Who knew that a culture raised on TV would get so sucked into a medium called “texting?” Well, we did. And so did our clients! So let’s take a look at how texting fits into the HIPAA compliance picture.
First, we need to nail down what we’re talking about. Unlike “email,” the word “texting” has a somewhat vague meaning. If pressed to define it, many would say that texting just means using the classic texting technology called “SMS.” Others would disagree. Let’s break those concepts down.
What is “SMS?”
Classically, “texting” meant to send messages between mobile phones using a clever little technology called Short Message Service, or SMS. You may have heard of SMS. It refers to a very specific way of delivering text messages that was originally designed in the 1980s specifically with mobile services in mind.
Much like email, SMS was built before its designers imagined anyone using it for sensitive communications. It truly is a clever tech that, when you look under the hood, appears more like an engineering workaround than a deliberate communications method. It works great for its intended purpose, but it has no real security built into it to maintain confidentiality.
Funny enough, though, I’m sure no one ever says, “I’ll SMS you later.” We say, “I’ll text you later.” And the meaning of that phrase is surprisingly non-specific.
What is “Texting?”
To explain this one, we’ll start with the term, “messaging.” Messaging is a very generic term that refers to any mechanism of sending messages back and forth. Email and SMS are both telecommunications protocols that are used to do messaging, for example.
“Texting,” in today’s parlance, usually means messaging in the form of short, often informally written, messages using a mobile device.
We typically imagine texts as associated with mobile phones, be they smartphones or more classic cellular phones. This is true despite the fact that the same messaging tech, including SMS messaging, can be used from any Internet-connected computer.
The idea of “texting” is that it can be done quickly, possibly using just one hand. People in the exchange can fire off messages quickly and read them even more quickly.
Adept texters can have a conversation almost as quickly as if they were speaking on the phone. The difference is that texting is asynchronous, which allows texters to engage in their messaging conversation while doing something else by means of switching their attention back and forth between the conversation and the other task(s.) Although mental health professionals can identify a wealth of health and safety concerns associated with this style of conversation, it is nevertheless preferred by a large number of people in the industrialized world.
Now that we know what SMS, texting and messaging are, let’s explore the landscape of technologies we use for for texting.
SMS vs. Proprietary Messaging Apps
When we text using classic cellular phones (i.e. not smartphones) or using the basic texting feature of Android and Windows smartphones, we are using SMS to exchange our texts. It’s a different story, however, when we use apps, or when we use the basic texting feature on iPhones.
iPhone texting defaults to using Apple’s proprietary messaging app called iMessage. iMessage can be used on iPhones, iPads, and any kind of computer.
A proprietary app is one that is privately owned and privately controlled. Apple is the owner of iMessage, and has full control over the software, the network that moves information for it, and the servers that store information for it. In other words, iPhone users put their trust in Apple to handle the information responsibly. In return, those users receive whatever benefits Apple can provide in the form of useful features for the messaging service.
When two iPhones text each other, they do so through iMessage. In other words, all the text messages are facilitated entirely by Apple’s proprietary messaging service using Apple’s company network and servers. You know this is happening on an iPhone when the messages sent are colored blue. iMessage also allows people on computers and tablets to exchange texts with iPhones.
When iPhones text with non-iPhones (e.g. Android phones, classic cell phones, etc.), they use SMS. In other words, those messages are facilitated entirely by the phone companies that service each person’s phone, using both of those phone companies’ networks and servers (Apple’s network is not involved.) You know this is happening on an iPhone when the messages sent are colored green.
The iPhone gives us an example of how texting is not limited to SMS, but it isn’t the only example of how people today text over a variety of messaging services.
At the time of writing, these messaging apps are all popular ways to accomplish texting on smartphones. Unlike SMS, they can also be easily used on tablets and computers:
- Facebook Messenger
- Other social network direct messaging (e.g. Direct messages through Twitter, Venmo, Tinder, Grindr, etc.)
Only one of the apps on that list can provide what we need for HIPAA compliance (we’ll reveal which one below.)
Because all these apps are entirely managed by a particular company, we rely on those companies to handle our information responsibly and to provide the features we need to maintain our HIPAA compliance and ethical standards.
When we exchange SMS messages, we are relying on our phone company and the client’s phone company to handle the information responsibly. There isn’t just one company involved, which can sometimes give us more freedom of choice.
Texting and HIPAA/Ethics
From HIPAA’s perspective, there is little real difference between email and texting. Any time protected health information is sent across the Internet, it will be subject to HIPAA’s Transmission Security standard. (Health and Human Services, 2005) Most professional ethics codes also mandate transmission security. See our article on non-secure messaging for detailed citations.
This is one reason why it’s useful to think about the idea of messaging. Any tech that sends messages across the Internet is a kind of messaging and is subject to transmission security standards from HIPAA, ethics codes, and any other standard. Email, SMS, and all kinds of texting apps do exactly that.
Similarly, when a third party holds, sends, or receives protected health information for us, they are subject to HIPAA’s Business Associate rule. (Health and Human Services, 2005) See our article on Business Associates for details.
Although SMS does not rely on proprietary apps under the control of specific companies, it also does not provide any security measures that protect the confidentiality of SMS messages as they pass across the Internet (e.g. encryption.) If we as a global society wanted secure SMS, we could accomplish that. We don’t have it at the moment, however. As such, SMS is really only usable by ethical and HIPAA-compliant US healthcare professionals in contexts where non-secure messaging is acceptable. See our article on non-secure messaging for further information.
So it seems that when we absolutely have to have that transmission security piece taken care of in our texting service, we have to turn to those proprietary apps.
The advantage of controlling the whole messaging process within one company is that the company can simplify complicated processes like encryption. There’s no need for any time-consuming login rigmaroles like we get with “encrypted email” services. The company’s software can take care of all that under the hood.
The disadvantage is that we have to fully trust the company to manage our protected health information for us in a responsible and HIPAA-secure manner. And we have to trust them to do so in the future, as well. In order to do that, we at the very least need one of these two things to be true about our relationship with the company:
- The company executes a HIPAA Business Associate agreement with us, or…
- The manner in which the company handles our information qualifies them for the conduit exception from the Business Associate Rule. An investigation of the company also must leave us confident that they will continue to provide secure and reliable services that meet our needs going forward. (If you need help with this process, it is one of the services we provide as part of Person-Centered Tech Support.)
Proprietary Apps That Work
It’s interesting to note that the Joint Commission (a US organization that accredits medical programs) recently lifted a ban on medical providers’ texting orders for patient care because of the emerging availability of good quality, secure proprietary texting apps. (Join Commission, 2016) Their announcement listed the features that the commission requires these apps to have, and we believe the following features from that list should be considered by mental health clinicians who wish to adopt a proprietary texting app for work with clients:
- Secure sign-on process.
- Encrypted messaging.
- Delivery and read receipts. This means the app will tell everyone in the conversation when messages have been successfully delivered and when they have been seen by the recipient. Most proprietary texting apps do this.
- Date and time stamp.
The following item from the Joint Commission’s list of desirable features seems better suited to their need, which is to safely send orders from providers to medical team members. While therapists in communication with clients can make use of this feature if managed carefully (more below), we don’t recommend it as something you require in your texting apps.
- Customized message retention time frames. This means that the app can destroy messages after a certain period of time, and that you are able to change what that timeframe is. You need to be careful with this one, and you may be able to safely skip this feature.
Here are some examples of proprietary texting apps that provide Business Associate Agreements and are generally designed to meet the quality and security needs of healthcare providers:
- Qliqsoft (Free version available!) (Also: they only provide BAAs to those who ask. Out of an abundance of caution, we recommend asking for one.)
- Vinitial. Vinitial has the advantage of being designed for therapist-patient interaction, and many clinicians and clients may find it easier to use than other options on this list.
So those are some apps that do the BAA thing. But what about all those post-Snowden apps that are designed for privacy from government spying? If they can protect us from the government, then surely they can keep our PHI confidential, right? And a consistent feature of these apps is that they prevent the company that owns them from seeing our messages. So they should qualify as conduits under the HIPAA Business Associate Rule, right?
There are two important differences between HIPAA-secure apps and typical “government-resistant” apps.
- Government-resistant apps often accomplish their ends by destroying messages after some period of time. While this can be desirable if done properly, it can also prevent you from being able to properly document your exchanges with clients. Remember that healthcare security isn’t just about keeping information confidential — it’s also about keeping it safe and available all the way up until that day when it’s legal to destroy a client’s records. If you can manage a reliable and consistent way to make sure you retain messages before they’re destroyed, of course, then this problem will be solved.
- While these apps always work to keep the contents of your messages private even from the company providing the app, many of them still retain records about who exchanged messages with whom. This is called “metadata.” Any company that maintains your messaging metadata is, according to HIPAA, maintaining protected health information on your behalf. As such, you would be required to get a Business Associate Agreement with the provider.(For those who’ve been wondering about WhatsApp: while it does provide end-to-end encryption, it also maintains your metadata. As such, WhatsApp would have to execute a BAA with you to be HIPAA-secure. Since they don’t do that, WhatsApp is out of the HIPAA race!)
So are there any simple, fully free, fully conduit exception-qualifying, Joint Commission quality features-having texting apps out there? We know of one:
- Signal, from Open Whisper Systems. Signal does not collect metadata, it encrypts from end-to-end, and it has all the quality features on our list above. What’s more, Open Whisper Systems is a community-funded company that only produces Open Source software for the purpose of providing service to the world community. They are endorsed by numerous giants in the American security world, including Bruce Schneier and Edward Snowden. Note that Signal recently added the ability to set messages to destroy themselves after they’re read. You need to ask clients not to use this feature, since documenting messages is important.
Before we close this section, it is vital to consider that every app we’ve discussed here requires a smartphone to use. While most therapists have the means to buy and maintain smartphones, not everyone we serve does (yet.) This should be taken into consideration when working with each individual client. See our article on non-secure messaging for further discussion.