Why We Do Not Send Protected Health Information via SMS

At On Call Central, we take security and patient privacy seriously. One of the questions we frequently receive relates to the manner in which we send SMS notifications to providers. On Call Central SMS notifications are conspicuously free of protected health information (PHI) for one simple reason: sending PHI over SMS is illegal. While we grant that many answering services will (in our view, very foolishly) send providers SMS messages containing sensitive health information, it is almost certainly a HIPAA violation for them to do so. While many view the risk of jail time for violating HIPAA as being low, it is certainly not unheard of. Just ask this guy, this physician and two employees, this LPN, and this nurse. Not only is SMS an unencrypted protocol, but several other fundamental problems, ranging from network design and physical security to eavesdropping and interception risks, make SMS an entirely inappropriate means by which to transmit PHI. The smart folks over at qliqsoft have done an excellent job of summarizing exactly why SMS is not HIPAA compliant.

It’s worth understanding the penalties for knowingly violating HIPAA.

Per section 1177 of HIPAA, a person who knowingly

  • uses a unique health identifier, or causes one to be used;
  • obtains individually identifiable health information relating to an individual; or
  • discloses individually identifiable health information to another person;

is in violation of HIPAA regulations. Such persons are subject to the following penalties:

  • a fine of up to $50,000, or up to 1 year in prison, or both; (Class 6 Felony)
  • if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both; (Class 5 Felony)
  • if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine up to $250,000, or up to 10 years in prison, or both. (Class 4 Felony)
  • HIPAA also provides for civil fines to be imposed by the Secretary of DHHS “on any person” who violates a provision of it. The maximum is $100 for each violation, with the total amount not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year. (Class 3 Felony)

HIPAA violations are felonies that are tried in Federal court. As such, you can be stripped of the following rights if you are convicted of a HIPAA violation:

  • The right to vote
  • The right to run for office
  • The opportunity to serve in the military
  • The right to own or use a firearm

While the constraints imposed by HIPAA may be inconvenient, any rational person will agree that hearing about the details of Ms. Smith’s carpal tunnel via SMS isn’t something for which you should risk a felony charge.