We live in a fast-paced, digital world where information is shared more quickly than it ever has been. Between high-speed computers, smartphones, and the constant “ping” of a new notification, speed is the name of the game when it comes to how we communicate with each other.
Many organizations subject to HIPAA may be wondering whether or not it is safe to communicate PHI via text message or over the phone. In this blog post, we’ll walk you through relevant HIPAA requirements and potential solutions, so you can make informed decisions about how to keep your information secure in and out of transit.
Why sending PHI over phone or text could be a security issue
Many methods exist for transmitting PHI via electronic means, some with more advanced levels of security than others. Texting and calling both present similar potential vulnerabilities, including a lack of access controls, audit controls, and encryption capability. Under HIPAA, all PHI must be encrypted not only in transit, but also at rest and in storage. In short, all possible entry points must be covered.
While encrypted email, efax, and other solutions are more secure, HIPAA does not explicitly prohibit sending PHI over text or over the phone. However, in order to be compliant, there are some safeguards that need to be in place. These measures will ensure that all information sent remains confidential and safe from potential security breaches.
One safeguard you can implement is 2-factor authentication (2FA). Applying this to all kinds of accounts is generally best practice, but we especially recommend it when using text messaging. If your organization also has a BYOD (bring your own device) policy, these safeguards will be doubly important. If you want to know more about safeguards that can help you transmit PHI safely, you can read more here.
So, is text messaging ever fully HIPAA compliant?
While text messaging is not HIPAA compliant out of the box, there are compliant solutions. HIPAA compliant text messaging apps have recently become popular with medical practices and other health organizations who need to transmit PHI quickly. These apps work like any other messaging apps (WhatsApp, Facebook Messenger, etc.), except they operate within a secure, encrypted network that complies with HIPAA regulations. Some of them even allow voice calls, video calls, and the ability to share files and images. That way, you are not limited to just one type of communication. Data can also be retracted or deleted if a device is stolen, ensuring that all PHI remains secure.
Any third party working in association with or providing services to a Covered Entity or Business Associate is considered a Business Associate or Business Associate Subcontractor, respectively. You must obtain either a Business Associate Agreement (BAA) or a Business Associate Subcontractor Agreement (BASA) with the contractor, which, in the case of text messaging, would be whatever messaging app you decide to use. If you do not have a BAA or BASA in place with the provider, their service is not acceptable for the transmission of ePHI.
Are voice calls HIPAA compliant?
Voice calls are HIPAA compliant, and are covered under the conduit exception. The conduit exception applies to the U.S. Postal Service, internet providers, telephone providers, etc. The conduit exception is very narrow and applies mainly to entities that transmit and do not hold any information. When it comes to relaying PHI over the phone, you have to be careful. A phone service is covered under the conduit exception, but if the company is providing a voicemail system that has ePHI, or recording phone calls for you to review later, then you would need to get a BAA with that provider.
If a client gives consent to be contacted by a Covered Entity, HIPAA rules need to be respected. Have the client confirm their identity by verifying a few pieces of information that are particular to that individual. The last four digits of a social security number, address, and phone number are typical examples.
If your business is considering employing the use of texting or calling to share PHI, do your research and make sure you are using an app that helps you stay compliant. Ease of communication is not worth putting the data of your clients or employees at risk. If time constraints and the nature of the information permit, consider other more secure communication solutions, such as efax, encrypted email, or a similarly-secured online portal. Protecting the security of confidential information is your utmost responsibility.
How can Total HIPAA help?
Here at Total HIPAA, data security is of the utmost importance to us. We are a team of professionals with the knowledge and expertise to guide you toward a specific plan for your business, that will not only help you protect your data, but your reputation as well. With the help of Total HIPAA, you can minimize your risk of a data breach and better understand what you need to do to stay up to date with all relevant procedures.
For more info on HIPAA training, visit our blog here! If you would like to know more about our online HIPAA training or our customized compliance solution, HIPAA Prime, email firstname.lastname@example.org today. Or, get started here.