HIPAA-compliant Text Messaging for Care Professionals
(Note: if you’re a family caregiver, see HIPAA-compliant Text Messaging for Family Caregivers)
As a health care professional, you need to be able to easily text message your care team. You may even want to share texts and information with patients and family.
But you have, on more than one occasion, used the popular text messaging platforms to communicate. WhatsApp, iMessage, SMS and other platforms aren’t HIPAA-compliant, but if the patient doesn’t care, why should you make a big deal out of it, right?
Unintended Consequences
But here’s the thing: safeguarding the privacy and security of personal health information is part of the health care profession. Using non-HIPAA-compliant messaging apps may actually have negative, unintended consequences. That is why it is so important to be careful how you share health information using mobile devices and apps.
Messaging is the #1 function used on mobile devices according to Pew Internet Research. But none of these messaging apps are HIPAA-compliant:
iMessage is NOT HIPAA-compliant
Facebook Messenger is NOT HIPAA-compliant
WhatsApp is NOT HIPAA-compliant
SMS is NOT HIPAA-compliant
Secure Messaging for Healthcare
The US government has privacy standards for healthcare information transmission, transfer, and storage to protect patients’ personal health information (PHI). You may have heard of “HIPAA”, also known as “The Privacy Rule.”
The Health Information Portability and Accessibility Act regulates how healthcare providers are supposed to handle the PHI of patients. The Privacy Rule extends to providers and how they communicate with patients and families as well. And since NONE of the popular messaging apps meet this standard of security and privacy, you shouldn’t use them as a care professional.
What Qualifies as Personal Health Information?
Diagnosis
Condition/Disease Name
Medications (brands, generics, OTC, dosage, frequency, etc.)
Doctors (by name or type of doctor)
Care Instructions
Medical Equipment
Treatments (medications, supplements, rehab exercises, activities of daily living)
So whenever you’re talking to staff, patients, or family, protect their PHI. That sharing can have consequences if not done with an eye on security and privacy.
What Are The Risks?
We have now entered the age of hacking, and information security is at the forefront of the national discussion in areas including national security, elections, cloud storage, and yes, healthcare.
In the past two years, Apple, Facebook, Yahoo, and other tech heavyweights have revealed that their systems have been hacked with millions of records being stolen. In healthcare, however, the privacy breaches tend to be personal in nature—like healthcare providers revealing the private health information of celebrities. Why? Because healthcare technology is held to a much higher standard of security.
Five Consequences of NOT Using a HIPAA-compliant Text Messaging App
1. Discrimination. The main area people worry about is discrimination by employers or insurance companies. Employers could use PHI to find ways to terminate a patient’s employment by legal means, even if the health condition is the main reason. Losing one’s job can have devastating consequences for healthcare access and quality. Because health premiums are calculated by risk pools, people with diagnosed health conditions tend to pay higher monthly premiums for insurance coverage. It’s amazing that a small thing like sending a text message over unsecured apps could lead to such NEGATIVE outcomes. Don’t let it happen.
2. Outing a Patient’s Condition. In sharing PHI over non-secure apps, you may inadvertently “out” your patient’s condition. How, you ask? Because the popular messaging apps do not have privacy protections that automatically log out users if they haven’t logged in for a period of time. That means if your patient loses their phone, anyone who recovers it can access PHI. Even if the patient simply leaves the phone out and a friend of theirs picks it up, your patient’s information could be accessed. This type of thing happens all the time, and you should keep that in mind when having healthcare conversations on unprotected, non-secure apps.
3. Taking Away Your Patient’s Right to Privacy. Privacy is a right that we are all guaranteed by the US Constitution. But if you’re sharing the PHI of a patient over an unsecured app, you have in effect taken away their right to privacy. There are channels that you can use to transmit PHI securely. If you choose NOT to use these channels, you are taking away a fundamental right out of personal convenience. That isn’t fair to your patient. They trust you to care for them, so they trust you with their health information. Do not betray that trust.
4. Giving Away Your Right to Health Record Storage. The Privacy Rule not only ensures the security of your health information across electronic pathways, it also mandates that records be kept for six years. This means that you have to store health information that can be used to help patients in the future. If you’re not using a messaging app secure for healthcare, then you’re giving away your patient’s right to health data storage. The popular messaging apps don’t retain messages for more than a few months to a year. Don’t give away the right to data retention. It can save your patient’s life—and potentially others.
5. Losing Valuable Data. If you’re having conversations about the health of patients on unsecured apps, the information you’re sharing isn’t transferable to a health record. This means that you as a healthcare professional may not recall that information or where it is located when designing treatment plans. With a HIPAA secure messaging app, many of the data are shareable to your patient’s electronic medical record (EMR). That is a major benefit of using apps secure for healthcare and a major lost opportunity when not using one.
Make sure you respect your patient’s right to privacy and security. Respect YOUR OWN right to privacy as well. All of these issues apply to you and your healthcare as well. You wouldn’t want anyone in your family outing your personal business to others whether or not it was intended.
What You Should Do
Use a HIPAA-compliant text messaging app like Care3 (request a demo) to protect your patient’s personal health information while texting. Care3 is the most full-featured healthcare app on the market. We offer affordable pricing options to meet your needs. BAA required for covered entities.