For IT professionals working in the healthcare sector, this raises a number of important questions: how does texting work with regard to HIPAA? Is it a violation to send a text message to a covered entity? Is it a violation to receive a text message from a covered entity? Can patients communicate with the covered entity by text if they wish to?
Unfortunately, there is no simple yes or no answer to these questions. Performing a mobile device risk analysis is your starting point; if you are not ready (or able) to do this, you will never be able to answer these questions with any confidence. According to the Department of Health and Human Services, the answer depends on whether the communication is encrypted (for example, through a third-party secure messaging solution) and on the results of your mobile device risk assessment.
Performing a mobile device risk assessment
A mobile device risk assessment needs to be undertaken for all of the covered entity's network(s) to understand what is at stake. If you want to know where to start, here are the five steps the Department of Health and Human Services recommends for a full mobile device risk assessment:
- Decide: Decide whether mobile devices will be allowed to access, receive, transmit, or store ePHI.
- Assess: Conduct a risk analysis to identify threats and vulnerabilities. This analysis can be performed by an individual or by a company.
- Identify: Identify and implement a risk management strategy to reduce the risks found in your risk analysis. This includes regularly scheduled evaluations of the strategy to confirm that it is reducing risk and keeping the organization in compliance.
- Develop, Document, and Implement: Continue to develop and document your risk management strategy. Once it is developed and documented, be sure to implement it properly.
- Train: Conduct mobile device privacy and security awareness training, and schedule regular refresher training, for providers and health professionals.
Further reading on mobile device compliance for HIPAA
This link offers more detailed guidance on deciding, assessing, identifying, developing, documenting, implementing, and finally training providers and health professionals in the proper way to use and protect these devices.
If you want to do further reading on this topic, a good starting point is this link about mobile devices (including computers) and HIPAA [Federal Register, Vol. 78, No. 17, Final Rule, §164.524(c)(3)].