Is SMS Texting HIPAA Compliant?

SMS texting makes it easy and convenient for physicians and healthcare staff to communicate. It also drives patient engagement and improves operational and administrative efficiencies. But how safe is it? Is SMS texting HIPAA compliant? 

HIPAA rules don’t explicitly mention SMS text messaging. But HIPAA Covered Entities (CE) and Business Associates (BA) must maintain technical control over any form of communication, such as email and messaging, involving electronic Protected Health Information (ePHI), and that includes SMS texting.

For example, SMS texts are always in violation of HIPAA Rules if they contain any ePHI without the patient’s permission. Beyond that, SMS texting is not HIPAA compliant because it isn’t encrypted.

 

Healthcare organizations must maintain technical control 

 

ePHI that is transmitted outside of technical control, such as a firewall, has to be protected by encryption to NIST standards. Technical control must not only allow patients to access their ePHI, but must also ensure the confidentiality and integrity of the ePHI at all times.  

Device control can also be a problem. If a sender or receiver of an SMS text message containing ePHI loses their device, they lose technical control. And, of course, SMS texts can be accidentally sent to the wrong person.

HIPAA penalties are steep — $50k per violation per day, up to $1.5M per year. The only way for Covered Entities and Business Associates to take advantage of the benefits of SMS texting and avoid violating HIPAA rules is to adopt a secure text messaging solution.

 

Secure SMS text messaging solutions for HIPAA compliance

 

Secure text messaging solutions exist for healthcare organizations to facilitate HIPAA compliant SMS texting for physicians, nurses, staff, and patients. 

Secure text messaging solutions incorporate the technical controls necessary to ensure that ePHI remains safe from interception by unauthorized individuals during and after transmission.

Technical controls must include access, audit, integrity, and security controls to ensure HIPAA compliance.

  • Access controls monitor who can access what within an enclosed network by governing login credentials, role-based permissions, and messaging procedures. 
  • Audit controls record when ePHI is created, accessed, transmitted, changed, or deleted. 
  • Integrity controls protect ePHI from being corrupted or tampered with.
  • Security controls — such as end-to-end encryption — ensure that data is protected while in transit and data audit trails are recorded. If an employee loses their phone, data can be remotely erased.

 

The added benefits of HIPAA compliant messaging tools

 

HIPAA compliant SMS provides a variety of benefits to healthcare organizations, from more efficient patient care and new patient acquisition to flexibility in administration and marketing.

A HIPAA compliant SMS texting platform combined with other HIPAA compliant tools, such as live chat with omnichannel integration, opens up even broader communication channels such as SMS-to-chat and social media messaging access.

CRM and database integration options give healthcare organizations analytical and organizational insights into business processes for data-driven improvements across the board. 

Finally, today’s consumers prefer to communicate with their mobile phones — and patients aren’t any different. With a business SMS line, healthcare organizations can advertise an SMS number on websites, brochures, and new patient literature to reach broader markets, streamline patient scheduling, and increase patient convenience. 

Learn more about SnapEngage’s Healthengage suite of HIPAA compliant tools, which provides secure, HIPAA compliant live chat, SMS messaging, and chatbots for optimal patient engagement, and stay ahead of industry standards.

  • HIPAA-compliant website chat with third-party certification of compliance
  • HIPAA-compliant SMS messaging
  • Contract requirements (including BAA and Downstream BAA options)
  • Data security, encryption, audit logs, and more.

Introduction to our New Security Settings

Nothing can bring a real sense of security except true love. We do love you, for sure, but in a world of complex threats we want to, tangibly, offer you a secure service as well.

That is why we’re proudly introducing our new Security Settings!

Over the past few weeks, our conscientious team of developers has been working on a series of configurable settings that will protect you more effectively against malicious hacking and mischief. As the account owner, you, and only you, will now have actual control over the security of your SnapEngage account.

*The new security settings are available on premier, unlimited and enterprise accounts.


Password Rules

The security of your team’s passwords is imperative for the overall security of your account. You are now able to choose among and combine a series of password requirements that add to password complexity and increase the difficulty of password cracking.

Being safe is good, but being paranoid about safety could drive your team crazy: every time you increase the requirements for your passwords, all of your users’ passwords will expire. For your users’ sake, keep this to a minimum!


Password Complexity

Your password complexity can be based on four different elements, namely length, mIxed caSE LetTers, special characters! and user information.

Length

Each added character in your password increases exponentially the time it would theoretically take for it to be cracked. ‘alongerpassword’ would be harder to crack than ‘password’. Thus, you can require your users to set their password using a certain number of characters.

Require letters in mix case

Requiring your users to combine both upper case and lower case characters also improves password strength. In such a case ‘notsafepassword’ would not be accepted, and ‘safePassword’ would have to be used instead.

Require at least one special character

Can question marks strengthen your password? Yes they can!!! Exactly as exclamation marks can. So, require your users to include at least one special character (non-alphabetic and non-numeric) in their passwords, so that instead of ‘notsafepassword’ they create ‘safepassword!’ or ‘safe+password’. With so many special characters, one can be quite creative 😉.

Password cannot contain user information

If someone tries to guess your password, it is more likely than not that they will also try to get information from your users’ logins. This is common practice for hackers because it is also common for users to include elements from their login in their passwords in order to remember them more easily. That is why you should make sure that your users are not using parts of their login information in their password. Thus, if you log in to your SnapEngage account with the email [email protected], you would not be allowed to use either ‘name’ or ‘surname’ in your password.
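The four complexity rules above, combined into one validation function. This is an added example, not SnapEngage's code: the function names, the default minimum length of 10, the three-character token threshold and the constructed login `name.surname@example.com` are assumptions.

```python
import re

def login_tokens(email, min_len=3):
    """Tokens from the login's local part (assumed rule: split on non-alphanumerics,
    ignore fragments shorter than min_len so 'a' or 'jo' do not reject everything)."""
    local = email.split("@", 1)[0].lower()
    return [t for t in re.split(r"[^a-z0-9]+", local) if len(t) >= min_len]

def check_password(password, email, min_length=10, mixed_case=True,
                   special=True, no_user_info=True):
    """Return the names of the rules the password breaks (empty list = accepted)."""
    broken = []
    if len(password) < min_length:
        broken.append("length")
    if mixed_case and not (any(c.islower() for c in password)
                           and any(c.isupper() for c in password)):
        broken.append("mixed_case")
    # "Special" as the page defines it: non-alphabetic and non-numeric.
    if special and all(c.isalnum() for c in password):
        broken.append("special_character")
    if no_user_info:
        lowered = password.lower()  # compare case-insensitively
        if any(tok in lowered for tok in login_tokens(email)):
            broken.append("user_information")
    return broken

# Constructed login for illustration only.
LOGIN = "name.surname@example.com"

if __name__ == "__main__":
    for pw in ("notsafepassword", "safePassword", "safe+Password", "My+Surname1"):
        print(f"{pw!r}: {check_password(pw, LOGIN) or 'accepted'}")
```

Returning every broken rule at once lets the password form tell the user everything to fix in a single pass.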

Password Handling

Besides the password complexity per se, there are more tools at your disposal which can increase your account’s safety, the first one of them being the password originality.

Require password originality and forbid password reuse

Why prohibit password reuse? Because of risk mitigation and human psychology.

Imagine that you become aware of a password leak in your administration. The first and easiest thing to do would be to ask your account owner to reset all user passwords. Nevertheless, we humans tend to be wary of changing our passwords. Many of us would actually decide to just set our old password as our new one again; this, however, would render the safety action of resetting all passwords useless. To make sure this does not happen, you can disallow password reuse when a user renews their password.

You have the option to either not allow any password that has been used during the last 1, 6 or 12 months or any of the 5-8 most recently used passwords.


*If the two password settings get compared, we would consider the ‘x last passwords’ option more secure than ‘passwords in the last x months’.
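The two reuse settings can give different answers for the same password history, as this added example shows. It is not SnapEngage's code: the salted PBKDF2 storage, the 30-day month, the function names and the constructed history are assumptions.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

ITERATIONS = 100_000  # assumed work factor for this example

def hash_password(password, salt=None):
    """Salted PBKDF2 hash, so the history never stores old passwords in the clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def matches(password, salt, digest):
    """Constant-time comparison of a candidate against one stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def is_reused(candidate, history, now, last_n=None, months=None):
    """history: (retired_at, salt, digest) tuples, oldest first; retired_at is None
    for the password still in use. Pass last_n OR months to pick the policy."""
    if last_n is not None:
        window = history[-last_n:]
    else:
        cutoff = now - timedelta(days=30 * months)  # assumption: 1 month = 30 days
        # "Used during the last X months" = still in use, or retired after the cutoff.
        window = [h for h in history if h[0] is None or h[0] >= cutoff]
    return any(matches(candidate, salt, digest) for _, salt, digest in window)

# Constructed sample: two passwords retired 400 and 90 days ago, plus the current one.
NOW = datetime(2024, 6, 1)
HISTORY = [
    (NOW - timedelta(days=400), *hash_password("Winter+Coat22")),
    (NOW - timedelta(days=90), *hash_password("Spring+Rain23")),
    (None, *hash_password("Summer+Heat24")),
]

if __name__ == "__main__":
    old = "Winter+Coat22"
    print("12-month policy blocks it:", is_reused(old, HISTORY, NOW, months=12))
    print("last-5 policy blocks it:  ", is_reused(old, HISTORY, NOW, last_n=5))
```

For this user, who changes passwords rarely, the 12-month window has already dropped the oldest password while the last-5 setting still rejects it.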

Password expires automatically

By using this option you oblige your users to renew their password on a recurring basis (every 1, 3, 6 or 12 months).

Lock account after a number of failed login attempts

We are not robots, and the same applies to you and your colleagues. As humans, we all make mistakes and we are entitled to forget one of the many passwords that we are required to use in our everyday life. Many of us use multiple email accounts (personal and professional), Facebook, Twitter and other social media, credit cards, etc. These are many passwords and PINs that we need to remember.

Nevertheless, many failed attempts to log in to an account could also mean that somebody is trying to hack it. Thus, after a certain number of failed attempts you can have an account locked; it will then be unlocked again after a certain amount of time (unless it is specifically required to be locked permanently) or manually from the admin dashboard.
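The lockout behaviour described above (timed unlock, permanent lock, manual unlock by an admin) as an added example. It is not SnapEngage's code: the class name, the method names and the default thresholds are assumptions.

```python
from datetime import datetime, timedelta

class LoginLockout:
    def __init__(self, max_failures=5, unlock_after=timedelta(minutes=30)):
        self.max_failures = max_failures   # assumed default
        self.unlock_after = unlock_after   # None = locked until an admin unlocks
        self.failures = {}    # login -> consecutive failed attempts
        self.locked_at = {}   # login -> time the lock was applied

    def is_locked(self, login, now):
        locked = self.locked_at.get(login)
        if locked is None:
            return False
        if self.unlock_after is not None and now - locked >= self.unlock_after:
            self.admin_unlock(login)   # timed lock has expired, start fresh
            return False
        return True

    def record_attempt(self, login, success, now):
        """Return True if the login may proceed."""
        if self.is_locked(login, now):
            return False               # reject even a correct password while locked
        if success:
            self.failures.pop(login, None)   # a good login resets the counter
            return True
        self.failures[login] = self.failures.get(login, 0) + 1
        if self.failures[login] >= self.max_failures:
            self.locked_at[login] = now
        return False

    def admin_unlock(self, login):
        """Manual unlock, as from an admin dashboard."""
        self.locked_at.pop(login, None)
        self.failures.pop(login, None)

if __name__ == "__main__":
    t0 = datetime(2024, 6, 1, 9, 0)    # constructed timestamps
    lock = LoginLockout(max_failures=3, unlock_after=timedelta(minutes=15))
    for _ in range(3):
        lock.record_attempt("agent@example.com", False, t0)
    print("locked after 5 min: ", lock.is_locked("agent@example.com", t0 + timedelta(minutes=5)))
    print("locked after 15 min:", lock.is_locked("agent@example.com", t0 + timedelta(minutes=15)))
```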


Access Rules

To protect your account even further, you can restrict access to SnapEngage based on IP addresses. You can either give specific IP addresses or use wildcards.


For more details on the Access rules please click here.

Deactivate an agent’s account due to inactivity

Automatically deactivating an agent’s account if they haven’t logged in for a set amount of time is another safety measure that you can decide to use.

 

Whatever the settings that you decide to use are, please remember that the basic rule is to always play it safe. It might get a bit uncomfortable at some point but it can save you from a lot of trouble later.

 

 

Use Salesforce Solutions for your knowledgebase

Salesforce Solutions allows you to create articles to help answer common problems. By connecting your Solutions articles to SnapEngage you will be able to search these articles to quickly answer your customers’ questions from within the SnapEngage chat portal.

To set everything up please follow these steps:

Make sure that you have the Salesforce integration connected. You can check this by going to the “Integrations” tab in the admin dashboard where you should see this screen:


Look for the green “Connected” message. If it’s present, proceed by clicking on “Knowledgebases” tab then click on the Salesforce icon. If you see a red “Not Connected” message please follow these steps.


Next, click on the “Save” button:


After that, create a Solution in Salesforce if you don’t have one already:


Make sure that the Solution is set to reviewed; we will not list any drafts.


Now, whenever you get stuck, you can search your Solutions in the chat portal knowledgebase for the answer:


Good luck chatting!

SnapEngage Chat, Now Live in the SAP Store

We are very pleased to announce our newest integration with SAP and specifically the SAP Business ByDesign CRM. For those of you unfamiliar with SAP Business ByDesign and the SAP family of “Line of Business” applications, feel free to pop on over to the SAP Insider to learn more: “End-to-End Business Processes in the Cloud – A Tour of Today’s Business ByDesign” for some background that explains the solution.

Current SAP Business ByDesign customers can subscribe to SnapEngage from the SAP Store. Configuring the integration is easily done by logging into your account, heading right over to the Set Destination Tab, and clicking on the SAP logo. Once you input your credentials you will be all set to start sending your chats directly to ByDesign, as well as knowing more about your visitors when they come to chat with you.

As always, we love to hear from you. Please leave any comments or questions below or hit us up on chat. We are super excited to be the first cloud App from Google App Engine available for licensing on the SAP Store.