Using SMS and texting in a HIPAA compliant way takes both knowledge and documentation. While HIPAA compliance is not required for every center, many choose to be under the rules that HIPAA requires. Whether you are required to be under HIPAA (or a similar state law) or are choosing to be, make sure you and your texting provider are following HIPAA in these five required areas:
1. Systems Matter: To be HIPAA compliant, your texting provider AND their backend provider must be HIPAA compliant. In addition, you need a BAA (business associate agreement) with your provider and your provider must have a HIPAA agreement with their back-end provider. Put in real terms, to be HIPAA compliant, you need to have a BAA with HopeSync (you can request that here) and HopeSync needs to have a BAA with Twilio (our backend provider). In our case, we pay Twilio $1000 per month to be HIPAA compliant in their technology and maintain that necessary BAA. If you use any other texting provider, make sure they have a BAA with their backend systems (like Twilio) or your texts will not be HIPAA compliant during transmission.
2. Back-ends Matter: US Department of Health and Human Services (HHS) has made it clear through multiple cases that, even though the client can receive protected health information (PHI) in insecure methods (texting/email), the communications and systems used by the provider must be secure and compliant when dealing with PHI. All communications about clients must be on a secure system and communications with clients can only be insecure on their side and only if you follow the behavior rules (below). All texts sent via HopeSync are secure in storage and transmission but the lack of control on the client's phone requires additional steps (see below) to be completed first. These steps do NOT apply to co-workers or partners as your internal communications about clients must always remain on secure systems. Simply put, NEVER use SMS or email to discuss a client with a co-worker or outside entity. Only use secure means of data transmission such as client notes and tags inside of HopeSync.
3. Behavior Matters: HIPAA compliance with texting is not just technology, it is behavior. If you are under HIPAA, you may not send an SMS with PHI to a client unless:
- the client requests it in that format
- the client is notified of the risks of insecure communications
- the notification and request are documented
HopeSync allows these three requirements to be completed easily and quickly. First, by texting in, the client is requesting information to be sent via text. Second, the disclaimer is immediately sent back to the client when they text in for the first time (or for the first time in a while). Third, all of this is documented inside of HopeSync. If you START a conversation with a client in HopeSync, ensure you have already received permission and documented their agreement to continue the conversation via text. You can do this on your intake form or verbally, but it must be documented. If you have not done so, do not send any PHI in the conversation until you have obtained and documented their permission and agreement.
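The three conditions above (request, risk notification, documentation) can be enforced as a gate in front of every outbound message that contains PHI. The following is an added example written for this article, not HopeSync's own code; the 90-day re-notification window, the disclaimer wording and the phone number are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed: how long a risk notification stays "current" before it is re-sent.
RENOTIFY_AFTER = timedelta(days=90)
# Constructed placeholder wording; a real disclaimer is set by the organization.
DISCLAIMER = "SMS is not a secure channel; messages may be read by others."

@dataclass
class ClientConsent:
    phone: str
    requested_sms: bool = False            # condition 1: client asked for text
    last_notified: Optional[datetime] = None  # condition 2: risk notice sent
    audit: List[str] = field(default_factory=list)  # condition 3: documentation

def _notification_current(c: ClientConsent, now: datetime) -> bool:
    return c.last_notified is not None and now - c.last_notified <= RENOTIFY_AFTER

def handle_inbound(c: ClientConsent, now: datetime) -> Optional[str]:
    """Client texted in: record the request and return the disclaimer text
    if it must be sent (first contact, or notice older than RENOTIFY_AFTER)."""
    c.requested_sms = True
    c.audit.append(f"{now.isoformat()} inbound text: client requested SMS")
    if not _notification_current(c, now):
        c.last_notified = now
        c.audit.append(f"{now.isoformat()} risk disclaimer sent")
        return DISCLAIMER
    return None

def record_intake_consent(c: ClientConsent, now: datetime, source: str) -> None:
    """Staff-initiated conversations: consent gathered on intake form or verbally,
    which covers both the request and the risk notification once documented."""
    c.requested_sms = True
    c.last_notified = now
    c.audit.append(f"{now.isoformat()} consent documented via {source}")

def may_send_phi(c: ClientConsent, now: datetime) -> bool:
    """Outbound PHI is allowed only when the request and a current notification
    are both on record; everything else must go over a secure channel."""
    return c.requested_sms and _notification_current(c, now)
```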
4. Storage Matters: Your client’s data must be stored in a way that it is encrypted at rest. HopeSync doubles down on this. Your client’s data is encrypted at the database and record level and again at the content level. Put another way, all conversations with your clients are double encrypted, which is beyond the security required by HHS.
5. Documentation Matters: Finally, if you are HIPAA compliant, you should have a very thick folder (or a very big online folder) documenting your many procedures, such as disk destruction, access control to your facilities, and required password-protected screen savers. Your providers should have the same. Here at HopeSync, we have built out all of these policies and have monthly meetings with our HIPAA compliance team to ensure we are keeping up on what is required to be HIPAA compliant. Don't shortcut the documentation part of the process, as it is a major requirement of compliance.
HIPAA compliance is a complex topic, and understanding SMS and HIPAA is important for client communications. If your center falls under HIPAA or is choosing to be under HIPAA, ensure that your SMS providers are HIPAA compliant. HopeSync has done the work to have true HIPAA compliance, and we hope whoever you choose will work equally hard to protect your client’s data.