Does HIPAA Permit Texting Patients? – Part 1

The longer answer requires understanding 1) the content of the communication and whether it is Protected Health Information (PHI), 2) The technical protocol used for transmission of the text, 3) Whether any intermediaries are involved in transmitting the message and if there is a HIPAA Business Associate Agreement in place with them, 4) What type of authentication (e.g. password or biometric) is used to access the physician’s phone,  5) What kind of audit trails are maintained, and 6) Is the information used or transmitted anywhere else.

1. It’s necessary to understand  what is in the message and whether it is Protected Health Information (PHI).  PHI is “individually identifiable information relating to the past, present, or future health status, health care, or payment for health care of a person.”  Most experts would agree that a discussion between two parties that includes the mobile phone numbers of both participants (doctor and patient) with a clinical discussion is in fact PHI.
2. A text message sent with an iPhone is sent one of two ways.  If the recipient also has an iPhone, the message is routed through Apple’s iMessage service.  It is likely that iMessage is fully encrypted and meets HIPAA requirements.  On the other hand, if the recipient uses an Android or other device, the message is routed through the cellular carrier’s SMS or MMS service. The SMS and MMS services are not guaranteed to be encrypted, end-to-end, per HIPAA requirements.
3. Understanding intermediaries, which include the cell phone carriers, and in the case of iPhone to iPhone communications, Apple.  Cell phone carriers, due to a special exemption in the HIPAA regulations, are NOT HIPAA Business Associates.  Apple, however, as an intermediary involved in handling the data transfer, is a HIPAA Business Associate.  Apple’s current practice is not to sign a HIPAA Business Associate Agreement with iPhone users.  For users of IOS version 13, the End User License Agreement states “You agree to use the Apple Software and the Services . . . in compliance with all applicable laws, including local laws of the country or region in which you reside. . .”  Since HIPAA requires that you execute a HIPAA Business Associate Agreement with any Business Associate, and since Apple won’t sign such agreement, you are agreeing that you will not use the iPhone or its services to transmit PHI.
4. Apple phones can be configured to turn on without any authentication.  They also include multiple ways to authenticate, including passcodes, TouchID, and FaceID.  HIPAA requires that one of these methods be used, and if passcodes are used, that they be of an appropriate length.
5. iPhones maintain a record of texts, but the user can delete these at will.  So they are of limited value as an audit trail, which is required by HIPAA.
6. Other third parties – there is an additional Apple service — backup of the iPhone to the iCloud service – would store a copy of any text message.  HIPAA requires that the physician have a HIPAA Business Associate Agreement with any company providing such a service, and as we just discussed, Apple does not sign these agreements and the end-user has agreed that it won’t use the service for any purpose that is not legal.

So, we see that HIPAA has quite a few requirements regarding handling of electronic data, and texting, as commonplace as it has become, requires quite a few considerations.  Assuming that we agree that the message is PHI, the iPhone may not be used for texting due to problems with #2 (in the case of texting to Android users) and in all cases with #3.  While one could always disable backup to iCloud and avoid violating #6, the backup is a great feature that you shouldn’t disable.

The analysis for video conferences with FaceTime can be done, with some different results.  However, item #3 is the same, and the failure to have Apple under a HIPAA Business Associate Agreement is sufficient to disqualify the use of FaceTime for communications between a doctor and the patient.

What is the solution?  Check back for Part 2, which includes a review of some commercial services, which meet all HIPAA requirements, and therefore allow the use of texting and telemedicine between patients and doctors.