Cellular Text Messaging of Limited ePHI with Research Participants

Use of cellular text messaging (SMS / MMS / RCS) for communication of ePHI is discouraged. Mobile devices and text communications are always subject to risks: devices can be lost or stolen, and text messages can be sent to the wrong phone number or person. Use alternate, and more secure, forms of communication whenever possible.

In some situations, cellular text communications may be preferred by research participants. Before using text messages to communicate ePHI, you must ensure that your use of mobile devices and content meet the guidelines contained in this appendix.

This policy strictly covers the use of cellular text message using the SMS, MMS, and RCS protocols.  Other use of cellular messaging including images, movies and all other non-text forms of messaging or the use of other protocols are prohibited for use with ePHI. The use of all other mobile device message applications like iMessage, Facebook Messenger, WeChat, Hangouts, WhatsApp, etc. are prohibited for use with ePHI.

Obtain Consent

Cellular text messaging is an insecure method of communication and must only be used when the research participant has given written consent by signing the University’s Consent Form (PDF). In addition, the guidelines below must be followed:

1. Written consent is obtained prior to any text messaging with the research participant.
2. The consent is in a format that is accessible to the research participant.
3. Alternate secure methods are presented to the research participant. Phone, postal mail and UMN secure email are considered secure.

Restrict ePHI Sent and Received

Always limit ePHI to the minimum necessary and consider the privacy of research participants when developing message contents.

1. Avoid sending private University data in messages.
2. Avoid sending specific health information or diagnoses.
3. Whenever possible, restrict message content to non-health information.
4. Do not save names or other identifiable data within mobile device contacts.
5. Remove any received messages once acted upon. Prioritize acting upon and removing messages that contain ePHI.

Equipment Requirements

Mobile devices used for contact with research participants must be owned by the University, used solely for University business, kept updated throughout the communication period, and managed according to all applicable University policies.

1. Only University-owned mobile devices may be used. Use of the mobile device for anything other than University business is prohibited.
2. The mobile device must be fully managed and supported by the University’s Health Sciences Technology (HST) group.
3. When purchasing a new mobile device, the following are required by HST:
   1. Mobile phones must be Apple iPhones. Tablets must be iPads (purchasable through the Bookstore). Androids or any other branded phone/tablet will not be supported under HST.
   2. Select one of the latest models of phones sold by Apple. "SE" models are excluded.
   3. The phones/tablets must be brand new out of the box, not refurbished.
   4. The unit must contact HST to implement device management before use at [email protected].
4. Utilize large, well known cellular carriers.
5. Devices must be factory reset / wiped at the beginning and end of the usage period.
6. Lost or stolen devices must be reported to the University according to Administrative Procedure: Report Information Security Incidents.

Device Handling Documentation

The unit must document the handling of the mobile devices. This documentation must include:

1. Procurement of the device.
2. Management of the device by HST.
3. Interval that messages on the device are cleared.
4. Inventory and tracking.
5. Factory reset upon study completion, device repurposing, or device retirement.
6. Reporting of lost or stolen devices.
7. Remote wiping.

Communication Documentation

The unit must document the process for communication with research participants. This includes but not limited to:

1. Obtaining consent.
2. Type and content of messages to send.
3. Periodic deletion of sent messages on mobile device.
4. Method for recipients to stop receiving messages.