What Is the Security Rule? Why Does It Matter?

As public health professionals, one of our key roles is to provide credible, timely health information to the public. Text messaging is an important communication channel that public health departments should consider. However, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule raises issues regarding the use of text messaging in the context of public health practice.

Text messages that carry protected health information (PHI) are subject to the HIPAA Security Rule, which requires covered entities to conduct an assessment of the risks and vulnerabilities of electronic health information.

How We Assessed Risks and Vulnerabilities

A research team at Public Health - Seattle & King County took the following steps to identify the legal issues that are relevant for health organizations that want to send PHI via text message:

  • Identified the scope of the risk analysis
  • Evaluated the potential threats and vulnerabilities in proposed messages that contained protected health information
  • Assessed current security measures that would apply to SMS (the sending of 160-character messages over a cell phone or through a web-based interface to one or more cell phone recipients)
  • Determined the likelihood of a threat occurring
  • Assessed the potential impact on the individual and organization
  • Identified mitigation strategies
  • Documented the process
  • Wrote a policy to guide employees who want to use text messaging to reach the public (individuals who can opt in to receive general educational health promotion and prevention messages) and their clients (members of the public who present for mental or physical health care, including minors and adults receiving health care, social services, dental services and other health care services from an organization; clients/patients include deceased persons who have received care)

To see this policy and download a template, continue on to Developing a Policy.
