Messaging apps have become the most common way for people to communicate. There are more messages sent than phone calls (more than 2 trillion messages were sent last year in the US). In fact, many choose to message rather than call for just about all types of communications. Messaging apps make it easy to send along attachments such as documents, pictures, and videos. Because of the pervasiveness and ease of use, it is very tempting to use messaging apps to send patient information to staff members within a practice. This would be a huge mistake.
Let’s go over the parts of the HIPAA regulations that relate to messaging. These are:
Nearly all messaging apps fail on all, or most, of these points. SMS, in its standard form, is completely unusable for PHI. The data isn’t encrypted and is easy to intercept along the way. In addition, sending a message to the wrong person is a real danger, and if that data isn’t encrypted, then you have disclosed PHI to an unauthorized party. This is similar to leaving a voicemail containing PHI and then finding out it was the wrong number.
Generally, there are two scenarios for using messaging apps with PHI. These are messaging patients and internal practice communications.
If your practice wants to send messages to patients, then you must use a system that is set up to be HIPAA compliant. Each message sent through a non-compliant system is a violation on its own. Normal SMS, WhatsApp, Facebook Messenger, etc. are not compliant and cannot be used. After setting up a compliant messaging system, you also must get each patient’s permission, in writing, to message them via the system.
Internal communications are a more common use of messaging apps in healthcare. This is possible through a variety of services, but just like with email, you must have a Business Associate Agreement in place with the service provider.