Page 10 - 2021 Risk Reduction Series - Communication Part Two
SVMIC Risk Reduction Series: Communication
place certain safeguards. Depending on the content of the
text message, who the text message is being sent to, or the
mechanisms put in place to ensure the integrity of the ePHI,
texting can be in compliance with HIPAA in certain limited
circumstances.
Messages can be sent by text, provided that the content of
the message does not include personal identifiers and that
the message complies with the minimum necessary standard.
The technical safeguards of the HIPAA Security Rule require
access controls, audit controls, integrity controls, methods for
ID authentication, and transmission security mechanisms when
PHI is being transmitted via text. Among these requirements are
the following:
• Access to PHI must be limited to authorized users who
require the information to do their jobs.
• A system must be implemented to monitor the activity
of authorized users when accessing PHI, and those
with authorization to access PHI must authenticate
their identities with a unique, centrally issued username
and personal identification number (PIN). Policies and
procedures must be introduced to prevent PHI from being
inappropriately altered or destroyed.
• Data transmitted beyond an organization’s internal
firewall should be encrypted to make it inaccessible if it is
intercepted in transit.
SMS and IM text messages (the types commonly used by
most everyone today) often fail on all these counts. Senders
of SMS and IM text messages have no control over the final
destination of their messages. They could be sent to the wrong