a patient’s voicemail or share information with a designated family member, as this helps clarify how the covered entity will protect ePHI and engage with patients outside their walls.
  • Implement end-to-end data encryption. When storing mobile messaging data in the cloud (as is required), it must first be transmitted. It’s therefore critical that ePHI is protected from unauthorized and malicious access during the transit to the cloud. Encryption alone isn’t enough. Make sure the providers you select to store and backup your data offer end-to-end encryption, meaning all data will be encrypted even during transit.
  • Activate audit trails. Any healthcare communications platform — especially mobile messaging — needs to include an audit trail to monitor who sent what and when. Make sure all mobile messaging correspondence is collected and stored as part of a patient’s health record and that proper document retention policies are enforced. 

Ensuring Constant And Thorough Security Is Paramount
Mobile messaging has introduced a simple and cost-effective way to communicate ePHI. As a result, text messaging solutions designed explicitly for healthcare organizations will continue to enter the market; however, it’s imperative that the various risks stemming from mobile messaging vulnerabilities are recognized. Before leveraging text messaging to optimize the efficiency of your healthcare organization, take the time to evaluate the corresponding risks and establish a thorough security protocol to ensure compliance with HIPAA. In doing so, the potential for unauthorized ePHI use or disclosure can be avoided, and the threat of devastating data breaches can significantly be diminished.

About The Author

Ian Reither is COO for Telnyx.