HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

CMS rules for HIPAA compliance when texting patient data

Written by Farah Amod | Oct 15, 2024 7:44:46 PM

As healthcare professionals increasingly rely on mobile technology for patient care, HIPAA compliance has become a growing concern. The Centers for Medicare & Medicaid Services (CMS) has clarified the rules surrounding text messaging and sharing protected health information (PHI). 

 

Understanding HIPAA requirements

The Health Insurance Portability and Accountability Act (HIPAA) sets standards for protecting patient information. Its privacy and security rules provide strict guidelines for managing PHI, including how it’s transmitted through electronic communication. Healthcare providers must ensure any method used for sending or storing patient data, including text messaging, meets HIPAA’s strict requirements.

According to the memo from the Centers for Medicare & Medicaid Services (CMS), "Texting patient information and the texting of patient orders among members of the health care team is permissible, if accomplished through a HIPAA compliant secure texting platform (STP) and in compliance with the Conditions of Participation (CoPs).”

Read also: What does the Centers for Medicare and Medicaid Services (CMS) do? 

 

Why CMS's texting rules matter

In 2018, CMS made it clear that while texting patient information has become common, texting patient orders between providers and care teams doesn’t comply with their standards. The main issue was ensuring medical records were accurately documented, completed on time, and stored securely. CMS raised concerns about how texting could impact the privacy, security, and integrity of medical records.

Though computerized order entry is still preferred, CMS now allows texting of patient information if secure platforms that meet HIPAA, CoPs, and HITECH standards are used. Healthcare providers need to regularly assess the security of these systems to ensure patient care isn’t put at risk.

 

The larger trend

CMS’s stance on texting came after hospitals expressed confusion over the rules. Some had been told that texting wasn’t allowed, even with secure apps, due to concerns about record retention and confidentiality.

Since then, the use of texting among healthcare teams has continued to grow. A 2022 study by the Regenstrief Institute and Indiana University found that doctors prefer texting over pagers but were frustrated by the high number of messages they receive. The study pointed out the need for clearer communication on how texting should be used among healthcare staff.

 

CMS guidance on texting PHI

Permitted uses of texting

Healthcare providers can communicate PHI via text messaging if the platform adheres to HIPAA security standards. Encrypted messaging apps or HIPAA-compliant texting services are examples of suitable options.

 

Prohibited practices

CMS prohibits using unsecured messaging platforms like consumer-grade apps to send PHI. These platforms, which lack encryption, carry a high risk of data breaches and do not comply with HIPAA.

 

Responsibility for compliance

CMS stresses that it is the healthcare provider's responsibility to ensure compliance including verifying that any texting platform used meets HIPAA requirements and that safeguards are in place to protect patient data.

 

Implementing secure texting practices

To maintain HIPAA compliance when texting PHI, healthcare organizations should take proactive steps, including:

  • Evaluating texting platforms: Assess the security features and HIPAA compliance of any texting platform before using it. Look for encryption, access controls, and audit logging.
  • Developing clear policies: Establish policies for using text messaging in your organization, outlining acceptable practices, security measures, and training protocols.
  • Training staff: Educate staff on HIPAA compliance and the secure use of text messaging for patient data. Ensure everyone understands and follows your organization’s policies.
  • Strengthening security: Implement security measures such as two-factor authentication, remote device wiping, and secure messaging protocols to safeguard PHI sent via text.
  • Ongoing reviews and updates: Regularly review and update texting policies and security measures to keep pace with changes in HIPAA regulations and technology.

 

Benefits of secure texting

Adopting secure texting practices offers several advantages for healthcare organizations:

  • Improved efficiency: Secure texting allows for faster communication and collaboration among providers, leading to quicker response times and more streamlined patient care.
  • Better patient engagement: Patients may feel more involved in their care when they can securely communicate with providers via text.
  • Reduced risk of data breaches: By following HIPAA standards, organizations can reduce the risk of data breaches and avoid legal or financial consequences.

 

How can Paubox help?

Paubox Texting is a HIPAA compliant API designed for patient engagement, allowing seamless delivery of personalized text messages directly to recipients' mobile devices without the need for third-party platforms or passcode-protected portals. Using Paubox's established email encryption standards, this innovative solution ensures the security of PHI while enabling modern patient communication. With support for both iPhone and Android, personalized reminders, test results, and follow-ups can be sent effortlessly, backed by top-rated U.S. support and clear documentation.

Learn more: Introducing HIPAA compliant texting API by Paubox 

 

FAQs

Who does HIPAA apply to?

HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses that handle protected health information (PHI).

 

What makes a text HIPAA compliant?

An email is HIPAA compliant if it includes encryption, secure access controls, and audit trails. So, providers must use a HIPAA compliant texting platform, like Paubox, to protect patients’ PHI.

 

What features make a texting platform HIPAA compliant?

  • Encryption to protect data during transmission
  • Secure user authentication to verify the identity of users
  • Access controls to ensure only authorized individuals can access PHI
  • Audit logs to track and record all communications involving PHI
  • Data backup and disaster recovery plans
  • Business associate agreement (BAA) between the platform provider and healthcare entity

Learn more: HIPAA Compliant Email: The Definitive Guide