By Chris McCarthy on January 13, 2016
Let me start with a disclaimer: I am not a lawyer. None of this is, or should be construed as, legal advice. You should definitely consult an actual lawyer before making serious decisions about HIPAA, because it is complex well beyond the scope of a blog post like this, and carries serious repercussions for violations. With that out of the way, let’s get started.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), updated by 2013’s Final Omnibus Rule, in conjunction with 2009’s Health Information Technology for Economic and Clinical Health Act (HITECH Act) provides standards for the handling of certain health information by certain health care entities and their associates. Basically, it prevents health care providers from handing out confidential health information without patient permission, and sets up standards for protecting that information from theft.
The first concept for understanding this act in greater detail is that of a “Covered Entity”. A Covered Entity is any group or person to which HIPAA applies, and which must comply with the information security standards set forth therein. Broadly, there are four types of Covered Entity: health care providers, health plans, health care clearinghouses, and business associates of the above. Typically, entities in this last category will have signed explicit Business Associate Agreements with whatever health care related entity they are working with. In any event, whenever these Covered Entities handle information about patients, they must ensure they do so in a way that complies with HIPAA’s privacy and security standards.
This brings us to Protected Health Information, the kind of information protected under HIPAA’s privacy and security regulations. Protected Health Information is any personally identifiable information about the health, mental or physical, of a person. This includes not just their state of health, but also their care, and billing related to that care. Basically, if a piece of information is about a person’s health, and it can be identified as belonging to that person, it is protected. If information has been de-identified (that is, any possible way of identifying the person to whom it applies has been removed) then it is no longer so protected.
There are two components of HIPAA that Covered Entities really care about when dealing with Protected Health Information: the Privacy Rule and the Security Rule. The Privacy Rule is more general, and prevents Covered Entities from widely disseminating their patients’ confidential information without patient consent. As long as the person with whom you are communicating has given you permission to share information with them through SMS, this Privacy Rule should provide little barrier to HIPAA compliant SMS communication. The Security Rule applies exclusively to electronic Protected Health Information, and is really where the difficulties arise when considering how HIPAA interacts with SMS.
According to the Security Rule, any Protected Health Information created or stored electronically must be protected by three kinds of safeguard: administrative, physical, and technical. Administrative Safeguards are internal policies that control how internal staff can access and interact with Protected Health Information. Physical safeguards are safeguards that protect the physical tools and facilities used to access, modify, and control Protected Health Information. Technical safeguards are features of the technology per se that control and monitor who can access, edit, and control Protected Health Information. Unfortunately, by its very nature SMS cannot adequately implement any of these safeguards, and thus cannot comply with the Security Rule.
The biggest hole in terms of HIPAA compliance with SMS is the fact that all messages must pass through one of the wireless service providers. This means that all of that Protected Health Information must pass through their servers, and exist on their systems, in order to reach its destination. While all wireless providers have their own data security measures, those measures vary from company to company and in any event are almost certainly not designed with HIPAA in mind, and for your data to pass through them compliantly, they would have to be. Using a provider in this way effectively makes it a Business Associate, which means it too must comply with HIPAA standards. While not strictly impossible, it is highly unlikely that any provider would sign a Business Associate Agreement and comply with HIPAA’s standards. And if that provider works with anyone else in the process of transmitting your data, that third entity must also agree to be HIPAA compliant. In this regard, using any provider to transmit Protected Health Information is not possible while maintaining HIPAA compliance.
On top of all this, a mobile carrier couldn’t be HIPAA compliant even if it wanted to. SMS is not encrypted, which means the data can theoretically be intercepted by anyone. While the sheer volume of messages being sent at any given time means that targeting particular individuals is nearly impossible, this does not prevent mass interception of messages, and therefore of any Protected Health Information sent by way of them. Also, unlike many features on a phone, there is by default no way for a person to password protect their SMS functionality, further decreasing the security of SMS communication. This basically means proper Technical Safeguards for SMS are impossible. SMS is an inherently insecure method of communication; no sensitive information, Protected Health Information included, should be sent via SMS.
Furthermore, when using SMS to communicate with patients, there is another major potential problem: the patients themselves. The simple fact of the matter is that there is no guarantee patients will take enough care with their mobile devices for you to really say their information is safeguarded. If a patient doesn’t lock their phone, anyone who can physically acquire it can see whatever conversations you may have had with them. This doesn’t even have to involve something as nefarious as theft. If a patient isn’t as careful as they might be in lending out their phone, then any administrative safeguards taken on your end are meaningless. Even something as simple as a change in phone number could be a huge security flaw. If the patient doesn’t let you know of the change in number quickly enough, you could be sending Protected Health Information to the number’s new owner.
Now, there are HIPAA compliant alternatives to SMS. These can reproduce much of SMS’ functionality, and maintain proper security through encryption, password protection, and a myriad of other procedural and technical methods. These services can recreate much of the flow of SMS interaction, and probably even provide a more effective communication tool than email. But these are alternatives, not SMS itself. Be incredibly wary of anyone claiming to provide HIPAA compliant true SMS; because of the security flaws inherent in the medium, this is impossible. Even for the SMS-like alternatives, it is important to remember that SMS has certain advantages that they cannot replicate. Perhaps the most important is penetration in the consumer population. Since these SMS alternatives are built as mobile apps, they are restricted to people who own smartphones. 90% of people in the US own cell phones; only 64% own smartphones. And even more so than cell phone ownership, smartphone ownership is lower among certain key at-risk groups, including the poor and the elderly. In summary: be careful when looking for a HIPAA compliant text message service. If it can offer the broad population access of SMS, it can’t be HIPAA compliant; if it is HIPAA compliant, it can only reach a fraction of the audience that SMS can.
That doesn’t mean SMS surveys cannot have a place for Covered Entities. It’s just especially important to make sure you don’t reveal too much information when communicating via SMS. Avoid asking about specific medical conditions or history, and make sure you do not allow patients to get that information about themselves through SMS. Appointment reminders (so long as they don’t get into medical or financial detail) are probably okay, as are questions about the patient’s experience in a non-medical context. Just make clear to patients that SMS is not a medium through which you will convey or solicit any kind of Protected Health Information. And remember: SMS can never be HIPAA compliant.