As healthcare professionals increasingly rely on mobile technology for patient care, HIPAA compliance has become a growing concern. The Centers for Medicare & Medicaid Services (CMS) has clarified the rules surrounding text messaging and sharing protected health information (PHI).
The Health Insurance Portability and Accountability Act (HIPAA) sets standards for protecting patient information. Its privacy and security rules provide strict guidelines for managing PHI, including how it’s transmitted through electronic communication. Healthcare providers must ensure any method used for sending or storing patient data, including text messaging, meets HIPAA’s strict requirements.
According to the memo from the Centers for Medicare & Medicaid Services (CMS), “Texting patient information and the texting of patient orders among members of the health care team is permissible, if accomplished through a HIPAA compliant secure texting platform (STP) and in compliance with the Conditions of Participation (CoPs).”
In 2018, CMS made it clear that while texting patient information has become common, texting patient orders between providers and care teams doesn’t comply with their standards. The main issue was ensuring medical records were accurately documented, completed on time, and stored securely. CMS raised concerns about how texting could impact the privacy, security, and integrity of medical records.
Though computerized order entry is still preferred, CMS now allows texting of patient information if secure platforms that meet HIPAA, CoPs, and HITECH standards are used. Healthcare providers need to regularly assess the security of these systems to ensure patient care isn’t put at risk.
CMS’s stance on texting came after hospitals expressed confusion over the rules. Some had been told that texting wasn’t allowed, even with secure apps, due to concerns about record retention and confidentiality.
Since then, the use of texting among healthcare teams has continued to grow. A 2022 study by the Regenstrief Institute and Indiana University found that doctors prefer texting over pagers but were frustrated by the high number of messages they receive. The study pointed out the need for clearer communication on how texting should be used among healthcare staff.
Healthcare providers can communicate PHI via text messaging if the platform adheres to HIPAA security standards. Encrypted messaging apps or HIPAA-compliant texting services are examples of suitable options.
CMS prohibits using unsecured messaging platforms like consumer-grade apps to send PHI. These platforms, which lack encryption, carry a high risk of data breaches and do not comply with HIPAA.
CMS stresses that it is the healthcare provider's responsibility to ensure compliance, including verifying that any texting platform used meets HIPAA requirements and that safeguards are in place to protect patient data.
To maintain HIPAA compliance when texting PHI, healthcare organizations should take proactive steps, including:
Adopting secure texting practices offers several advantages for healthcare organizations:
Paubox Texting is a HIPAA compliant API designed for patient engagement, allowing seamless delivery of personalized text messages directly to recipients' mobile devices without the need for third-party platforms or passcode-protected portals. Using Paubox's established email encryption standards, this innovative solution ensures the security of PHI while enabling modern patient communication. With support for both iPhone and Android, personalized reminders, test results, and follow-ups can be sent effortlessly, backed by top-rated U.S. support and clear documentation.
HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses that handle protected health information (PHI).
An email is HIPAA compliant if it includes encryption, secure access controls, and audit trails. So, providers must use a HIPAA compliant texting platform, like Paubox, to protect patients’ PHI.