APPENDIX TO POLICY
Cellular Text Messaging of Limited ePHI with Research Participants
Use of cellular text messaging (SMS / MMS / RCS) for communication of ePHI is discouraged. Mobile devices and text communications are always subject to risk: devices can be lost or stolen, text messages can be sent to the wrong phone number or person, and standard SMS messages are not end-to-end encrypted, so their content is visible to the carriers that relay them. Use alternate, more secure forms of communication whenever possible.
In some situations, cellular text communication may be preferred by research participants. Before using text messages to communicate ePHI, you must ensure that your use of mobile devices and message content meets the guidelines contained in this appendix.
This policy covers only text-only cellular messages sent using the SMS, MMS, and RCS protocols. Sending images, video, or any other non-text content, and using any other protocol, is prohibited for ePHI. The use of all other mobile messaging applications, such as iMessage, Allo, Hangouts, WhatsApp, etc., is prohibited for ePHI. Note that some devices will route a message through one of these services automatically when the recipient also uses it (for example, iOS devices send iMessage rather than SMS to other Apple devices unless iMessage is turned off); the dedicated device must be configured so that messages are sent only over the permitted protocols.
Cellular text messaging is an insecure method of communication and must only be used when the research participant has given written consent by signing the University’s Consent Form. In addition, the guidelines below must be followed:
- Written consent is obtained prior to any text messaging with the research participant.
- Alternate secure methods are presented to the research participant. Phone, postal mail and UMN secure email are considered secure.
Restrict ePHI Sent and Received
Always limit ePHI to the minimum necessary, and consider the privacy of research participants when developing message content.
- Avoid sending private University data in messages.
- Avoid sending specific health information or diagnoses.
- Whenever possible, restrict message content to non-health information.
- Do not save names or other identifiable data within mobile device contacts.
- Remove any received messages once acted upon. Prioritize acting upon and removing messages that contain ePHI. Note that deleting a message from the device does not remove the copies held by the carrier or by the recipient, which is a further reason to keep ePHI out of messages in the first place.
Mobile devices used for contact with research participants must be owned by the University, used solely for the University purpose of transmitting ePHI, kept updated throughout the communication period, and managed according to all applicable University policies.
- Only dedicated mobile devices may be used. Use of the dedicated mobile device for any other University or personal business is prohibited.
- Mobile devices must be supported by the manufacturer. The only allowed devices are those that can be updated to the latest operating system version at the beginning of the usage period and that are expected to continue receiving updates for the entire usage period. Confirm with the manufacturer, before procurement, that the device is scheduled to receive updates throughout the planned usage period.
- Use large, well-known cellular carriers.
- Devices must be factory reset / wiped at the beginning and end of the usage period.
- Before a device is used, the device must be registered according to policy and configured according to the most recent Security Configuration.
- Lost or stolen devices must be reported to the University according to Administrative Procedure: Report Information Security Incidents.
Device Handling Documentation
The unit must document the handling of the mobile devices. This documentation must include:
- Procurement of the device.
- University registration according to policy.
- Interval at which messages on the device are cleared.
- Inventory and tracking.
- Factory reset upon study completion, device repurposing, or device retirement.
- Reporting of lost or stolen devices.
- Remote wiping.
The unit must document the process for communication with research participants. This includes, but is not limited to:
- Obtaining consent.
- Type and content of messages to send.
- Periodic deletion of sent messages on the mobile device.
- Method for recipients to stop receiving messages.