I understand there is some ambiguity regarding providers communicating PHI with patients, and I'm having some trouble interpreting how it applies to me.
My provider developed software to engage patients via unencrypted SMS. My provider's medical practitioners will determine a patient is in need of monitoring and will develop or reuse a workflows to regularly request defined PHI from patients--such as diastolic and systolic blood pressure values. Patients will then be asked if they'd like to participate in follow-up engagement, be warned of insecurities involved in SMS, and be presented with a smartphone app or call alternative. Their consent recorded will be recorded. The provider's software would then follow the scheduled workflow from the patient's doctor to send a message via a 3rd party SMS service requesting PHI (dbp and sbp). The patient would respond to the text message with the PHI which would flow through the 3rd party SMS service and be encrypted in the provider's data center. All logs of messages through the 3rd party service are immediately deleted.
We have the advantage that doctors will be requesting the information for each individual patient, so they are deeming it medically necessary and are weighing the risks of patient's PHI being breached.
1) Could this potentially be allowed by the Security Rule of HIPAA? Bearing in mind the provider is not sending any PHI, rather requesting it.
2) Further, if PHI were breached, by someone reading the text messages of a participating patient or a cellular network man-in-the-middle attack, would the provider be held legally liable?
3) Finally, would the provider have to have a formal, documented risk analysis using the transmission security standard for each workflow defined for gather patient PHI?