
Text Messaging - Is It HIPAA secure?

Text messaging uses industry-standard protocols carried over landlines or digital subscriber lines (DSL), cable networks, fiber optic, or mobile phone networks to exchange short text messages. Short Message Service (SMS) is the most widely used text messaging system in the U.S. SMS services that are also components of a telephone, a telephone network, the internet, or a mobile telecommunication system offer convenience; however, they present some risks as well.

The majority of SMS messages are delivered as mobile phone-to-mobile phone messages; however, delivery has expanded to include other electronic routes:

  • E-mail-to-mobile phone number
  • Mobile phone number-to-e-mail address
  • Phone number-to-alphanumeric pager
  • E-mail-to-alphanumeric pager

For example, a mobile phone user whose mobile phone number is 213-555-1212 could send and receive e-mails addressed to and from 2135551212@txt.xyz.co.uk as text messages.

Some restrictions apply to this type of messaging. Only the first 160 characters of an e-mail message will be delivered to a mobile phone, and only 160 characters can be sent from a mobile phone to an e-mail user.

Because SMS services travel over the public telephone network and its equipment, they are not HIPAA secure unless encrypted. Many SMS services on the market advertise encryption safeguards and HIPAA-secure environments. However, a thorough investigation and understanding of these services prior to any contracting is a must. Also, remember that text data is never truly gone! This data (the text message), even if encrypted, is stored on the telecom service's servers, on your mobile phone in the Subscriber Identity Module (SIM) card, or both.

A covered entity must comply with 45 CFR § 164.306 and must implement a mechanism to encrypt and decrypt electronic protected health information (45 CFR § 164.312(a)(2)(iv)), and must implement the Advanced Encryption Standard (AES) with either 128-bit or 256-bit keys.
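As an added illustration, not part of the original article, the Go program below encrypts a message with AES-256-GCM before it is handed to an SMS channel and shows how much of the 160-character segment the nonce, authentication tag and base64 encoding consume. The GCM mode, the base64 transport encoding and the all-zero demo key are assumptions made for this example; a real deployment loads the key from a key manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

const SMSLimit = 160 // single-segment SMS budget stated in the article

// NewSMSCipher builds an AES-GCM AEAD; a 32-byte key selects AES-256 (16 bytes gives AES-128).
func NewSMSCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSMS returns nonce||ciphertext||tag as base64, so the sealed message
// can travel through a text-only SMS channel. A fresh random nonce is drawn per message.
func EncryptSMS(gcm cipher.AEAD, plaintext []byte) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// DecryptSMS reverses EncryptSMS; the GCM tag check rejects tampered or wrong-key messages.
func DecryptSMS(gcm cipher.AEAD, msg string) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(msg)
	if err != nil || len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("malformed sealed message (%d bytes, decode error: %v)", len(sealed), err)
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// MaxPlaintext: 160 base64 chars carry 120 raw bytes; the 12-byte nonce and 16-byte tag leave 92.
func MaxPlaintext() int { return SMSLimit/4*3 - 12 - 16 }

func main() {
	gcm, _ := NewSMSCipher(make([]byte, 32)) // constructed all-zero demo key; load a real key from a key manager
	msg, _ := EncryptSMS(gcm, []byte("Appt Tue 10:30 with Dr. Lee"))
	pt, _ := DecryptSMS(gcm, msg)
	fmt.Printf("%d chars (limit %d), max plaintext %d bytes, roundtrip %q\n", len(msg), SMSLimit, MaxPlaintext(), pt)
}
```

Anything longer than 92 bytes of plaintext spills into a second segment, and a message that is truncated or altered in transit fails the GCM tag check instead of decrypting to garbage.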


Authored by  
Allan Ridings
Senior Risk Management & Patient Safety Specialist


If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.