Is Texting Medical Records HIPAA Compliant?

Texting is fast, easy, and convenient. According to Statista, Americans sent 2,200 billion (2.2 trillion) text messages in 2020. It is a convenient way to stay in touch with friends, family, and colleagues and to pass along all sorts of information. With this in mind, it’s fair to ask what role texting should play in healthcare.

Is texting medical records HIPAA compliant?

Texting via Short Message Service (SMS) is a fast and easy way to exchange information between two people. It’s similar to email in this regard, but with additional weaknesses and tighter limits. Unfortunately, the lack of encryption, access controls, and any record of who actually viewed a message makes this method a threat to HIPAA compliance.

That being said, there are still certain situations where texting protected health information can be compliant. If a patient absolutely demands that medical information be texted to them and they sign the proper authorization, it’s possible for healthcare providers to send them this information in the requested format without penalty.

The point of HIPAA compliance isn’t just to meet a set of standards, however. Healthcare professionals and their business associates must protect their patients from unauthorized access to their private information. 

SMS messaging is not a great way to safeguard protected health information. We will dive into the specifics shortly, but first, let’s cover essential basics.

HIPAA includes several rules that regulate different aspects of the release of information. Among these, SMS messaging sets off red flags for both the Security Rule and the Privacy Rule. 


Broken down to the most basic explanation, these rules combine to ensure appropriate security measures are in place because patients have a right to privacy regarding personal health information. They set baseline requirements in deliberately technology-neutral language, so that they can accommodate the evolving nature of health information technology (HIT) without being rewritten for every new tool.

This flexibility cuts both ways: HHS expects each covered entity and business associate to choose safeguards that are reasonable and appropriate for its size, its environment, and the risks it actually faces, and to document that reasoning. So in what ways does SMS messaging generally fail to meet HIPAA expectations?

What are the cons of sharing information via SMS?

In addition to the security weaknesses mentioned in the previous section, there are further issues that make SMS an unreliable option. In this section, we will discuss some of the major weaknesses of texting protected health information.

The Security Issues

The Security Rule outlines the technical, administrative, and physical safeguards required to protect electronic protected health information, including while it is being transmitted. These include several security measures that standard SMS cannot provide.

First is encryption. This is the process of converting data into unreadable ciphertext that can only be turned back into the original with the right key. In end-to-end encryption, the data is encrypted on the sender’s device and decrypted only on the recipient’s device; any server that relays the message in between sees nothing but ciphertext. 

Standard SMS is not end-to-end encrypted: the carrier handles each message in plaintext, and it sits unencrypted in the recipient’s message store, so it is exposed to interception, to anyone with access to the carrier’s systems, and to anyone holding the phone. A texting service can add encryption, but it must meet the Security Rule’s standard, which in practice means using current, well-vetted algorithms consistent with NIST guidance rather than a home-grown scheme. 

For a frame of reference, ChartRequest uses 128- to 256-bit encryption keys. That figure is the length of the key in bits, not a count of characters, and it determines how many possible keys an attacker would have to try. Data in transit is protected with TLS (the successor to SSL), which negotiates a fresh session key for every connection. Together with our many other risk mitigation measures, this makes intercepting records in transit impractical.

Modern computers are powerful, however, and short keys and deprecated algorithms are becoming easier and easier for attackers to brute force. With the steep monetary penalties associated with HIPAA violations, it’s not worth entrusting protected health information to weaker technology.

There’s also no way to reverse human error with SMS. A text cannot be recalled, so if your team sends a message to the wrong number, it’s likely that an unauthorized person will receive it and keep it. 

Similarly, SMS leaves no audit trail. In the case of an audit or a suspected breach, the sender cannot show who opened the message, when, or on which device, and it’s impossible to prove that the intended recipient was the only viewer.

To summarize, SMS can be made HIPAA compliant but is generally a less secure method of sharing protected health information. 

The Efficiency Issues

SMS messaging connects two phones. Medical records, however, live in an EHR or records server, so before anything can be texted a staff member either has to pull the records onto a phone that can reach that system or set up a separate, secure transfer process. Neither option is quick, and the first one spreads PHI onto yet another device. 

Even ignoring the additional risk and labor healthcare workers face when sharing protected health information via text, patients suffer too. One major issue is the data transfer size limits.

SMS messages are hindered by their per-message character limit, which is a measly 160 characters (and only 70 if the message contains characters outside the basic GSM alphabet, such as accented letters or emoji). Longer messages are split into multiple texts that the receiving phone stitches back together, but concatenated messages can arrive out of order, arrive partially, or fail entirely when the original is too long.

These limits affect more than just standard text messages. Media files like pictures and videos often fail to send due to their size. Attachment limits for the Multimedia Messaging Service (MMS) vary by carrier, but a common ceiling is around 1.2 megabytes per image and 3.5 megabytes per video.

These limits are inconvenient at best, and unworkable at worst. If a patient requests images via text to share with their healthcare provider for whatever reason, it’s not guaranteed that they could even be made that small without sacrificing essential image quality.

Additionally, not all phones have search functionality built in for SMS texts. Not only is it harder to find a specific message as time passes, but the messages can be easily lost. Accidental deletion or a broken device can make data vanish permanently, and a lost or stolen phone hands every stored message to whoever holds it.

Backing it up helps protect the user from losing their data, but that also creates more avenues for potential breaches. Plus, not all phones can easily back up files. This mobile phone ownership data collected by the Pew Research Center implies that 12% of Americans use non-smartphones. 

Should healthcare providers never use SMS and MMS?

Given the poor security and inconvenience of SMS and MMS messaging, a knee-jerk reaction may be to avoid them altogether. But there are plenty of positive uses for text messaging in a healthcare setting, and ways to use it without risking HIPAA or other legal violations.

The Telephone Consumer Protection Act (TCPA) requires you to receive written consent before sending commercial text messages to your patients. You can ask for this consent when they provide their phone number. 

Be sure to explain the risk of unauthorized disclosure of their protected health information in the authorization. This must be done if any PHI is being shared via text, even just the patient’s name. You must also provide an opt-out option in case they change their mind.

For patients who have opted in, the top use of text messaging for healthcare professionals is appointment reminders. Once you’ve acquired this authorization, don’t treat it like a free pass to send PHI. Try to avoid any specific information.

For example, you may include:

  • Their name
  • The time and date of the appointment
  • The name of the organization. If the name of the organization would disclose the type of treatment, consider using other identifiers. 
  • Phone number

In addition to improving patient retention by reminding them of upcoming appointments, these texts provide patients an opportunity to reschedule or cancel. This article by SCI Solutions found that U.S. healthcare providers are losing approximately $150 billion annually to no-shows.

This interruption in care can also damage the patient’s health in the long run. According to this article by AthenaHealth, once a patient misses an appointment they’re far less likely to ever return.

It’s definitely worth utilizing text messaging in healthcare, but we certainly do not recommend sharing more sensitive information this way.

What about similar mobile messaging apps?

Some features of mobile messaging apps may seem like a similar, accessible solution for sending healthcare messages. Unfortunately, the trade-offs are not worthwhile in most cases. 

Let’s look specifically at WhatsApp, a company that reported $5.5 billion in revenue in 2020 with 2 billion users. While end-to-end encryption was rolled out to all messages in 2016, there are still some unexpected compliance issues. End-to-end encryption protects a message in transit, not on the device: the app doesn’t require a passcode to view messages by default, so anybody who gains access to an unlocked phone can read every message saved there.

Next, the app automatically saves every photo shared to the device that receives it. In many cases, the device will automatically back up shared images to a cloud service. This creates yet another point of access for protected health information.

Generally speaking, platforms that are not specifically designed for HIPAA compliance have issues that make them unsafe for PHI. There are mobile messaging apps that are compliant, but it’s essential to put in the legwork to prove they’re secure: review the vendor’s encryption and access controls, confirm where messages and backups are stored, and confirm that the vendor will sign a business associate agreement before any PHI flows through it.

How do you release records via text?

If you’ve reached this point and still wish to release medical records or other HIPAA-protected information, it is possible. There are two avenues you can take.

First, you can inform the patient of the risks associated with their request and have them sign a waiver authorizing the release. While this technically does protect your organization, it does nothing to protect the patient. 

With the risks associated with medical records breaches, it’s important to protect your patient’s personal information. While they may wish to just sign the waiver for convenience, there aren’t many things more inconvenient than identity theft. 

A better option is to enlist the services of a specialized HIPAA-compliant SMS solution to handle all text-related communications. Be sure to investigate their encryption standards and other security precautions before sending any protected health information via any platform.

Next, start with the basics of any request. Your team must verify that the patient signed a valid authorization form. Under the Privacy Rule, a valid authorization includes the following core elements (along with required statements, such as the patient’s right to revoke it):

  1. Description of the requested information
  2. Name of the patient and/or requestor
  3. Name of the recipient
  4. Reason for the disclosure
  5. Expiration date or event
  6. Signature of the patient or representative with the date

Once this is verified, retrieve only the records the authorization actually describes. HIPAA’s “Minimum Necessary” standard does not formally apply to disclosures made to the patient or under the patient’s own authorization, but the authorization’s description of the information sets the boundary: your team must comb through the records to make sure nothing outside that description is included.

Once you’ve collected the relevant records, double-check to make sure they are 100% accurate for the request. When you feel confident that you’ve fulfilled the request, double-check the recipient’s phone number against the number the patient provided when they opted in, since a single mistyped digit is an unrecoverable disclosure.
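The release steps above (verify the authorization, stay within what it describes, confirm the destination number) are easy to state and easy to skip under time pressure. The following Python script is an added example, not ChartRequest code or any vendor’s product, that turns those steps into a gate a records team could run before a text goes out. The authorization is a plain dictionary keyed by the elements listed above, `scope` is an assumed extra field describing which record categories and dates the patient authorized, and all patient data, phone numbers and record entries are constructed sample values.

```python
# Added example (not ChartRequest code): a pre-release gate for texting
# records under a patient authorization. All data below is constructed.
import re
from datetime import date

# Elements the article lists for a valid authorization, as dict keys.
REQUIRED_FIELDS = ("description", "patient", "recipient", "purpose",
                   "expiration", "signature", "signed_on")


def _as_date(value):
    """Accept a date or an ISO string such as '2024-06-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def normalize_phone(raw):
    """Return a US number as E.164 (+1NNNNNNNNNN), or None if it is not one.
    Comparing normalized forms catches '555-123-4567' vs '(555) 123-4567'
    while still rejecting a short number or an extra digit."""
    digits = re.sub(r"\D", "", raw or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10 or digits[0] in "01":
        return None
    return "+1" + digits


def is_expired(expiration, today, occurred_events=frozenset()):
    """The expiration may be an ISO date or an event name ('end of treatment').
    An event counts as expired only once the organization records it."""
    today = _as_date(today)
    try:
        return date.fromisoformat(expiration) < today
    except ValueError:
        return expiration.strip().lower() in occurred_events


def authorization_problems(auth, today, occurred_events=frozenset()):
    """List every reason the authorization cannot be relied on; empty = usable."""
    today = _as_date(today)
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not auth.get(f)]
    if problems:
        return problems
    if _as_date(auth["signed_on"]) > today:
        problems.append("signature dated in the future")
    if is_expired(auth["expiration"], today, occurred_events):
        problems.append("authorization expired")
    if auth.get("revoked"):
        problems.append("authorization revoked by patient")
    return problems


def select_records(records, auth):
    """Keep only records inside the scope the authorization describes:
    an authorized category and a date within the authorized range."""
    cats = {c.lower() for c in auth["scope"]["categories"]}
    start, end = auth["scope"]["from"], auth["scope"]["to"]
    return [r for r in records
            if r["category"].lower() in cats and start <= r["date"] <= end]


def prepare_release(auth, records, phone_on_file, destination, today,
                    occurred_events=frozenset()):
    """Gate the release: valid authorization, scoped records, and a destination
    that matches the number the patient gave when they opted in."""
    problems = authorization_problems(auth, today, occurred_events)
    dest = normalize_phone(destination)
    if dest is None:
        problems.append(f"destination {destination!r} is not a valid US number")
    elif dest != normalize_phone(phone_on_file):
        problems.append("destination does not match the number on file")
    if problems:
        return {"ok": False, "problems": problems, "records": []}
    return {"ok": True, "problems": [], "destination": dest,
            "records": select_records(records, auth)}


# Constructed sample authorization and record set (hypothetical patient).
SAMPLE_AUTH = {
    "description": "Lab results from 2023",
    "patient": "Jane Q. Patient",
    "recipient": "Jane Q. Patient (self)",
    "purpose": "personal records",
    "expiration": "2024-12-31",
    "signature": "Jane Q. Patient",
    "signed_on": date(2024, 1, 15),
    "scope": {"categories": {"lab"},
              "from": date(2023, 1, 1), "to": date(2023, 12, 31)},
}
SAMPLE_RECORDS = [
    {"category": "lab", "date": date(2023, 3, 2), "text": "CBC within normal limits"},
    {"category": "lab", "date": date(2024, 2, 9), "text": "Lipid panel"},          # outside dates
    {"category": "psychotherapy note", "date": date(2023, 5, 1), "text": "Session"},  # not authorized
]


def demo(today="2024-06-01", destination="+1 555 123 4567", occurred_events=frozenset()):
    """Run the gate on the sample data; only the 2023 lab record should pass."""
    return prepare_release(SAMPLE_AUTH, SAMPLE_RECORDS, "(555) 123-4567",
                           destination, today, occurred_events)


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. Expiration is checked against both a calendar date and a named event because the rule allows either, and an event-based expiration is useless unless someone actually records when the event happened. The destination check compares normalized numbers rather than raw strings, so formatting differences do not produce false alarms, while a number that is not on file is refused outright rather than merely flagged.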

ChartRequest has built-in secure messaging

ChartRequest is a dedicated medical records exchange solution that provides a safe and efficient alternative to antiquated data sharing methods. We’ve already briefly discussed the security features that make ChartRequest a safer option than SMS and MMS, but that’s not the only benefit.

ChartRequest makes it easy to securely leave digital messages to healthcare providers via the provider chat function. This is built-in to each request and ensures that no unauthorized eyes can view private messages. 

Because the connection with the healthcare provider is made before any data can be exchanged, there’s no more need to worry about sending information to the wrong number. You can rest assured that the requestor – and only the requestor – will receive the message.

In addition, ChartRequest doesn’t face the same measly size constraints as SMS and MMS. Our platform facilitates the exchange of protected health information. With ChartRequest, your team can fulfill every request, regardless of the size of the records.

ChartRequest also helps healthcare organizations respond to HIPAA audits with our automated audit log. Our software logs every interaction with each request, tracking who did what and when so that the cause of any potential error can be pinpointed. In the case of an audit, this log can show HHS who accessed each part of the records exchange, and that no one else did.

Finally, ChartRequest can easily integrate into your website, providing patients a simple and direct path to requesting their records. We provide all healthcare professionals with scripts and guides that direct your requestors to our secure platform.

Don’t trust sensitive information to antiquated methods. To learn more about how ChartRequest can help you ensure HIPAA compliance, click here.