SMS texting makes it easy and convenient for physicians and healthcare staff to communicate. It also drives patient engagement and improves operational and administrative efficiencies. But how safe is it? Is SMS texting HIPAA compliant?
HIPAA rules don’t explicitly mention SMS text messaging. But HIPAA Covered Entities (CE) and Business Associates (BA) must maintain technical control over any form of communication involving electronic Protected Health Information (ePHI), such as email and messaging, and that includes SMS texting.
For example, SMS texts are always in violation of HIPAA Rules if they contain any ePHI without the patient’s permission. Beyond that, SMS texting is not HIPAA compliant because it isn’t encrypted.
Healthcare organizations must maintain technical control
ePHI that is transmitted outside of technical control, such as a firewall, has to be protected by encryption to NIST standards. Technical control must not only allow patients to access their ePHI, but must also ensure the confidentiality and integrity of the ePHI at all times.
Device control can also be a problem. If a sender or receiver of an SMS text message containing ePHI loses their device, they lose technical control. And, of course, SMS texts can be accidentally sent to the wrong person.
HIPAA penalties are steep — $50k per violation per day, up to $1.5M per year. The only way for Covered Entities and Business Associates to take advantage of the benefits of SMS texting and avoid violating HIPAA rules is to adopt a secure text messaging solution.
Secure SMS text messaging solutions for HIPAA compliance
Secure text messaging solutions exist for healthcare organizations to facilitate HIPAA compliant SMS texting for physicians, nurses, staff, and patients.
Secure text messaging solutions incorporate the technical controls necessary to ensure that ePHI remains safe from interception by unauthorized individuals during and after transmission.
Technical controls must include access, audit, integrity, and security controls to ensure HIPAA compliance.
- Access controls monitor who can access what within an enclosed network by governing login credentials, role-based permissions, and messaging procedures.
- Audit controls record when ePHI is created, accessed, transmitted, changed, or deleted.
- Integrity controls protect ePHI from being corrupted or tampered with.
- Security controls — such as end-to-end encryption — ensure that data is protected while in transit and data audit trails are recorded. If an employee loses their phone, data can be remotely erased.
The added benefits of HIPAA compliant messaging tools
HIPAA compliant SMS provides a variety of benefits to healthcare organizations, from more efficient patient care and new patient acquisition to flexibility in administration and marketing.
A HIPAA compliant SMS texting platform, combined with other HIPAA compliant tools such as live chat with omnichannel integration, opens up even broader communication channels, such as SMS-to-chat and social media messaging access.
CRM and database integration options give healthcare organizations analytical and organizational insights into business processes for data-driven improvements across the board.
Finally, today’s consumers prefer to communicate on their mobile phones, and patients aren’t any different. With a business SMS line, healthcare organizations can advertise an SMS number on websites, brochures, and new patient literature to reach broader markets, streamline patient scheduling, and increase patient convenience.
Learn more about Snapengage’s Healthengage suite of HIPAA compliant tools, which provide secure, HIPAA compliant live chat, SMS messaging, and chatbots for optimal patient engagement, and stay ahead of industry standards.
- HIPAA-compliant website chat with third-party certification of compliance
- HIPAA-compliant SMS messaging
- Contract requirements (including BAA and Downstream BAA options)
- Data security, encryption, audit logs, and more.