The simple answer is, “Yes, unless the practice has put in place a secure messaging service that is HIPAA compliant.”
HIPAA does not specifically address text, email or any other new communication channel, such as chat apps. That was an intentional decision due to the speed of technological developments. However, it does mandates that dentists and other healthcare providers must keep records on how they store their electronic Protected Health Information (ePHI) and how it is transmitted. There must also be clear records of who has access to these records and how they are accessed.
Text is a form of SMS (short message service), and most SMS systems are not HIPAA compliant. HIPAA stipulates that:
- No matter what the communication channel, each authorized user must have a login name and PIN that is unique. Communications must be monitored and logged by the practice.
- The communications channel must have an automatic logoff function to prevent accidental access to ePHI by unauthorized users.
- All communications must be encrypted during transit so that they could not be read if the user is connected to the internet through a public Wi-Fi network.
The Size of the Problem
Out of ignorance or willful negligence, many healthcare professionals have violated HIPAA regulations on a regular basis. A recent study of physicians found that:
- 60 percent had sent work-related texts and 61 percent had received them.
- 46 percent said that they had concerns about texting and patient privacy laws.
- 30 percent said that they had received protected ePHI via text.
- 12 percent had either received or sent texts more than 10 times during a shift.
The last statistic may be the most alarming because fines and criminal charges can be filed for each individual text.
Risks of Violating HIPAA by Text
The size of the fine or further legal action depends on whether the use of text for ePHI consisted of “willful negligence” and how the dental practice responded. Willful neglect or negligence is defined by HIPAA as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”
If a medical practice violates HIPAA laws due to willful neglect but takes actions to correct the situation within a specified time, the fine range from $10,000 per occurrence to a maximum of $250,000 per year. If the practice does not take actions within that time, the fine will range from $50,000 per occurrence to a maximum of $1.5 million per year. The U.S. Department of Justice (DOJ) also concluded that individuals who knowingly disclose ePHI can be held criminally liable and subject to prison terms.
How Texting Can Be Secure
Recently, HIPAA compliant SMS apps like TigerText have been built to handle these specialized communications needs. The security on this type of system makes it possible to use SMS to share information with other dentists, healthcare professionals, health insurance representatives, employers with HIPAA-covered healthcare plans, and third party healthcare service providers.
Another HIPAA compliant text application designed especially for dentists is Awrel. Arnold Rosen, DDS and CEO of Awrel, explained why texting patient information has been common in specialty practices like dentistry. “There’s a huge amount of collaboration. The majority of it happens on cellphones.”
The most important takeaway is that texting is not a secure channel as a general rule. However, under some very special circumstances, dentist may send texts to patients or other dentists. Contact your professional legal representative for guidance in these gray areas.
Contact our dental focused team at Goldin Peiser & Peiser for further information on ways to help your dental practice grow and thrive in this competitive market.
Note: This content is accurate as of the date published above and is subject to change. Please seek professional advice before acting on any matter contained in this article.
The post Does Texting Violate HIPAA Regulations? appeared first on GPP Dental.