Skip to main content
King County logo

Legal analysis: Read the latest analysis of the legal ramifications of sending protected health information, featured in the American Journal of Public Health:

Text Messaging to Communicate With Public Health Audiences: How the HIPAA Security Rule Affects Practice
Hilary N. Karasz, Amy Eiden, and Sharon Bogan. American Journal of Public Health: April 2013, Vol. 103, No. 4, pp. 617-622.

Abstract: Text messaging is a powerful communication tool for public health purposes, particularly because of the potential to customize messages to meet individuals’ needs. However, using text messaging to send personal health information requires analysis of laws addressing the protection of electronic health information.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is written with flexibility to account for changing technologies. In practice, however, the rule leads to uncertainty about how to make text messaging policy decisions.

Text messaging to send health information can be implemented in a public health setting through 2 possible approaches: restructuring text messages to remove personal health information and retaining limited personal health information in the message but conducting a risk analysis and satisfying other requirements to meet the HIPAA Security Rule.

Texting 101: Chapter 4

Implementing public health texting messaging: Some legal and logistical considerations.
Enlarge video.

Security concerns become particularly important when sending more sensitive health information via text message. What are the risks associated with the technology? How likely are these risks to occur? What are ways to mitigate these risks, particularly when sending sensitive health information? These are some of the questions the researchers explored.

For more information, please contact the authors by email: Hilary Karasz, Amy Eiden, Sharon Bogan


Text messaging for vaccine reminders

OVERVIEW: Investigators conducted a pilot project to learn about how to set up a texting program that could be utilized in the event of a public health emergency and to test people's willingness to participate in a texting program from Public Health. During a mass flu vaccination exercise, we asked parents of children who needed two doses of flu vaccine if they would like to receive a text message reminding them to return for a second dose of vaccine. Of parents whose children needed a second dose of vaccine, 84% opted in to the texting program in the first year of the pilot and 95% opted in during the second year.

Through the pilot project, researchers also explored issues of working with a text messaging vendor and uncovered many important legal issues related to using text messaging to communicate protected health information to the public

View the presentation on our pilot project from the 2011 Preparedness Summit held in Atlanta, GA in February 2011.

METHOD/PARTICIPANTS: We piloted the text messaging project at two mass vaccination exercises in the fall of 2010 and 2011. Educators utilized an algorithm to assess whether children receiving the flu shot at the mass vaccination exercise needed a second dose in thirty days. Parents were then asked if they wanted to receive a text message reminder and provided their cell phone number and whether they wanted a text message in Spanish or English. Researchers utilized a third-party texting vendor to send a text message reminder to those who opted-in to the program.

RESULTS: In year one of the pilot, 84% of parents whose children needed two doses of vaccine opted in to receive text messages. In year two, 95% of eligible parents opted in to the program.

RECOMMENDATIONS:

  • Explore health communication gaps within your health department and how texting might fill those gaps in efficient and effective ways.
  • You must get individuals' permission to send them text messages. Piggyback on other interactions with public health audiences to assess whether your particular audiences are interested in receiving text messages from Public Health and what kinds of messages they are interested in receiving.
  • Start small and expand. It takes some time to learn to write brief 160 character messages, to work with texting vendors and to train staff on sending text messages using texting systems. Start with a small program and then expand once you have some experience.

This pilot project also available in PDF format


Legal considerations for implementing text messaging for Public Health

Legal analysis: Read the latest analysis of the legal ramifications of sending protected health information, featured in the American Journal of Public Health:

Text Messaging to Communicate With Public Health Audiences: How the HIPAA Security Rule Affects Practice
Hilary N. Karasz, Amy Eiden, and Sharon Bogan. American Journal of Public Health: April 2013, Vol. 103, No. 4, pp. 617-622.


OVERVIEW: As public health professionals, one of our key roles is to provide credible, timely health information to the public. Text messaging is an important communication channel that public health departments should consider. However, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule raises issues regarding the use of text messaging in the context of public health practice.

Text messages that carry protected health information (PHI) are subject to the HIPAA Security Rule, which requires covered entities to conduct an assessment of the risks and vulnerabilities of electronic health information. To identify the legal issues that are relevant for health organizations that want to send PHI via text message, our research team:

  1. Identified the scope of the risk analysis,
  2. Evaluated the potential threats and vulnerabilities in proposed messages that contained protected heath information,
  3. Assessed current security measures that would apply to SMS,
  4. Determined the likelihood of a threat occurring,
  5. Assessed the potential impact on the individual and organization
  6. Identified mitigation strategies, and
  7. Documented the process.

METHOD/PARTICIPANTS: Researchers worked with the University of Washington's Center for Information Assurance and Cybersecurity to conduct a risk analysis of sending protected health information via SMS. Specifically, the risk analysis identified vulnerabilities that are under the control of a local health department, such as Public Health – Seattle & King County; are under medium control of a health department; and, are out of the control of a health department (such as vulnerabilities at the mobile phone carrier level).

RESULTS: The report identified the risks and vulnerability of sending PHI in two scenarios and several mitigation steps to reduce these risks.

RECOMMENDATIONS:

  • Determine if the message you are planning to send contains protected health information (PHI).
  • Assess if your health department is a covered entity and therefore subject to federal privacy and security laws.
  • Meet with legal teams within your department to conduct a risk analysis of using text messages to send PHI and to address all standards within the Federal HIPAA Security Rule.

This pilot project also available in PDF format