The message from your phone travels over the phone carrier’s network and servers. The sender has no control over what happens to the message once it is sent and no guarantee that it even reached the intended recipient. The message could also remain stored in plain text on the carrier’s server for any amount of time. The sender has no control over who has access to this stored information. These issues are red flags from a data security and HIPAA compliance standpoint.
Does this mean that healthcare providers cannot send text messages at all? No. It means that either:
1. The messages sent via regular SMS from the phone carrier must not contain any ePHI (which is highly unlikely in a healthcare setting and defeats the intended purpose of quick, timely communication between providers), or
2. The healthcare organization needs to deploy a secure messaging solution.
Just like sending any confidential information to another person in the physical world, when sending electronic messages containing ePHI you need to be sure that:
- The identities of the sender and receiver are verified and the message reaches the intended receiver only (identity authentication)
- No one else can read the message if it falls into the hands of the wrong person (message encryption)
- You can trace who saw, read or opened it and when (audit trail)
- You can delete the message from the recipient's phone if it was sent to the wrong address or after a specified amount of time (message life cycle management)
A number of secure messaging solutions available on the market meet the HIPAA ePHI security compliance requirements. Research these vendors to identify the solution that meets your needs. Satisfy yourself that the vendor has the appropriate data security safeguards in place to ensure the security of your ePHI before you sign a contract. A vendor willing to sign a business associate agreement with your organization is a sign that they understand the importance of ePHI security and have implemented adequate security measures in their solution/service to ensure HIPAA Security Rule compliance.
Implementing secure electronic messaging solutions gives healthcare providers the convenience and data security they need to be more productive and deliver better patient care.