In Reply Dr Choi and Mr Intner raise several worthwhile considerations about text messaging security that highlight disparate interpretations of federal regulations but fail to show that SMS is explicitly prohibited by HIPAA.
Although secure messaging offers higher standards for information security, HIPAA is technology neutral and has no specific guidelines for security protocols. This neutrality, along with the “reasonably anticipated risk” standard, has allowed alphanumeric text pagers and fax machines, which are unencrypted and unsecure, to be the gold standard in health care telecommunication for decades. During that time, innumerable text pages and fax messages with protected health information have surely been lost, misdirected, or left unsecured, resulting in breaches. Yet little attention has been given to these unsecured communication forms. But now, with growing financial appeal and public attention, dozens of vendors have created a market for secure text messaging products. However, these products are not truly “HIPAA compliant” because there are no standards with which to comply.
Drolet BC. Security of Text Messaging in Clinical Care—Reply. JAMA. 2017;318(14):1396. doi:10.1001/jama.2017.12966
* * SCHEDULED MAINTENANCE * *
The JAMA Network Sites will be conducting routine maintenance from 10/20/2017 through 10/21/2017. During this window access to content and authentication may be intermittently available. The JAMA Store will be completely unavailable during the maintenance window.