The New HIPAA Rule: The Ticking Time-Bomb of Unsecured Text Messaging

On Sept. 23, 2013, the compliance deadline arrived for the final HIPAA omnibus rule, which amended the privacy, security, breach notification and enforcement rules. HHS raised the bar to protect patient privacy, and hospitals can expect greater HIPAA compliance scrutiny. One type of communication that is expected to come under the microscope is unsecured texting of protected health information.

Close to 90 percent of physicians use smartphones in the workplace, and, despite the best efforts of hospital executives to prohibit unsecured texting of PHI, the use of unsecured texting is rife.

As a maker of the secure, HIPAA-compliant texting solution Practice Unite®, our mission is to help hospital systems deliver better care more efficiently while protecting patient privacy. We hope the following short review of the issues surrounding the new HIPAA rule provides guidance regarding the steps healthcare leaders can take to improve their hospitals' compliance and reduce risk.

The final rule's effect on PHI sent by unsecured mobile messaging, summarized below, should be addressed urgently.

Texting PHI over an unsecured channel can violate the Security Rule and, where the PHI is impermissibly disclosed, constitute a breach; both carry significant penalties. Civil penalties are tiered by the level of culpability, with the highest tier reserved for willful neglect. A violation due to willful neglect that is not corrected carries a minimum penalty of $50,000 per violation, and penalties for identical violations are capped at $1.5 million per calendar year. Hospitals and their workforces should expect to be judged against the higher tiers, because they know, or reasonably should know, what the law requires.

The new rule does not narrow the definition of protected health information, which covers any individually identifiable health information a covered entity creates, receives, maintains or transmits, in any form or medium, including a text message. What your workforce may have considered "safe" to send via text may not be safe: a patient name paired with a room number, a diagnosis or an appointment is PHI. There is no such thing as a "safe" text if it relates to an identifiable patient.

If you are aware unsecured texting is happening, you have a heightened responsibility to investigate and report. The final rule directs HHS to investigate any complaint whose preliminary review indicates a possible violation due to willful neglect, and to impose a penalty where willful neglect is found. The HITECH Act also provides that a breach is treated as discovered by a covered entity or business associate on the first day it is known, or by exercising reasonable diligence would have been known, to "any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate."

Until now, under the interim breach notification rule, an impermissible disclosure such as an unsecured text had to be reported only if you concluded it posed a significant risk of financial, reputational or other harm to the individual. The final rule replaces that test: an impermissible use or disclosure of PHI is now presumed to be a breach unless the covered entity can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised.

The new rule requires covered entities to develop and document policies and procedures. These policies should include a listing of the sanctions for failure to comply. Does the hospital have policies and procedures in place to prevent unsecured texting of PHI?

The rule emphasizes the importance of ensuring that all workforce members are appropriately trained and knowledgeable about what constitutes a breach and how to file a complaint. The hospital's workforce needs to know the policies and procedures regarding possible breaches of unsecured protected health information. Do your providers and your staff know unsecured texting of PHI is strictly prohibited and how to file a complaint?

The final rule also requires covered entities to give an individual who requests it an electronic copy of PHI that is maintained electronically, within 30 days (one 30-day extension is permitted). Responding to an individual's request for information about a breach of his or her PHI likewise requires a record of the communication in question.

This can be an onerous challenge. If the message was sent by unsecured text, the hospital will have to obtain the texting records of every party involved, from their personal phones or their mobile carriers, none of which the hospital controls.

Fortunately, secure texting solutions allow providers to view a report of a conversation in minutes. For example, all hospital staff members need to do is run a report through a simple, secure reporting tool to obtain a complete record of the conversation in question.

What can hospital leaders do to better protect patient privacy and lower their risk of HIPAA penalties associated with unsecure texting of PHI?

1. Assess risk now. Hospital and health system leaders should evaluate whether they have the right policies and procedures in place, and how well providers and staff understand that unsecured texting of PHI is prohibited.

2. Inform providers and staff now. Let medical and nursing staff know as soon as possible that unsecured texting of PHI is absolutely prohibited, with no exceptions. They need to know that each unsecured text containing PHI can count as a separate violation, with penalties of up to $50,000 per violation.

3. Provide an alternative. There are many secure texting solutions on the market that support HIPAA compliance. These solutions make it simple to provide your staff with an encrypted texting application; messages should be encrypted in transit and at rest and tied to authenticated users, and PHI encrypted in accordance with HHS guidance is "secured," so the loss of an encrypted message or device does not by itself trigger breach notification. Because the vendor handles PHI on the hospital's behalf, it is a business associate and must sign a business associate agreement. We suggest that health systems take advantage of the opportunity to provide users with more than just texting. For example, Practice Unite allows users to find each other, consultants and hospital services easily, send consults, schedule procedures, communicate system-wide and receive targeted hospital news.

4. Ensure adoption. In our estimate, less than 20 percent of U.S. healthcare systems have deployed a secure texting solution. Moreover, successfully lowering risk requires an aggressive plan to ensure adoption, because every provider who keeps using ordinary SMS leaves the exposure in place. When selecting a vendor, ask how it will support deployment and adoption. For example, does it provide marketing support to drive adoption and usage, and an account manager to engage directly with providers and staff?

5. Be able to report easily. Determine how quickly and efficiently the hospital or health system can meet the law's notification requirements. If executives believe a breach may have occurred, how quickly can they gather and analyze the communications records needed for the risk assessment?

On Sept. 23, the stakes involved with protecting patient privacy became significantly greater. We strongly encourage healthcare leaders to assess the risks posed by unsecured texting of PHI, investigate ways to protect their patients’ privacy and implement a solution to protect their healthcare systems. If they are already taking steps to implement a secure texting solution, we encourage them to move ahead without delay.

For further information, visit, or contact Dr. Hochron at

Disclaimer: This review is for educational and marketing purposes only, and should not be considered legal advice, which can only be provided by a qualified attorney who is knowledgeable in the area of health law.

Stuart Hochron received his MD degree from New York Medical College and his JD degree from Rutgers Law School. He is a clinical professor in the department of medicine at Rutgers UMDNJ Medical School, is board certified in internal medicine and pulmonary medicine and has co-authored more than fifteen scientific articles in the field of respiratory physiology. Dr. Hochron lectures extensively to physicians, medical students and law students on best practices in the field of risk management and on the value of maximizing the physician-hospital relationship. He founded a law firm that specialized in advising hospital systems and healthcare providers. His efforts resulted in the creation of physician-hospital joint ventures and multi-specialty medical group practices. His goal, and that of Navio Health, is to introduce proven business tools that empower relationship management to increasingly complex and difficult to coordinate healthcare systems.


Copyright © 2024 Becker's Healthcare. All Rights Reserved.
