The Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) requires Covered Entities (includes mental health practitioners) to evaluate the risks posted to any EPHI (electronic protected health information) that is transmitted or stored. Is texting in violation of HIPAA? The Privacy and Security Rules are complex; these rules do not mention texting as such, but they do include certain conditions that apply to electronic communications in the healthcare industry.
It is okay for a practitioner to send text messages to a patient, provided that the message complies with the “minimum necessary standard”. It is also okay to send messages by text when the mechanisms are in place to comply with the technical safeguards of the HIPAA Security Rule – such as an app for secure messaging. As a reminder - PHI can be: electronic
, written, spoken or heard.
PHI includes anything that can be used to identify a patient, as well as actual health information (e.g. diagnosis codes) and insurance and billing information. PHI includes but is not limited to a Patient’s:
- name
- address
- employer
- relatives’ names
- date of birth
- telephone number
- email address
- Social Security number
- Medical record number
- Member or account number
- Fingerprints, photo
- Characteristics (eg. job) – that could identify someone
If you are texting appointment reminders to clients you've opened the door for returned communication. Clients may assume you'll be available 24/7 for emergencies. Does your practice have communication guidelines established so that clients understand how and when to contact you in the event of an emergency. Ensure your practice is in compliance with this HIPAA standard; protect your practice by using a secure messaging app. For additional information go to www.HHS.gov search for Health Information Privacy.
|