The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to regulate the use and disclosure of protected health information (PHI), which consists of "individually identifiable health information." HIPAA describes this information as any demographic information relating to a past or present health condition, to healthcare received, or to payment for healthcare, together with any identifiers such as name, address, birth date, and Social Security number.(1) HIPAA’s Security Rule sets specific security standards for the storage and transmission of electronic PHI and requires that it be safeguarded. Text messaging falls under this rule whenever it involves the transmission and/or storage of PHI. The Security Rule requires covered entities to conduct a thorough risk analysis identifying the threats to the confidentiality, integrity and availability of PHI. Some texting platform vendors advertise that they are HIPAA compliant, but they provide secure communication only within their own closed network; a message that leaves that network (for example, as an ordinary SMS to a patient's phone) is no longer protected by the platform.
FTC's CAN-SPAM Act of 2003
The Federal Trade Commission (FTC) enforces the CAN-SPAM Act, which was passed to protect the privacy of consumers. The law applies to commercial text messaging campaigns and requires that recipients are told how to opt out of receiving text messages and that opt-out requests are honored in a timely manner. Penalties for non-compliance can reach up to $16,000 per violation.
FCC's Telephone Consumer Protection Act
The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, was originally passed in 1991 and applies to text messaging. It has been modified several times; the most recent changes to the FCC's implementing rules took effect on October 16, 2013. However, the rules exempt certain healthcare-related calls. Check with your legal department or the FCC website for more information.
The American Recovery and Reinvestment Act of 2009 includes the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was written to promote the use of technology in healthcare and to ensure compliance with HIPAA rules. The HITECH Act increases the U.S. Department of Health and Human Services' ability to impose penalties for violations of HIPAA rules. Under the HITECH Act, penalties for violations have a maximum of $1.5 million per calendar year for violations of an identical provision, and a penalty cannot be waived for a violation the entity did not know about unless the violation is corrected within 30 days.(2)
FDA regulations on medical devices
The FDA published its Mobile Medical Application Guidance for Industry and Food and Drug Administration Staff on September 25, 2013. Although this document does not apply specifically to text messaging, researchers may benefit from being familiar with these guidelines and the FDA’s two regulatory approaches: “regulatory oversight” and “exercise enforcement discretion”. A mobile app that “controls a medical device or supplies patient-specific data to a medical device” will be regulated by the FDA. In contrast, a mobile app that “helps patients document, show, or communicate potential medical conditions to health care providers” would fall under the “exercise enforcement discretion” category, which means that the FDA does not intend to enforce the requirements of the Food, Drug & Cosmetic (FD&C) Act against it. Text messaging applications that allow health care providers to communicate with patients could potentially fall into this latter category. Note that enforcement discretion by the FDA is separate from the HIPAA obligations described above: an app that escapes FDA oversight still has to safeguard any PHI it carries.
- (1) U.S. Department of Health and Human Services. Summary of HIPAA (PDF).
- (2) U.S. Department of Health and Human Services. (2009). HHS Strengthens HIPAA Enforcement.
- (3) U.S. Food and Drug Administration. (2013). FDA issues final guidance on mobile medical apps.