Therapists and counselors often use texting to stay in contact with their patients, staff and colleagues. However, HIPAA-compliant texting for therapists can become a serious legal issue if you are not following the guidelines. The Health Insurance Portability and Accountability Act (HIPAA) is the law that protects patient information from being released without permission or authorization. HIPAA violations attract huge penalties with the potential to cripple your therapy practice. State Attorneys can issue fines of up to $25,000 for every breach per category.
(Image source: hipaajournal.com)
This post will show how you can communicate with your patients, staff and colleagues without violating HIPAA laws.
What Does HIPAA Say About Texting?
HIPAA was created to protect the privacy and security of patient information. HIPAA ensures that healthcare providers such as therapists communicate with their patients, staff and colleagues without revealing personal health information (PHI). The policy also dictates how PHI is transmitted with technology.
The most critical factor for staying HIPAA compliant when sending texts is understanding the law. The HIPAA Security Rule created security standards for protecting certain health information held or transferred in electronic form. It essentially operationalized the protections of the HIPAA Privacy Rule by specifying the technical and non-technical safeguards that "covered entities" such as therapists must institute to secure their patients' electronic protected health information (ePHI). These safeguards are summarized as follows:
- Technical safeguards: These cover access control, audit controls, data integrity and transmission security.
- Administrative safeguards: These cover individual access to PHI, workforce training procedures and policies, computer operations controls and contingency plans for data restoration.
- Physical safeguards: These cover facility access controls, including building security and workstation or device security.
While the HIPAA Security Rule does not specify how therapists must secure ePHI that is transmitted via text, it states clearly that you must administer technical safeguards to protect patient information.
In addition, the HIPAA Privacy Rule requires that any PHI you transmit over any form of technology must use a secure connection. Unfortunately, text messages are not considered secure forms of communication as they can easily be intercepted or hacked.
However, there are a few instances when you are allowed to communicate with patients via text message. For example, if you have verifiable consent from your client before communicating via text. This means having a written document outlining the dates and times they are happy to receive messages outside face-to-face therapy sessions.
This written agreement must also outline the content and frequency of these messages. If you send texts to your patients outside this scope or without consent, it violates HIPAA regulations and may result in legal action against you.
HIPAA Compliant Text Messaging Apps
Many text messaging apps are available on both Google Play Store and Apple’s App Store, but few are HIPAA compliant. The most crucial factor in ensuring HIPAA compliance is encryption, which scrambles sensitive data so that only authorized users can read it, though access controls and audit controls are also essential.
It's also essential to check whether an app has been independently audited for security standards by a third-party security organization.
How Do I Send a HIPAA Compliant Text?
It's a bad idea to send text messages that contain PHI because of the lack of technical safeguards. However, there are a few instances when a text message can be HIPAA compliant:
- As already mentioned, therapists must have verifiable consent from their clients before communicating via text outside of face-to-face communication. In addition, you must have informed the patient about the danger of unauthorized disclosure. Both warnings and consents must be recorded.
- Organizations providing onsite clinics as an employee health benefit, or offer self-insured health plans for employees, or function as a middleman between workers, healthcare providers and insurance companies are examples of organizations that may use text messaging in a HIPAA-compliant manner.
- It's also conceivable that the US Department of Health and Human Services temporarily waives HIPAA rules in the wake of a natural disaster, such as an earthquake or hurricane, to allow text messaging. Some, but not all, provisions regarding texting patient data are waived in these situations, and the waiver may be for a set time only or apply to Covered Entities of a particular type.
- Finally, when the therapist uses a purpose-built HIPAA compliant text messaging solution with the required controls and encryption to support HIPAA compliant texting, it is also HIPAA compliant.
How to Ensure Your Communications are HIPAA Compliant
From the preceding, it is evident that it is tough to achieve HIPAA-compliant texting for therapists due to the challenges of implementing the technical safeguards contained in the Security Rule.
The best way to communicate with patients, staff and colleagues, especially where PHI is involved, is to use a secure communication system such as the Central Data Storage encrypted file-sharing system. This is the sure way to ensure that your communications remain HIPAA compliant.
For more information, check out the free trial (no credit card required). We also recommend you download this free file sharing checklist that walks you through various scenarios when sharing PHI information, whether internally, externally, or inter-office, to ensure you are HIPAA compliant when sharing PHI confidential information.