Many people wrongly believe that sending protected health information by ordinary email or text message is HIPAA compliant. It is not, and anyone currently using these methods for PHI is putting their organization at risk.
HIPAA regulations require that protected health information (PHI) remain private and be accessible only to authorized personnel. For transmitting PHI this means two things must be ensured. First, the PHI must be encrypted in transit, so that it stays private even when it crosses a public network such as the Internet. Second, the PHI must be readable only by the intended recipient, and not by any entity that is merely transporting it; in other words, the protection must be end to end, not just hop by hop.
A good example of a HIPAA compliant method of delivering PHI is the US Postal Service (snail mail). When a doctor mails a letter containing PHI to a patient, both criteria are met: the letter is in a sealed envelope, only the recipient breaks the seal, and so no one along the transport path, including the postal service itself, has access to the PHI.
With these criteria in mind, let's see why email and texting are not HIPAA compliant, starting with what actually happens when an email is sent. Suppose a physician, Dr. Jones at community hospital, with an email address like email@example.com, sends an email to a patient whose address is firstname.lastname@example.org, a Gmail account. Two email servers are involved in the transmission: one at community hospital and one at Gmail. When Dr. Jones sends the email, the email client on his computer or smartphone connects to the community hospital email server and hands the message to it. The community hospital server then looks up where the Gmail server is on the Internet and transmits the message to it using the Simple Mail Transfer Protocol (SMTP), the standard protocol for passing mail between servers. SMTP itself provides no encryption. Two servers can negotiate TLS for an individual hop (STARTTLS), but that protection is opportunistic: it is agreed hop by hop, it silently falls back to cleartext when the other side does not offer or complete it, and the sender has no way to require or verify it for the whole path. More importantly, even when every hop is encrypted, each server in the chain, and the recipient's provider in particular, decrypts the message and holds it in plaintext, so anyone with access to those servers can read it. Email therefore fails the second criterion regardless of transport encryption, and that is why messages sent via ordinary email are not secure and not HIPAA compliant.
The analogy would be mailing a letter without an envelope: anyone who handles the letter along the way can read its contents.
What if someone at community hospital emails someone else at community hospital? Is that HIPAA compliant? That depends on how the community hospital mail server is set up. If the server accepts only encrypted connections from its clients and never accepts unencrypted ones, the transmission may be HIPAA compliant, because the server never has to hand the message to an outside server and the communication stays internal. Note that the mail server and its mailboxes then hold the PHI in plaintext, so they become a PHI repository that must be covered by the organization's own HIPAA safeguards (access control, audit logging, backups). Even then, for anyone with a communityhospital.com email account, any message coming from or going to an outside server (that is, anyone without a communityhospital.com address) is not HIPAA compliant.
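To make the hop-by-hop picture concrete, here is an added example that is not part of the original page or MedTunnel's own code. It parses the Received: headers that each mail server stamps onto a message as it relays it, reports which hops were TLS-protected (the ESMTPS/ESMTPSA transmission types registered in RFC 3848) and which were cleartext, and lists every server that held the message in plaintext. The message, hostnames and addresses are constructed for the illustration.

```python
"""Trace the server hops an email passed through and flag which were not TLS-protected.

Added example, not part of the original page. The Received: headers below are
constructed for this illustration; hostnames and addresses are invented.
"""
import email
import re

# Constructed sample message: Dr. Jones's client submits to the hospital server,
# which relays to the recipient's inbound MX, which hands off to a mailstore.
# Each "Received:" line is stamped by the server named after "by", newest on top.
SAMPLE_RAW = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby mailstore.example.org with ESMTP id 3kq7Z1x9
\tfor <firstname.lastname@example.org>; Mon, 01 Jan 2024 10:00:07 +0000
Received: from mail.communityhospital.example (mail.communityhospital.example [203.0.113.21])
\tby mx.example.org with ESMTPS (TLS1.2) id 8hRt2PqL
\tfor <firstname.lastname@example.org>; Mon, 01 Jan 2024 10:00:05 +0000
Received: from drjones-laptop (unknown [192.0.2.44])
\tby mail.communityhospital.example with ESMTPSA id 5aB9cD
\tfor <firstname.lastname@example.org>; Mon, 01 Jan 2024 10:00:02 +0000
From: email@example.com
To: firstname.lastname@example.org
Subject: Lab results
Content-Type: text/plain; charset="us-ascii"

Your lab results are attached to the portal message.
"""

# RFC 5321 "Received:" clauses appear in the order from, by, via, with, id, for.
_HOP_RE = re.compile(r"^from\s+(\S+).*?\sby\s+(\S+)(?:.*?\swith\s+(\S+))?")


def hop_was_tls(with_token):
    """RFC 3848 registers ESMTPS / ESMTPSA for TLS-protected sessions; the
    trailing 'A' means the sender also authenticated. Anything else (SMTP,
    ESMTP, ESMTPA, LMTP, ...) was a cleartext session."""
    if with_token is None:
        return False
    return with_token.upper().rstrip("A").endswith("S")


def parse_received_chain(raw):
    """Return the hops in transmission order (first hop first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = _HOP_RE.match(flat)
        if not m:
            continue  # malformed or non-standard trace line; skip it
        src, dst, proto = m.groups()
        hops.append({"from": src, "by": dst, "with": proto, "tls": hop_was_tls(proto)})
    hops.reverse()  # headers are prepended, so the top one is the last hop
    return hops


def cleartext_hops(raw):
    """Servers that received the message over an unencrypted SMTP session."""
    return [h["by"] for h in parse_received_chain(raw) if not h["tls"]]


def plaintext_holders(hops):
    """Every receiving server terminates TLS and holds the full message in the
    clear, whether or not its inbound hop was encrypted. These are the parties
    that could read the PHI; with end-to-end encryption they would hold only
    ciphertext."""
    return [h["by"] for h in hops]


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_RAW)
    for i, h in enumerate(chain, 1):
        print(f"hop {i}: {h['from']} -> {h['by']} via {h['with']} "
              f"({'TLS' if h['tls'] else 'CLEARTEXT'})")
    print("cleartext hops:", cleartext_hops(SAMPLE_RAW))
    print("servers holding plaintext:", plaintext_holders(chain))
```

Run as a script, it prints the three hops. The final hop, from the recipient's inbound MX to its mailstore, is plain ESMTP with no TLS, and even the two TLS hops leave the hospital server and the recipient's MX holding the full plaintext; the sender controlled none of this and could not have verified any of it from the sending side.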
What about texting? Is texting HIPAA compliant? First, note that there are two types of text messages. The first is Short Message Service (SMS). SMS messages are handled by the cellular carriers; they have no end-to-end encryption, the carriers' message centers handle the text in the clear, personnel at the carriers can read them, and they are therefore not HIPAA compliant. The second type is sent through a messaging service such as Apple's iMessage. iMessage does encrypt messages in transport between Apple devices, but it falls back to ordinary SMS when the recipient is not an iMessage user, copies of conversations are included in iCloud backups, and Apple, which runs the iMessage servers, does not handle this information in a HIPAA compliant manner. It is for this reason that Apple states that iMessage is not HIPAA compliant.
But email and texting are very convenient, and for that reason many providers, even knowing these methods are not HIPAA compliant, still use them informally. With MedTunnel, a free service that works like email or texting but is HIPAA compliant, this is no longer necessary.
The main purpose of MedTunnel is to provide a free, HIPAA compliant, and secure service for transmitting protected health information (PHI) over the Internet. The core architecture of our product was designed to meet HIPAA and security guidelines: MedTunnel provides a secure conduit through the Internet for PHI transmission, and our security protocol is such that no one at MedTunnel, not even at the CEO level, can access PHI even if they wanted to.
Since MedTunnel acts only as a secure conduit for PHI transmission, has no access to any PHI, and does not permanently store any PHI, a HIPAA Business Associate Agreement is not required in order to use MedTunnel. For more detailed information regarding our security protocol and HIPAA regulations compliance, please see below.
Client transmission to server – when someone sends a message
Server transmission to client – when someone retrieves a sent message
Only the sending and receiving client applications have access to PHI. MedTunnel and the Independent Third Party cannot access PHI.