Secure Mobile Messaging in Healthcare: 4 Recommendations to Remain HIPAA Compliant

A research study, the State of Clinical Communication and Workflow in healthcare organizations, revealed that 51% of IT respondents planned to implement smartphones for clinical communications. This shows that secure mobile messaging is a priority for healthcare providers as they seek to improve patient care.

Email alerts that remind patients of an upcoming doctor’s appointment are useful reminders to prevent missed appointments. But the benefits of mobile messaging in healthcare extend far beyond this capability. 

Health industry professionals and IT professionals working in healthcare also overwhelmingly believe (90%) that a unified app that integrates communications with clinical workflows will achieve better clinical, financial, and operational outcomes. 

Mobile messaging can improve patient care through improved communications as well as allowing a care team to share information about a patient to improve collaboration.

But mobile messaging poses cybersecurity and privacy risks if not handled appropriately. One of the main compliance requirements for mobile messaging is HIPAA Privacy and Security compliance and that protected health information (PHI) must be secured. HIPAA compliance is not optional.

Is Text Messaging HIPAA Compliant?

Not always. Here’s why:

• SMS messaging isn’t secure and the data is vulnerable to unauthorized access in transmission.
• Messages on a wireless provider’s server aren’t encrypted.
• Messages can be deleted at any time by either the sender or receiver.
• Smartphones can be lost or stolen, increasing the risk of exposure of PHI on the device.

You cannot simply use your phone to text a patient a diagnosis or ask a colleague their opinion. 

However, the HIPAA Privacy Rule does not prohibit mobile messaging, though neither does HIPAA provide specific recommendations for protecting PHI sent via mobile messaging. 

As with any other technology used to store or transmit PHI, the HIPAA Security Rule provides a list of controls that will allow secure mobile messaging when followed: unique user identification, automatic logoff, encryption/decryption, auditing, integrity management, authentication, and transmission security. 

HIPAA-covered entities and business associates must apply these rules to be able to use mobile messaging securely. 

4 Recommendations for Secure Mobile Messaging in Healthcare

Healthcare providers want to be able to share patient information via mobile devices to improve patient care. How can a HIPAA-covered entity take advantage of mobile messaging and stay within the HIPAA rules? These four recommendations will get you started.

1. Conduct a risk analysis. Before implementing mobile messaging, assess the level of risk. Will users need more training to use the tools properly? Is the infrastructure robust enough to secure PHI? . 
2. Factors for a secure texting platform. There are five factors to check for in a secure mobile messaging solution:
1. Messages are encrypted in transit and at rest.
2. The platform requires recipient authentication.
3. Where does the data live? If it’s in a cloud platform, does it have secure hosting to archive and/or download sensitive content?
4. Are emergency recovery procedures (data backup, disaster recovery, etc.) in place?
5. If using a third-party provider, will the vendor sign a business associate agreement and commit to implementing administrative, technical and physical safeguards to protect any PHI that the vendor accesses? 
3. Audit trails and controls. Messages must have an audit trail to track who sent what data and when they sent it. Messages related to a patient should be stored as part of a patient’s health record. Document retention and disposal policies should be enforced as with any other record. 
4. Policies for phone loss. Whether the smartphone used is personal or provided by the company, policies must be in place to prevent a breach of PHI. This can include the ability to retrieve and/or delete data remotely, requiring two-factor and/or biometric authentication to access the device, and extensive security training for users.

Mobile Messaging Can Be HIPAA Compliant

Solutions for secure, HIPAA-compliant mobile messaging exist and can be found on the Internet. Regardless of whether you create your own system or use an existing one, your organization is responsible for your patients’ PHI. 

Conduct reasonable due diligence, follow these four recommendations, and continually evaluate your cybersecurity defenses and your organization will reap the benefits of mobile messaging.