Conduct a risk analysis and manage the risks
Conducting a thorough analysis of all potential risks to the privacy of PHI will help you understand the specific measures you should take to safeguard information. These measures may be at the administrative level, the physical level, or the technical level. At the administrative level, covered entities must create policies and procedures for the prevention of security violations, and a continual monitoring process to ensure the continued protection of PHI. Physical access to PHI must also be secured, including access to facilities and systems on which health information is stored. Additionally, the disposal of storage systems and data must be controlled. At the technical level, controls should protect the access to PHI, such as the use of passwords or encryption. An excellent example of a comprehensive risk assessment done for the Project Health Design, Breath Easy research study
Exclude protected health information from messages
Sending private health-related messages to an individual cell phone is complicated because the owner of the phone is identifiable. In other words, if the owner of the phone can be identified, anything sent to that phone is also identifiable. One option for avoiding HIPAA compliance issues is to exclude individually identifiable health information from all text message communication. You might send out generic, “unidentifiable” text messages or messages may be sent in a code pre-established by the two communicating parties.
Verify the user's identity
Verifying the recipient of a text message can protect PHI from being disclosed to the wrong person. You may direct the recipient to access a secure website where they enter a password to see their message or direct the recipient to call in directly and speak with a member of the research team, or their personal physician, as warranted for your scenario.
Use only secure vendors
If your text messaging system is physically located within your organization, your organization is responsible for all security measures to protect stored PHI. However, you may choose to use a third party vendor to distribute and manage your text messaging. Many vendors have built-in security features that will protect information.
Institutional review boards
Institutional Review Boards (IRB) oversee the use of human subjects in research projects. We recommend consulting with the IRB at your institution. IRBs must comply with the U.S. Department of Health and Human Services requirements regarding the use of human subjects in research regarding the risks to, and the selection, consent, privacy, and protection of human subjects. A list of regulations is available at the U.S. Department of Health and Human Services website.