Use of cellular text messaging (SMS / MMS / RCS) for communication of ePHI is discouraged. Mobile devices and text communications are always subject to risks: devices can be lost or stolen, and text messages can be sent to the wrong phone number or person. Use alternate, and more secure, forms of communication whenever possible.
In some situations, cellular text communications may be preferred by research participants. Before using text messages to communicate ePHI, you must ensure that your use of mobile devices and content meet the guidelines contained in this appendix.
This policy strictly covers the use of cellular text messaging using the SMS, MMS, and RCS protocols. Other uses of cellular messaging, including images, movies and all other non-text forms of messaging, or the use of other protocols, are prohibited for use with ePHI. The use of all other mobile device messaging applications like iMessage, Facebook Messenger, WeChat, Hangouts, WhatsApp, etc. is prohibited for use with ePHI.
Cellular text messaging is an insecure method of communication and must only be used when the research participant has given written consent by signing the University’s Consent Form. In addition, the guidelines below must be followed:
- Written consent is obtained prior to any text messaging with the research participant.
- The consent is in a format that is accessible to the research participant.
- Alternate secure methods are presented to the research participant. Phone, postal mail and UMN secure email are considered secure.
Restrict ePHI Sent and Received
Always limit ePHI to the minimum necessary and consider the privacy of research participants when developing message contents.
- Avoid sending private University data in messages.
- Avoid sending specific health information or diagnoses.
- Whenever possible, restrict message content to non-health information.
- Do not save names or other identifiable data within mobile device contacts.
- Remove any received messages once acted upon. Prioritize acting upon and removing messages that contain ePHI.
Mobile devices used for contact with research participants must be owned by the University, used solely for University business, kept updated throughout the communication period, and managed according to all applicable University policies.
- Only University-owned mobile devices may be used. Use of the mobile device for anything other than University business is prohibited.
- The mobile device must be fully managed and supported by the University’s Health Sciences Technology (HST) group and meet all requirements of HST.
- Utilize large, well-known cellular carriers.
- Devices must be factory reset / wiped at the beginning and end of the usage period.
- Lost or stolen devices must be reported to the University according to Administrative Procedure: Report Information Security Incidents.
- New devices must be purchased through HST.
Device Handling Documentation
The unit must document the handling of the mobile devices. This documentation must include:
- Procurement of the device.
- Management of the device by HST.
- Interval at which messages on the device are cleared.
- Inventory and tracking.
- Factory reset upon study completion, device repurposing, or device retirement.
- Reporting of lost or stolen devices.
- Remote wiping.
The unit must document the process for communication with research participants. This includes, but is not limited to:
- Obtaining consent.
- Type and content of messages to send.
- Periodic deletion of sent messages on the mobile device.
- Method for recipients to stop receiving messages.