
Telcoms Store SMS Text Message Details: Not HIPAA Compliant
By John Lynn
As an extension to my previous post called “Texting is Not HIPAA Secure,” I wanted to point out some data that Wired posted about telcoms’ SMS message retention policies.
The information was found in a Department of Justice document, and I believe it is a good illustration of why PHI should not be sent through traditional SMS text messaging. Here’s the chart that Wired created showing the major telcom providers’ record retention policies:
| | VERIZON | T-MOBILE | AT&T | SPRINT |
|---|---|---|---|---|
| TEXT MESSAGE DETAIL | 1 yr rolling | 2 yrs pre-paid, 5 yrs post-paid | 5-7 yrs post-paid | 1.5-2 yrs |
| TEXT MESSAGE CONTENT | 3-5 days | 0 days | 0 days | 0 days |
| IP SESSION INFORMATION | 1 yr rolling | 0 days | 0 days public IP, 3 days private IP | 60 days |
| IP DESTINATION INFORMATION | 90 days | 0 days | 3 days | 60 days |
| CALL DETAIL RECORDS | 1 yr rolling | 2 yrs pre-paid, 5 yrs post-paid | 5-7 yrs post-paid | 1.5-2 yrs |
| BILL COPIES (POST-PAID ONLY) | 3-5 yrs | 0 yrs | 5-7 yrs | 7 yrs |
The top 2 sections are the most important when it comes to secure text messaging. Last I checked, the telcom servers weren’t HIPAA secure. Not to mention, I can’t say I’ve seen a telcom provider sign a business associate agreement with a healthcare provider. Neither of these things is likely to ever happen.
The challenge is that text messaging is so valuable in healthcare. It’s such a simple and flexible way to communicate between doctors, nurses, staff, HIM, etc.
This is why I predict over the next year we’re going to see a huge uptick in adoption of secure text messaging by third parties. The technology is there. We just need more widespread adoption of it in healthcare.