Is texting of pictures HIPAA compliant?



  • So yea, I've posted before about how I support a small department in our org that is contracted with the state to help people apply for government benefits. We are not a healthcare provider and don't collect health information, but the state tells us we need to follow HIPAA because they do and they consider us a BA.

    Anyway, normally we have a small team in the field who sits with a client one on one to help them apply and as part of that process our staff needs to collect verifying documentation to send to the state including IDs such as driver's licenses, income verification records such as letters from Social Security, paystubs, etc. etc. During pre-pandemic times, the client would bring this with them to their appointment and our team member would scan it and send it securely right then and there over a VPN directly to the state.

    Since we can't meet one on one with people anymore, we are looking to change our process to help people over the phone, but we still need to collect these supporting documents. We have clients who are not tech savvy and barely know how to use a computer, but they do know how to text and they want to take a picture of their stuff and text it to us. So this doesn't seem to me that it would pass compliance muster, but I just thought I would throw it out here and see what others think and if you would have any other suggestions for how people could securely send us these documents. The thing is, we are looking for something that is super user friendly. Like I said, a lot of these people can barely work email and texting is really the only thing they know how to do.



  • No, no use of texting is HIPAA compliant, in any way. There is no encryption at all, no security. You'll generally get away with it because HIPAA has no teeth and the least secure options are generally given a free pass, but the use of texting or fax will always give a way for prosecution as they are blatant disregards for HIPAA and even more fundamental security.



  • @beta said in Is texting of pictures HIPAA compliant?:

    Like I said, a lot of these people can barely work email and texting is really the only thing they know how to do.

    Isn't email easier than texting, rather than harder? Or the same? In both cases you send a picture to an address, that's all. One uses a long string of numbers not meant for humans to understand, the other uses a friendly address specifically meant to make that easier.



  • @scottalanmiller said in Is texting of pictures HIPAA compliant?:

    No, no use of texting is HIPAA compliant, in any way. There is no encryption at all, no security. You'll generally get away with it because HIPAA has no teeth and the least secure options are generally given a free pass, but the use of texting or fax will always give a way for prosecution as they are blatant disregards for HIPAA and even more fundamental security.

    I'm sorry, Scott. You're wrong on at least two counts.

    1. HIPAA violations are $10,000 per violation. That is a cumulative number. Any file or data lost with any single file, or data that is exposed, will count for each item. A directory with 100 photos (which must include PII) would count as 100 violations, times 10,000 equaling $1,000,000.
    2. Photos and texts are fine. You can do video meetings (though I would suggest a more secure technology than Zoom) and even conference calls. The caveat for business is that any data transmitted which is not intentionally ephemeral, like a video meeting, must be captured. That means that all those texts and photos have to be copied into the patient record and since cell phones are inherently insecure, they will need some work to get secure. See section 164.316(b)(1) regarding data retention.

    You've diverged a little bit on the HIPAA security rule foundation (https://www.hhs.gov/hipaa/for-professionals/security/index.html). Part of the rules there allow a business to make decisions which may be insecure in order to allow business to continue, but those processes must be fixed once identified. In the case provided by @beta, I would suggest using MaaS360 since you can install to personal cell phones and partition personal from work data, and remotely wipe, force security policies, and encrypt as a rule. Most people won't want to install it on their phone once they read the waivers and warnings, and you'll wind up issuing work devices (which is actually better). Those devices, encrypted and locked, meet the data security requirements, and can have all the communications on a forced VPN. You only have to encrypt and secure what you have.

    Interestingly, if the photos don't include text, and there's no specifically identifying portion (like a face) or PII, then you can put those pics on the web. There's an entire subreddit for that: https://imgur.com/r/XRayPorn/. Without that allowance, doctors couldn't share and learn.

    Now, whether or not attending an OB/GYN via video call makes your wife a cam girl...? I'll leave that to you.



  • @Grey said in Is texting of pictures HIPAA compliant?:

    I'm sorry, Scott. You're wrong on at least two counts.

    HIPAA violations are $10,000 per violation. That is a cumulative number. Any file or data lost with any single file, or data that is exposed, will count for each item. A directory with 100 photos (which must include PII) would count as 100 violations, times 10,000 equaling $1,000,000.

    Yeah, but they are never, ever used. In the real world, HIPAA is useless and is used to bypass violations that would be otherwise prosecutable. HIPAA on paper sounds scary, but the actual HIPAA process is useless.



  • @Grey said in Is texting of pictures HIPAA compliant?:

    That means that all those texts and photos have to be copied into the patient record and since cell phones are inherently insecure, they will need some work to get secure. See section 164.316(b)(1) regarding data retention.

    Can't be done with texting. The mechanism by definition can't be secured. Texting doesn't imply cell phones, you can do without those and still text. But the data transmission is in the clear and a violation.



  • @Grey said in Is texting of pictures HIPAA compliant?:

    Part of the rules there allow a business to make decisions which may be insecure in order to allow business to continue, but those processes must be fixed once identified.

    Hence no teeth. Claim any level of incompetence or convenience and bypass any rule.



  • @scottalanmiller said in Is texting of pictures HIPAA compliant?:

    @Grey said in Is texting of pictures HIPAA compliant?:

    Part of the rules there allow a business to make decisions which may be insecure in order to allow business to continue, but those processes must be fixed once identified.

    Hence no teeth. Claim any level of incompetence or convenience and bypass any rule.

    This is why HIPAA is a removal of security, not an addition of it. Without HIPAA guidelines, companies aren't allowed to prioritize business over patient data. HIPAA is meant to protect the exposure of data, not prevent it. It makes it harder to sue civilly over a blatant exposure of data.



  • Have the users install Signal.
    https://www.signal.org/



  • @Pete-S said in Is texting of pictures HIPAA compliant?:

    Have the users install Signal.
    https://www.signal.org/

    Installing an app seems like way, way more work than just sending a picture via email. If the easiest thing is too hard, something harder is impossible.



  • @scottalanmiller Scott, I know it doesn't seem like a big difference ease of use re:email/texting, but to some of the people we serve, it really is. They may not even have an email address to start with and walking them through how to sign up for one, attach files, etc is a lot harder for them than just going to their text messages and putting in a phone number. I feel the same way, but it is a reality of the population we serve.

    We do have a 3rd party email filtering service that allows us to send encrypted emails (Zix) and my thinking was that probably our process should be that we send the client an email through that and then they can upload their documents and send it back to us through Zix. This requires the client to have an email though and for them to register for Zix when they first click the link we send them. Again, this doesn't sound like a lot, but given the population we serve, it can literally take an hour to walk someone through how to do this if they get it done at all.

    Texting photos of their stuff really is the easiest option for them, but I didn't think this was secure enough and was looking to see if I was correct. I tend to err on the side of being super secure if possible, but I don't want to put false limitations on us if they are not needed and interfere with helping people.



  • @scottalanmiller Yup exactly. Trying to get the client to install a separate app on their phone would be quite the challenge haha.



  • @beta said in Is texting of pictures HIPAA compliant?:

    @scottalanmiller Yup exactly. Trying to get the client to install a separate app on their phone would be quite the challenge haha.

    I figure neither of you have used the Signal app and don't know anything about it. Your loss.



  • @scottalanmiller said in Is texting of pictures HIPAA compliant?:

    @Grey said in Is texting of pictures HIPAA compliant?:

    Part of the rules there allow a business to make decisions which may be insecure in order to allow business to continue, but those processes must be fixed once identified.

    Hence no teeth. Claim any level of incompetence or convenience and bypass any rule.

    Bypassing the rules intentionally can still get you fined. Incompetence, as a defense, can only go so far. For example, systems that were implemented in 2000 would not have been secure, but by today's standards are laughable. A new system, like texting or photo submission, would violate the "data in transit" rule and this is literally your entire argument. You're so hung up on that that all I have to do is say "fax machine" to make you blow a gasket. The truth here is that businesses must accept data that's going to be insecure by nature, such as a fax, and are considered accepted practice. The only requirement from HIPAA is that the intended destination has a BA in place to accept PII.

    The 'data in transit' rule here would apply within the organization. If you have an opportunity to transmit securely to a BA partner, you should use something like SFTP. HIPAA doesn't have a rule for receiving from a patient since they don't have the resources to transmit securely, though the spirit of the document would suggest that every attempt is made.



  • @Grey said in Is texting of pictures HIPAA compliant?:

    You're so hung up on that that all I have to do is say "fax machine" to make you blow a gasket.

    This is the example I use all the time. Data in transit is supposed to be protected. Using fax or texting isn't just breaking the rules, it's flaunting that HIPAA can't do anything, ever, in the most dramatic, obvious, known to everyone way. To a point where a patient knowing it was allowed could still sue even without a HIPAA breach and the only defense would be "But HIPAA is so useless, we thought it protected us."



  • @Grey said in Is texting of pictures HIPAA compliant?:

    HIPAA doesn't have a rule for receiving from a patient since they don't have the resources to transmit securely, though the spirit of the document would suggest that every attempt is made.

    That's true, as long as the patient initiates it entirely voluntarily.



  • @Grey said in Is texting of pictures HIPAA compliant?:

    The truth here is that businesses must accept data that's going to be insecure by nature, such as a fax, and are considered accepted practice.

    "Accepted" solely because HIPAA allows it, not because the industry allows it. From an IT perspective, any data sent over fax is a breach. Only HIPAA makes us not consider it a breach.



  • @scottalanmiller said in Is texting of pictures HIPAA compliant?:

    @Grey said in Is texting of pictures HIPAA compliant?:

    Part of the rules there allow a business to make decisions which may be insecure in order to allow business to continue, but those processes must be fixed once identified.

    Hence no teeth. Claim any level of incompetence or convenience and bypass any rule.

    Yes, I'm sure every doc's office enjoys having a HIPAA audit. No doubt that the rehab facility for Scott Disick is throwing a party over their current violation.

    I've gone through these audits, and assisted the government agent in gathering requested data. There are tools to scan and identify problems. The HHS has plenty of teeth.



  • @scottalanmiller said in Is texting of pictures HIPAA compliant?:

    @scottalanmiller said in Is texting of pictures HIPAA compliant?:

    @Grey said in Is texting of pictures HIPAA compliant?:

    Part of the rules there allow a business to make decisions which may be insecure in order to allow business to continue, but those processes must be fixed once identified.

    Hence no teeth. Claim any level of incompetence or convenience and bypass any rule.

    This is why HIPAA is a removal of security, not an addition of it. Without HIPAA guidelines, companies aren't allowed to prioritize business over patient data. HIPAA is meant to protect the exposure of data, not prevent it. It makes it harder to sue civilly over a blatant exposure of data.

    Did you just...? You replied to yourself? I mean... Self-agreement is great but don't argue with the wrong self. Or something.





  • @scottalanmiller said in Is texting of pictures HIPAA compliant?:

    @Grey said in Is texting of pictures HIPAA compliant?:

    You're so hung up on that that all I have to do is say "fax machine" to make you blow a gasket.

    This is the example I use all the time. Data in transit is supposed to be protected. Using fax or texting isn't just breaking the rules, it's flaunting that HIPAA can't do anything, ever, in the most dramatic, obvious, known to everyone way. To a point where a patient knowing it was allowed could still sue even without a HIPAA breach and the only defense would be "But HIPAA is so useless, we thought it protected us."

    "fax machine!!!"

    🍿



  • @Grey said in Is texting of pictures HIPAA compliant?:

    The HHS has plenty of teeth.

    They really don't. They do these audits but EVERY doctor brags and flaunts their violations and not caring because HIPAA can't or doesn't touch them. It's a big joke. Yeah, once in a while you can find an example of someone so bad that they got caught. But for every story of things happening like they should, there are a hundred stories of people laughing at HIPAA for being useless and keeping them from having to meet minimum professional standards that they would otherwise be accountable to.



  • @Grey said in Is texting of pictures HIPAA compliant?:

    @beta https://www.wrcbtv.com/story/41974356/hipaa-and-texting-is-sending-a-message-compliant

    Thanks. So I think basically you and Scott are in agreement with MY particular situation, no? This would not be advisable and I should look for another way to have the documents sent to us. Or at the very least, it looks like we can inform the client that texting is not a secure form of communication, but if they want to do it they can? I have a feeling a lot of clients honestly wouldn't mind.



  • @Grey said in Is texting of pictures HIPAA compliant?:

    @beta https://www.wrcbtv.com/story/41974356/hipaa-and-texting-is-sending-a-message-compliant

    I like how they say "there are ways to make texting compliant" and instantly follow with the only obvious answers which are to stop texting and do something else.



  • @beta said in Is texting of pictures HIPAA compliant?:

    @Grey said in Is texting of pictures HIPAA compliant?:

    @beta https://www.wrcbtv.com/story/41974356/hipaa-and-texting-is-sending-a-message-compliant

    Thanks. So I think basically you and Scott are in agreement with MY particular situation, no? This would not be advisable and I should look for another way to have the documents sent to us. Or at the very least, it looks like we can inform the client that texting is not a secure form of communication, but if they want to do it they can? I have a feeling a lot of clients honestly wouldn't mind.

    Not advisable, but as long as the patient is aware and initiates it, should be okay.



  • While texting may pass a compliance check, we know it's not secure and can result in identity theft very easily even if not intercepted. It's going to sit on their phone probably indefinitely after they download it. Texting images doesn't always work. Many times I have had issues downloading images from texts.

    Encrypted email or providing web portal access is the way to go. Anyone with a smartphone has an email address, and for the few people that have flip phones or rotary dial phones they will likely need an email address to track their own government benefits and log in to government portals.



  • When I worked in Connecticut, employees at GE headquarters had their cell phones all hijacked by another company sharing their building and all of their texts (ALL of them) were captured and stored by another company (with conflicts of interest as well.) Any text sent to someone there was guaranteed to be not just intercepted, but stored. And they had no way to know because of the complete lack of security in texting.

