The researchers — from the Seattle & King County Department of Public Health — wrote that they are not aware of case law or HHS guidance addressing whether text messages are subject to the HIPAA Security Rule. However, they wrote that a text message “arguably is within the [HIPAA] definition of electronic media because it involves data that exist in electronic form prior to transmission” (Slabodkin, FierceMobileHealthcare, 2/25).Details of Report
In a case study, the researchers examined two approaches for using text messages to send reminders to lower-income parents whose children needed a follow-up influenza shot.
They determined that planned messages that included the child’s name and a reference to a “second flu shot” contained patient health data as defined by HIPAA, specifically the patient’s name and the implication that the child already had received a flu shot.
The first text messaging approach developed for the case study eliminated the patient’s name and made the language more generic.
The second approach sought to meet HIPAA standards while still including the information by requiring recipients to sign a security waiver at the time they signed up for the text message reminders (Comstock, MobiHealthNews, 2/20).
However, the researchers determined that “no communication method is 100% secure, and text messaging is no different.” They concluded that sending messages containing personal health data is a policy decision that must be made by decisionmakers at each health system.Recommendations
The researchers wrote, “We recommend that the federal government take steps now to clarify how health departments can reasonably use text messaging to send protected health information.”
They added, “Until guidance is available and regulations are better defined, many health departments will lose the opportunity to use the technology in the most effective way” (FierceMobileHealthcare, 2/25).