The Technical Safeguards of the HIPAA Security Rule

The technical safeguards of the HIPAA Security Rule are the most relevant to answering the question “When is texting in violation of HIPAA?” This section of the HIPAA Security Rule concerns access controls, audit controls, integrity controls, methods for ID authentication, and transmission security mechanisms when PHI is being transmitted electronically.

The technical requirements of the HIPAA Security Rule are a series of standards intended to prevent unauthorized access to PHI and protect the integrity of Protected Healthcare Information while it’s in transit. The requirements concern who has access to PHI, how it’s used, how it’s protected against inappropriate alteration, the methods for ID authentication, and transmission security. There are also requirements relating to audit controls to show that the technical safeguards are being implemented and enforced.

The requirements apply to texting patient information by SMS, communicating by IM, or sending an email beyond a healthcare organization's internal servers. They require that access to PHI is limited to those who need access to do their jobs (authorized users), that a system of monitoring access to PHI is implemented, that authorized users log into and out of a communications solution, and that all PHI sent beyond an organization's network is encrypted. There also has to be automatic log-off from devices used to text patient information to prevent unauthorized access when a device is unattended.

Among the requirements are:

  • Access to PHI must be limited to authorized users who require the information to do their jobs.
  • A system must be implemented to monitor the activity of authorized users when accessing PHI.
  • Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN.
  • Policies and procedures must be introduced to prevent PHI from being inappropriately altered or destroyed.
  • Data transmitted beyond an organization's internal firewall should be encrypted to make it unusable if it is intercepted in transit.

Standard “Short Message Service” (SMS) and “Instant Messaging” (IM) text messages often fail on all these counts. Senders of SMS and IM text messages have no control over the final destination of their messages. They could be sent to the wrong number, forwarded by the intended recipient to somebody else or intercepted while in transit. Copies of SMS and IM messages also remain on service providers' servers indefinitely with no means of remotely retracting or deleting them.

There is no message accountability with SMS or IM text messages because anybody could pick up someone's mobile device and use it to send a message – or indeed edit a received message before forwarding it on. For these reasons (and many more) communicating PHI by standard, non-encrypted, non-monitored and non-controlled SMS or IM is texting in violation of HIPAA.
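To make the safeguards listed above concrete, here is an added example (not code from the original article or from any vendor's product) of a minimal messaging gateway that enforces them: unique per-user authentication with a PIN that is only ever stored as a salted hash, access to PHI limited by role, an audit record for every access attempt, automatic log-off after an idle period, and an integrity tag on every outbound message so that the "edit a received message before forwarding it on" problem is detected on receipt. The user names, roles, patient record, idle timeout and integrity key are all constructed for the demo; a real deployment would additionally carry the message inside TLS or an authenticated-encryption envelope, which this stdlib-only example does not do.

```python
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass
from typing import Optional

# Assumed policy values for the demo, not taken from the article.
IDLE_TIMEOUT_SECONDS = 300
PHI_READ_ROLES = {"clinician", "nurse"}   # roles whose job requires PHI


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the gateway never stores a PIN in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Session:
    user: str
    role: str
    last_activity: float


class FakeClock:
    """Injectable clock so the idle timeout can be exercised deterministically."""
    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t


class MessagingGateway:
    def __init__(self, integrity_key: bytes, clock=time.time):
        self.integrity_key = integrity_key
        self.clock = clock
        self.users = {}        # user -> (salt, pin_hash, role)
        self.sessions = {}     # token -> Session
        self.audit_log = []    # one dict per security-relevant event

    def _audit(self, event: str, user: str, **detail):
        self.audit_log.append({"ts": self.clock(), "event": event, "user": user, **detail})

    def register(self, user: str, pin: str, role: str):
        salt = os.urandom(16)
        self.users[user] = (salt, hash_pin(pin, salt), role)

    def login(self, user: str, pin: str) -> Optional[str]:
        rec = self.users.get(user)
        if rec is None:
            self._audit("login_failed", user, reason="unknown user")
            return None
        salt, stored, role = rec
        if not hmac.compare_digest(hash_pin(pin, salt), stored):
            self._audit("login_failed", user, reason="bad pin")
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = Session(user, role, self.clock())
        self._audit("login", user)
        return token

    def _session(self, token: str) -> Optional[Session]:
        """Return the live session, or None; enforces automatic log-off."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if self.clock() - s.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self._audit("auto_logoff", s.user)
            return None
        s.last_activity = self.clock()
        return s

    def read_phi(self, token: str, patient_id: str, records: dict):
        s = self._session(token)
        if s is None:
            return None
        if s.role not in PHI_READ_ROLES:          # least privilege: role gate
            self._audit("phi_denied", s.user, patient=patient_id)
            return None
        self._audit("phi_read", s.user, patient=patient_id)
        return records.get(patient_id)

    def seal_outbound(self, token: str, payload: dict) -> Optional[bytes]:
        """Attach an HMAC-SHA256 tag so any in-flight edit is detectable."""
        s = self._session(token)
        if s is None:
            return None
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self.integrity_key, body, "sha256").digest()
        self._audit("phi_sent", s.user, sha256=hashlib.sha256(body).hexdigest())
        return tag + body

    def verify_inbound(self, blob: bytes) -> Optional[dict]:
        tag, body = blob[:32], blob[32:]
        expected = hmac.new(self.integrity_key, body, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return None                           # tampered or wrong key
        return json.loads(body)


def run_demo() -> dict:
    """Walk through the safeguards with constructed users and a fake clock."""
    clock = FakeClock(1_000.0)
    gw = MessagingGateway(integrity_key=os.urandom(32), clock=clock)
    gw.register("dr_ada", "2468", "clinician")
    gw.register("bob_billing", "1357", "billing")
    records = {"P001": {"lab": "constructed sample result"}}   # constructed PHI stand-in
    out = {}
    out["bad_pin"] = gw.login("dr_ada", "0000")
    ada = gw.login("dr_ada", "2468")
    out["clinician_read"] = gw.read_phi(ada, "P001", records)
    bob = gw.login("bob_billing", "1357")
    out["billing_read"] = gw.read_phi(bob, "P001", records)
    sealed = gw.seal_outbound(ada, {"patient": "P001", "note": "lab ready"})
    out["intact"] = gw.verify_inbound(sealed)
    out["tampered"] = gw.verify_inbound(sealed[:32] + sealed[32:].replace(b"ready", b"wrong"))
    clock.t += IDLE_TIMEOUT_SECONDS + 1            # device left unattended
    out["after_idle"] = gw.read_phi(ada, "P001", records)
    out["events"] = [e["event"] for e in gw.audit_log]
    return out
```

Running `run_demo()` shows each control firing in turn: the wrong PIN is refused and logged, the clinician can read the record while the billing user is denied, the tampered copy of the sealed message fails verification, and once the idle timeout has passed the clinician's token is discarded with an `auto_logoff` audit entry. The audit log is the evidence that the safeguards are actually enforced, which is the point of the audit-control requirement.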
