Health Information Management

Q&A: Text messaging

HIM-HIPAA Insider, April 6, 2009

Q. We have quite a few doctors dumping their answering service and going to a text messaging environment. Most use the same mobile service provider and want us to send text messages including patient PHI when we need to contact them. The mobile vendor’s text site is encrypted, but it is unclear whether the transmission to the pager is. Is this a violation of the HIPAA rules?

A. It is likely a violation of the HIPAA security rule’s implementation specification regarding encryption of PHI transmissions. Even though the rule identifies encryption as an addressable implementation specification, a covered entity would be hard pressed to justify transmitting PHI unencrypted, given the improvements in encryption technology and the significant reduction in cost since the rule’s finalization five years ago.

Even if the mobile carrier offers secure text messaging within its network, if the text message is sent through another carrier, sent unencrypted to pagers, or sent using the mobile carrier’s roaming services (in essence, cell towers that are owned by another carrier), there is a risk the text message can be intercepted.

There are at least a few solutions on the market that would support secure communication to and between mobile devices, but the solutions require the installation of the encryption on all mobile devices that will send and receive PHI.

These solutions will not provide protections for PHI transmitted to pagers—only mobile phones.

Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
