By Adam H. Greene former Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT, now a partner in the Health IT/HIPAA practice of Davis Wright Tremaine.
On Sept. 19, 2011, the U.S. Department of Health and Human Services (HHS) announced recommendations from an internal Text4Health Task Force on ways in which HHS can best utilize text messaging to improve population health. One of the issues raised by the Task Force is the need for further research and guidance on the privacy and security of health text messaging.
The Text4Health Task Force (of which the author was a member while at HHS) recommends that HHS:
Develop and host an evidence-based text message library for use in a variety of text messaging programs, such as smoking cessation, emergency response/preparedness, early childhood health, maternal/child health, heart disease, diabetes, mental health, oral health and obesity;
- Research the effectiveness of health text messaging programs;
- Develop partnerships across government and non-governmental organizations for health texting initiatives;
- Improve coordination within HHS on texting initiatives;
- Integrate health text messaging with other health information technology initiatives;
- Conduct further research into the privacy and security risks associated with text messaging of health information and establish guidelines for managing such privacy and security issues; and
- Develop regulatory guidelines for the use of text messaging to treat, cure, mitigate, or prevent diseases or conditions.
On the privacy and security front, the Task Force’s recommendations provide a mixed message. Clearly, the current administration is embracing texting technology and believes that it holds great potential in the area of health care. However, HHS recognizes that there is still a great deal of ambiguity with respect to the privacy and security issues surrounding text messaging and the application of laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
For health care providers and those involved in mobile health technology, these recommendations mean that they need not completely foreclose the idea of using text messages to assist patients, and HHS supports novel technological initiatives to improve health, but organizations need to tread carefully until HHS conducts research into and publishes guidance on the privacy and security issues. Until such guidance comes, organizations that wish to create text messaging programs may want to thoroughly document their analyses of the privacy and security risks and consider whether there are technologies available to mitigate those risks.
More from Greene: When HIPAA applies to mobile apps