In a world where everything is becoming increasingly instantaneous, communication is no different. In the healthcare industry, the importance of a message may mean workers choose ease of communication, like texting, over security. More and more, healthcare professionals are utilizing their mobile devices to support workflow. This can pose threats when the subject matter involves PHI.
Does Texting Violate HIPAA?
The language used in both the HIPAA Security and Privacy Rules is complicated, and this can lead to misunderstandings of how HIPAA applies to texting. Depending on the content and/or recipient of the text, and any mechanisms that may be in place to protect ePHI, text messages can be in compliance with HIPAA. However, where PHI or sensitive information is concerned, text messaging is not only inappropriate, but it breaks HIPAA Rules.
HIPAA does not directly address technology, like texting, with a specific protocol, but it does instruct each organization to outline a number of factors relative to ePHI, such as where it is stored, how it is accessed and how it is transmitted. It also implies that if information that could easily be encrypted is not encrypted, this could be viewed as willful negligence by the organization. Healthcare organizations and providers, of all shapes and sizes, must be up to date with the current guidelines in order to avoid violating HIPAA rules and incurring hefty fines and possible criminal charges. Just earlier this year, the Catholic Health Care Services had to pay a $650,000 HIPAA fine after the theft of an employee's iPhone in a business-associate related issue that resulted in the information of 412 nursing home residents being compromised.
Penalties for Violating HIPAA
HIPAA violation penalties can cost an organization, and not just financially. The Office for Civil Rights (OCR) has the power to issue fines or action plans to covered entities who have breached HIPAA regulations. The financial repercussions are supposed to act as a deterrent and are tiered relative to how much knowledge the covered entity had of the violation.
There are four core categories under the penalty structure, with fines attached to each:
Category 1: The covered entity was unaware of the violation, and it could not have been avoided even if reasonable measures had been taken to follow HIPAA Rules. Fines range from $100 per violation to $50,000.
Category 2: The covered entity should have been aware of the violation but could not have avoided it even with a reasonable level of care taken to meet HIPAA requirements. Fines may range from a minimum of $1,000 to $50,000 per violation.
Category 3: There was ‘willful neglect’ of HIPAA Rules by the covered entity, but an attempt was made to correct the violation. The minimum fine is $10,000 per violation and can be up to $50,000.
Category 4: Willful neglect as in Category 3, but where no attempt is made to remedy the violation.
The maximum financial penalty per violation, per year, is $1,500,000. Criminal penalties can range from one year up to ten years of imprisonment if the individual is punished for a HIPAA violation. However, these laws vary slightly between states.
A Secure Texting Solution
Lua offers a streamlined, open communication platform that provides all the benefits of texting in a secure, HIPAA compliant environment. There are many advantages to using a secure texting solution, and organizations can rest assured that HIPAA guidelines are being followed when communicating PHI and sensitive information.
Visit the Lua website for more information on HIPAA compliant messaging or to request a trial.