Award Details

Using SMS and texting in a HIPAA compliant way takes both knowledge and documentation. While HIPAA compliance is not required for every center, many choose to be under the rules that HIPAA requires (see below for details). Whether you are required to be under HIPAA (or a similar state law) or are choosing to be, make sure you and your texting provider are following HIPAA in these five required areas:

1. Systems Matter: To be HIPAA compliant, your texting provider AND their backend provider must be HIPAA compliant. In addition, you need a BAA (business associate agreement) with your provider, and your provider must have a BAA with their back-end provider (HIPAA treats that back-end provider as a subcontractor business associate). In concrete terms, to be HIPAA compliant you need to have a BAA with BrightCourse (you can request that here) and BrightCourse needs to have a BAA with Twilio (our backend provider). In our case, we pay Twilio $1000 per month for their HIPAA-eligible service and to maintain that necessary BAA. If you use any other texting provider, make sure they have a BAA with their backend systems (like Twilio), or your texts will not be HIPAA compliant during transmission.

2. Back-ends Matter: The US Department of Health and Human Services (HHS) has made it clear through multiple cases that, even though the client may receive protected health information (PHI) by insecure methods (texting/email), the communications and systems used by the provider must be secure and compliant when dealing with PHI. All communications about clients must be on a secure system; communications with clients may be insecure only on the client's side, and only if you follow the behavior rules (below). All texts sent via BrightCourse are secure in storage and transmission, but the lack of control over the client's phone requires the additional steps (see below) to be completed first. These steps do NOT apply to co-workers or partners: your internal communications about clients must always remain on secure systems. Simply put, NEVER use SMS or email to discuss a client with a co-worker or outside entity.

3. Behavior Matters: HIPAA compliance with texting is not just technology, it is behavior. If you are under HIPAA, you may not send an SMS with PHI to a client unless:

  • the client requests it in that format
  • the client is notified of the risks of insecure communications
  • the notification and request are documented

BrightCourse allows these three requirements to be completed easily and quickly. If you have a BAA with BrightCourse, you will not be able to text a client until they give consent and agree to have the conversation using SMS. The disclaimer and request for their approval is automatically sent the first time you try to send a message, and the client must reply in the affirmative before the conversation can continue. If you do not see this in your BrightCourse account, you may not have an active BAA with us; you can request that here.
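The workflow just described (disclaimer goes out first, nothing else is sent until an affirmative reply is on file, and the reply is documented) is easy to get subtly wrong, so here is an added example of the gate as a small state machine in front of the outbound-SMS path. This is illustrative code written for this page, not BrightCourse's implementation; the disclaimer wording, the `send_sms` transport hook and the reply keywords are assumptions. It also covers the edge case the page implies but does not spell out: a client who has consented and later answers "no" to an ordinary question must not be treated as revoking consent, while an explicit STOP must be.

```python
"""Consent gate for free-form SMS that may contain PHI.

Added example, not BrightCourse code. Models the three-step rule from the
text (notify the client of the risk, obtain an affirmative request, document
it) as a state machine. Disclaimer wording, keyword sets and the transport
callback are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, Optional

# Assumed wording. It goes out BEFORE consent exists, so it must contain no PHI.
DISCLAIMER = (
    "Text messages are not a secure channel and could be read by a third "
    "party. Reply YES to receive messages by text, or STOP to decline."
)

AFFIRMATIVE = {"yes", "y", "ok", "okay", "agree", "i agree"}
REVOKE = {"stop", "unsubscribe"}             # revokes consent in any state
NEGATIVE = REVOKE | {"no", "n", "decline"}   # declines only while a request is pending


class ConsentState(Enum):
    NONE = "none"          # disclaimer never sent
    PENDING = "pending"    # disclaimer sent, no usable reply yet
    GRANTED = "granted"    # affirmative reply on file
    DECLINED = "declined"  # client declined or revoked


@dataclass
class ConsentRecord:
    """The documentation step: what was sent, when, and the client's exact reply."""
    state: ConsentState = ConsentState.NONE
    disclaimer_sent_at: Optional[datetime] = None
    reply_text: Optional[str] = None
    replied_at: Optional[datetime] = None
    events: list = field(default_factory=list)   # (timestamp, event, detail); never holds PHI


class ConsentGate:
    def __init__(self, send_sms: Callable[[str, str], None],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._send = send_sms   # assumed transport hook (e.g. a wrapper around your SMS API)
        self._now = now
        self._records: dict[str, ConsentRecord] = {}

    def record(self, phone: str) -> ConsentRecord:
        return self._records.setdefault(phone, ConsentRecord())

    def _log(self, rec: ConsentRecord, event: str, detail: str = "") -> None:
        rec.events.append((self._now(), event, detail))

    def send_to_client(self, phone: str, body: str) -> str:
        """Outbound path. Returns 'sent', 'disclaimer_sent', 'blocked_pending'
        or 'blocked_declined'. A blocked body is NOT queued for later: the
        only thing that leaves without consent is the PHI-free disclaimer."""
        rec = self.record(phone)
        if rec.state is ConsentState.GRANTED:
            self._send(phone, body)
            self._log(rec, "sent")
            return "sent"
        if rec.state is ConsentState.NONE:
            self._send(phone, DISCLAIMER)
            rec.state = ConsentState.PENDING
            rec.disclaimer_sent_at = self._now()
            self._log(rec, "disclaimer_sent")
            return "disclaimer_sent"
        if rec.state is ConsentState.PENDING:
            self._log(rec, "blocked_pending")
            return "blocked_pending"
        self._log(rec, "blocked_declined")
        return "blocked_declined"

    def handle_inbound(self, phone: str, text: str) -> ConsentState:
        """Inbound path. Only an exact affirmative keyword while PENDING grants
        consent; anything ambiguous leaves the state unchanged for a human to
        review. Once GRANTED, only an explicit STOP/UNSUBSCRIBE revokes, so a
        plain "no" answering a question does not silently cut the client off."""
        rec = self.record(phone)
        normalized = text.strip().lower().rstrip("!.")
        if rec.state is ConsentState.PENDING and normalized in AFFIRMATIVE:
            rec.state = ConsentState.GRANTED
        elif rec.state is ConsentState.PENDING and normalized in NEGATIVE:
            rec.state = ConsentState.DECLINED
        elif normalized in REVOKE:
            rec.state = ConsentState.DECLINED
        else:
            self._log(rec, "reply_ignored_for_consent")
            return rec.state
        rec.reply_text, rec.replied_at = text, self._now()   # document the verbatim reply
        self._log(rec, rec.state.value, text)
        return rec.state
```

Wire `send_to_client` in front of every free-form text and `handle_inbound` to the inbound webhook; the `ConsentRecord` for each number is what you keep as the documentation of notification and consent. Note that the gate deliberately does not hold the blocked message: storing PHI in a pending queue against a number that has not consented creates exactly the kind of unconsented record the rule is meant to prevent.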

4. Storage Matters: Your client's data must be stored encrypted at rest. BrightCourse doubles down on this: your client's data is encrypted at the database level and again at the record and content level. Put another way, all conversations with your clients are encrypted twice, which goes beyond what HHS requires (the HIPAA Security Rule lists encryption of stored data as an "addressable" specification rather than a strict requirement).

5. Documentation Matters: Finally, if you are HIPAA compliant, you should have a very thick folder (or a very big online folder) documenting your many procedures, such as disk destruction, access control to your facilities, and required password-protected screen locks. Your providers should have the same. Here at BrightCourse, we have built out all of these policies and have monthly meetings with our HIPAA compliance team to ensure we are keeping up with what is required to be HIPAA compliant. Don't shortcut the documentation part of the process, as it is a major requirement of compliance.

A look at the HIPAA Rules

HIPAA compliance is a big concern for medical clinics, and understandably so. Before working through the concerns of HIPAA, the first thing to ask is whether the law applies to your location. Most social service programs are NOT regulated entities under HIPAA. Only a few of our customers become "covered entities", and they do so by accepting insurance payments for medical services provided to clients. Nine out of ten of our customers are not covered under HIPAA and have no obligation to follow the regulations. Some states have medical privacy laws in addition to HIPAA; where a state law is more stringent than HIPAA, the state law governs, so check your state's rules as well. We aim to be HIPAA compliant so that our systems are secure and safe. If you are not covered under HIPAA or a state law, you can use all of our systems knowing that we still treat your client's privacy with the highest level of care, both in transit and encrypted at rest. You can read more about which entities are covered here.

If you are one of the few customers on our systems covered by HIPAA, then you will want to request a BAA so that you are complying with HIPAA. In addition, you will need to limit access to our services to approved internal users only, with no shared accounts. Most of the data generated is not PHI, but we have added communications systems that may include PHI depending on how they are used. The good news is that many types of communication are still legal and usable if you follow the guidelines published by HHS. The 2013 Omnibus Final Rule from HHS provided a simple pathway for using unencrypted email to communicate PHI. The requirements are 1) warning patients that email is not secure, 2) gaining the patient's authorization, and 3) documenting the patient's consent. When asked whether this also applied to texting, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), the HIPAA enforcement agency, said that it did apply to SMS between providers and clients.

In short, unsecured texting and email can be HIPAA compliant for PHI as long as 1) you follow the notification, agreement, and documentation steps, 2) you are texting and emailing from a HIPAA compliant system, and 3) all inter-system back-end communications (between providers) are HIPAA compliant. We have all three of these built into our system.

Right of Access by Client

What has recently emerged and played a larger role in HIPAA policy is the right of the client to access their medical records. The email ruling (see below for the exact text) was made for the express purpose of giving clients easy access to their own information. HHS found that covered entities needed to provide easy access to PHI and could do so over common channels if the client was informed of the risks and agreed. This is the exact reasoning Severino gave for equating SMS with email: "I think it's empowering the patient, making sure that their data is as accessible as possible in the way they want to receive it, and that's what we want to do." In fact, the HHS Office for Civil Rights is the enforcement agency for HIPAA because the government sees both privacy and access as civil rights.

PHI and Messaging

Any message that includes Protected Health Information (PHI), including test results, treatment information, or billing information, is covered under HIPAA (if you are a covered entity). While most of the data created by this service is not PHI, we do have a number of features that may include PHI depending upon the input by users. These systems include our client notes system and our communications system. 

Client Notes System: Because users are entering free text, notes may be PHI depending on what content is added. Notes are encrypted per organization, both in transit and at rest, and are not readable by other organizations. Notes are also logged, with historical versions archived. The notes are secure and can be used in a HIPAA compliant way.

Client Communication System: Texting a client or having a video chat with them is very convenient, but it can include PHI (if entered by either party). Following the 2013 Omnibus Final Rule guidelines, we require disclosure of the risk, agreement by the patient, and documentation of that agreement. While we recommend that you include that disclosure and require agreement on your intake form, we will still require it before you send free-form texts to a client.

In short, we have built a system that can be HIPAA compliant for those entities under the HIPAA regulations. While most of our customers are not under that law in their communications, the few that are can use our system in a HIPAA compliant way.

In the Words of HHS

The email guidance that Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), the HIPAA enforcement agency, equated with SMS: "We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We...expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request. Further, covered entities are not responsible for safeguarding information once delivered to the individual." 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, Final Rule, page 70, https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf

PLEASE NOTE: While we have read over both the law and the HHS interpretations of the law, we are not experts in this matter. You should consult a qualified legal expert for all matters pertaining to any action covered by the law.