This article first appeared on mHealthNews on December 18, 2013.


As the demand for mobile health solutions grows exponentially, seemingly in line with the rapidly expanding capabilities of smartphones, you would think that ‘archaic’ technology such as SMS would be on the wane. The truth is far from it.

Mobile health providers who have traditionally focused on SMS-based services such as Voxiva – the SMS pioneers who four years ago launched the groundbreaking Text4baby service – are continuing to see rapid growth with their text-based services. Other mobile health solution providers who use mobile applications are starting to add SMS to broaden their reach. And for several years now the Department of Health and Human Services has run a dedicated initiative called Text4health, focused on providing text-based health applications.

So what makes SMS sometimes a preferable option to the richer interfaces offered by a mobile app or mobile web solution?

First, it’s the sheer ubiquity of SMS. Literally, 100 percent of mobile phones now come SMS-enabled. Most post-paid mobile users now have unlimited texting in their plan. And with 1 in 3 mobile users opting for prepaid devices, which often do not support mobile apps, even these now typically come with a bundled text messaging package. This makes texting cheaper than it has ever been. And that is particularly important because the segment of the population most in need of mobile health solutions is typically the one that can least afford them.

Add to that the complexity and cost of developing multiple applications for iOS, Android, Windows and Blackberry in order to reach only a percentage of the population, and the rationale starts to become clearer.

But developing text-based applications is not without its challenges. In the United States, communication is restricted to 160 characters per message (140 in Canada), and there are cumbersome carrier requirements to which text programs must adhere. Security is also cited as a concern. Message content cannot be encrypted without downloading an application to the device that imposes many of the same previously mentioned constraints inherent in a mobile app.

So does this mean that text-based applications should not be used in mHealth?

A study published earlier this year in the American Journal of Public Health (AJPH) by Hilary N. Karasz, PhD, Amy Eiden, JD, and Sharon Bogan, MPH, titled “Text Messaging to Communicate With Public Health Audiences: How the HIPAA Security Rule Affects Practice” looked at whether text messaging could be used effectively for public health purposes while remaining compliant with the HIPAA Security Rule. The study concluded that “Text messaging to send health information can be implemented in a public health setting through 2 possible approaches: restructuring text messages to remove personal health information and retaining limited personal health information in the message but conducting a risk analysis and satisfying other requirements to meet the HIPAA Security Rule.”

The specific requirement they refer to in the security rule is the need to meet encryption standards for the transmission of electronic Protected Health Information (ePHI), which are defined as being “addressable” rather than “required.” But the term “addressable” should not be mistaken as meaning optional. Rather, it means the standard should be implemented if reasonable and appropriate. Where it is not reasonable and appropriate, the solution provider must document why it is not and implement any reasonable alternative security measure.

According to Adam H. Greene, JD, MPH, a HIPAA attorney at the law firm Davis Wright Tremaine, “For a HIPAA-covered entity or business associate to transmit ePHI through SMS the entity should identify whether encryption would be reasonable and appropriate and, if not, document why not and whether there are reasonable alternative security measures. For example, in the case of texting ePHI that would cause minimal harm if obtained by unauthorized persons, the entity can document that encryption is not reasonable and appropriate. In contrast, it may not be appropriate to send particularly sensitive ePHI through SMS.”

Despite this, there remains a prevalent misconception within the healthcare industry that text messaging in general is not HIPAA-compliant. And this is resulting in some mHealth solution providers shying away from text messaging because it is simply too hard to persuade healthcare officials that the benefits outweigh any potential risk. Infield Health is a case in point. Despite a recent study published in the scientific journal “Computers, Informatics, Nursing” which showed that through the use of Infield Health’s text-based HealthySteps app participants lost an average of 4.5 pounds more in a 12-week period than those who were left to their own volition, Infield Health is moving away from providing SMS-based solutions.

“There’s a view among the healthcare providers we work with that SMS isn’t allowed under HIPAA,” said Doug Naegele, Infield Health’s president, “and whether that’s a real or perceived threat, that single perception takes SMS off the table. And that’s unfortunate because it keeps a proven health intervention out of the hands of a lot of patients.”

Infield Health is not alone. Many companies that continue to offer SMS-based mHealth solutions face an uphill battle trying to persuade the industry that the likelihood and impact of any possible breach pales in comparison to the health benefits that can be gained, and as a result are at pains to demonstrate how they avoid sending sensitive data to the device.

“The reality is that SMS text messaging is one of the most personal and private means of communications available, and there is no reason to think it is any less secure than traditional modes such as voice, email, and print,” says Scott Werntz, president of Agile Health. “There are many ways you can ensure that SMS communications stay within the bounds of established security norms. For example, if you’re helping program participants develop healthy habits like regularly monitoring their blood glucose levels, you can use SMS messages to directly link them to secure online tools to provide their glucose values.”
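As an added illustration (not code from the article or from any company it names), here is one way to build the kind of message described above: the SMS carries only a link with an opaque, expiring token, fits the 160-character limit mentioned earlier, and is refused if its text names health data. The portal URL, participant ID format, key handling and screening terms are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import string

SMS_LIMIT = 160  # per-message limit the article cites for the United States
# Constructed screening list; a real program derives its own from its risk analysis.
PHI_TERMS = ("glucose", "insulin", "diabetes", "mg/dl")
# Conservative character set that fits a single 7-bit SMS (assumption: GSM 7-bit encoding).
SAFE_CHARS = set(string.ascii_letters + string.digits + " .,:/-?!'")


def _mac(key: bytes, participant_id: str, nonce: str, expiry: str) -> str:
    msg = f"{participant_id}|{nonce}|{expiry}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def make_token(key: bytes, participant_id: str, now: int, ttl: int = 900) -> str:
    """Opaque link token: random nonce, expiry, and a MAC tying both to one participant.
    The participant ID is covered by the MAC but never placed in the SMS."""
    nonce, expiry = secrets.token_hex(8), str(now + ttl)
    return f"{nonce}.{expiry}.{_mac(key, participant_id, nonce, expiry)}"


def verify_token(key: bytes, participant_id: str, token: str, now: int) -> bool:
    """Portal-side check (hypothetical portal), run after the participant has logged in."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdecimal():
        return False
    nonce, expiry, mac = parts
    expected = _mac(key, participant_id, nonce, expiry)
    return hmac.compare_digest(mac.encode(), expected.encode()) and now <= int(expiry)


def compose_sms(template: str, link: str) -> str:
    """Fill {link} into the template; refuse text that names health data or will not fit."""
    body = template.format(link=link)
    leaked = [t for t in PHI_TERMS if t in body.lower()]
    if leaked:
        raise ValueError(f"message names health data: {leaked}")
    if len(body) > SMS_LIMIT or not set(body) <= SAFE_CHARS:
        raise ValueError("message exceeds one SMS or uses characters outside the safe set")
    return body
```

The glucose value itself is entered on the portal over an authenticated session, so an intercepted or overlooked text reveals only that a check-in link was sent.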

Another approach is to break the information into separate nondescript messages. For example, a text containing a user’s blood glucose level could be sent as nothing more than a number, which on its own means nothing. Only by viewing the entire string of text messages would the data make any sense.

Of course that risk still exists, but how big is it really? There have been reported cases of cell cloning or text interception, but whoever was trying to intercept the data would not only need the equipment and knowledge to do this but would also need to be physically located near the cell tower and the user at the exact time the message was being sent. Not to mention that illicitly intercepting telecommunication services is illegal. And even if someone did go to all that effort, the most they would get would be the information for a single user.

More likely, the texts are read by a family member or a friend who may have access to the recipient’s mobile device. But why is that any different from that same family member reading a letter or an e-mail that has been left unsecured? Surely it is the recipient’s responsibility to safeguard the data they have requested be sent to them, whether this be by mail, e-mail or SMS. When the text arrives on the user’s mobile device it has at that point entered his or her custody, so it is reasonable to assume he or she should be responsible for protecting it.

Like all new technologies, or old ones used in a new way, the initial reaction is often one of concern. But if we can get past this reticence we will see that while technology might change, precedents can normally still be found that can be appropriately applied. And the use of SMS is no different. While you cannot fully eliminate the risk of a breach, it needs to be placed in context and assessed against the potential benefits. And a quick review of the OCR data breach list suggests our attentions may be more appropriately directed towards other areas of more likely concern.

Grant Elliott is the founder and CEO of Ostendio.