Text Messaging to Communicate With Public Health Audiences
How HIPAA Applies to Text Messaging
HIPAA is best known for the Privacy Rule, which applies to individual health care information in all forms, whether oral, paper, or electronic. But HIPAA also includes the Security Rule, which applies when health care information is electronic. Whereas the Privacy Rule defines the circumstances in which individual health care information may be disclosed, the Security Rule defines the requirements for making such disclosures in electronic form.
HIPAA Statutory and Regulatory Framework
Pursuant to congressional authorization, the US Department of Health and Human Services (HHS) issued the Privacy Rule and Security Rule to implement certain provisions of HIPAA. HHS issued the rules through a formal rulemaking process that included publication of proposed rules and a period of public comment before publication of the final rules. Congress provided for the rules to be enforced.
HHS has authority to enforce the rules, including investigating complaints and conducting compliance reviews. The HHS Web site contains information about complaints, investigations, and breaches but not in a format that allowed us to determine whether there have been enforcement actions or breaches involving text messaging.
Covered Entities and Their Business Associates
Not all health departments in possession of health care information are covered by the Privacy Rule and Security Rule. The rules apply only to "covered entities" and their "business associates." A covered entity is a health care provider who electronically submits health care information in connection with certain transactions, a health plan, or a health care clearinghouse. If an organization conducts functions that make it a covered entity but other functions that do not, it may elect to be a "hybrid entity" and place only its covered functions under the rules.
A business associate is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Our health department is a covered entity, so we are subject to the Privacy Rule and Security Rule.
Protected Information and the Privacy Rule
Under the Privacy Rule, individually identifiable information held by a covered entity about an individual's health care is confidential. The Privacy Rule broadly defines confidential information as information that
[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
In most contexts, this information is termed protected health information (PHI). The Privacy Rule applies to all PHI, whether electronic, paper, or oral. Under the Privacy Rule, an individual may authorize PHI to be disclosed. In addition, there are a variety of circumstances in which PHI may be disclosed without an individual's authorization, including in certain circumstances to protect public health.
The Privacy Rule came into play as we piloted our second-dose influenza text reminder service. Public Health—Seattle & King County conducts influenza vaccine clinics in which we provide free influenza vaccine to low-income or uninsured county residents. These clinics serve the dual purpose of increasing access to influenza vaccine and providing an opportunity to test Public Health—Seattle & King County's capacity to distribute vaccinations or other medicine rapidly to large numbers of people in the event of an emergency.
In November 2010, researchers conducted the daylong pilot project at 2 mass vaccination clinic settings in King County. The 1225 attendees included an ethnically and racially diverse group of adults and children. The department advertised the clinic through the media, community-based organizations, and flyers distributed in the community. Although most individuals require only a single dose of seasonal influenza vaccine, some children require a second dose 30 days after the first to become fully protected.
To help remind parents of children who required a second dose, we wanted to send them text messages 30 days after the flu clinic that clearly stated that it was time for their children to obtain the flu vaccine booster. Because we did not plan to hold a follow-up clinic, we needed to direct these parents to community resources. In this case, we referred parents to pharmacies and community clinics. Our draft message was as follows: "It's time for [child name]'s second dose of seasonal flu vaccine. Visit a pharmacy or clinic today for the booster to keep your child protected."
It is typically permissible to disclose information about a child's health care to his or her parents. When a patient is a minor, a covered entity usually may share PHI with parents or other legal representatives. The second-dose project presented this scenario: we wanted to disclose PHI to the child's parent or guardian, which was entirely permissible under the Privacy Rule. However, the information needed to be delivered in a secure manner per the Security Rule.
Electronic Information and the Security Rule
The Security Rule is different than the Privacy Rule. Even if a disclosure is permissible under the Privacy Rule—for example, when authorized by a patient or when necessary to protect public health—any disclosure that is electronic must be made in a manner that complies with the Security Rule. Electronic PHI is PHI that is "transmitted by electronic media" or "maintained in electronic media." Electronic media include "electronic storage media" and "transmission media used to exchange information already in electronic storage media."
We are not aware of case law or HHS guidance addressing whether text messages are subject to the Security Rule. In consultation with subject matter experts in our information technology, risk management, and legal departments, we concluded that a text message arguably is within the definition of electronic media because it involves data that exist in electronic form prior to transmission. In this way, transmission via a text message is different than transmission via telephone or facsimile. Because of this conclusion, we decided that, until there is authoritative guidance, we should proceed cautiously and assume that the Security Rule applies to text messages containing PHI. Consequently, to avoid triggering the Security Rule at all, we initially decided to use the approach of omitting PHI from our second-dose text messages.