As IT professionals working in the healthcare sector, this raises a number of important questions: If this is the case, how does texting work in regard to HIPAA—Is it a violation to send a text message to a covered entity? Is it a violation to receive a text message from a covered entity? Can patients communicate with the covered entity by text if desired?
Unfortunately, there is no simple yes or no answer to these questions. Performing a mobile device risk analysis is your starting point. If you are not ready (or capable) to do this, you will never be able to answer this question with any confidence. According to the Department of Health and Human Services, the answer depends on whether the communication is encrypted using a third-party messaging solution as well as the results of your mobile device risk assessment.
A mobile device risk assessment needs to be undertaken for all the covered entities network(s) to understand what is at stake. If you want to know where to start, here are five steps the Government recommends you need to take to perform a full mobile device risk assessment:
This link offers more detailed insight to help you in further understanding, deciding, identifying, assessing, developing, documenting, implementing, and finally, training providers and health professionals in the proper way to use and protect these devices.
If you want to do any further reading around this topic, a great starting point is this link about mobile devices (computers) and HIPAA [Federal Register volume 78 No.17 Final Rule 164.524 (c)(3)].
Jeff Hardee is U.S. ServiceDesk Sales Engineer at SolarWinds MSP.
© 2017 SolarWinds MSP UK Ltd. All rights reserved.