Updated on May 6, 2018

JUNE 2017

Introduction

Health care providers and professionals use mobile devices in their work. Covered entities must comply with the HIPAA Privacy and Security Rules to protect health information even when it is handled on mobile devices. Your organization is responsible for developing and implementing mobile device policies and procedures that protect the health information patients entrust to you.

THINK BEFORE YOU TEXT

Secure text messaging has become an important compliance problem for hospitals: HIPAA regulations require that patient information be kept secure at all times. The risk grows as facilities integrate more technology into their workflows. Mobile devices let staff communicate about patients more easily with colleagues, but when that communication runs over ordinary text messaging it puts the facility at risk of violating HIPAA.

 

There is also a general security concern. With standard text (SMS) services, messages can be read by anyone who picks up the device, they sit unsecured on the telecommunication providers' servers, and they can be intercepted and read in transit. Without a secure messaging solution, a facility risks both the interception of patient information and a violation of mandatory compliance requirements.

The following article was published in Today's Wound Clinic and is shared here in its entirety to illustrate the complexity and liability of texting in the hospital outpatient department (HOPD).

HIPAA Privacy & Security Compliance: Think B4 U Send Text Messages

Roger Shindell, MS, CHPS, CISA

The risks associated with sending electronic protected health information (ePHI) via unencrypted text messaging are significant, especially given the climate of rising enforcement of compliance as it pertains to HIPAA and HITECH. However, there’s high demand among healthcare providers to use text messaging as a fast, convenient way to communicate and collaborate with both patients and colleagues. So, what gives? This article will discuss how clinicians can protect themselves when texting with their peers about patients and when texting with patients about their protected health information (PHI).

The Texting Reality

Texting within the healthcare space is commonplace among providers, with good reason. It's an excellent way to communicate, offering convenience, expedience, and the ability to enhance patient care by reaching other clinicians quickly. Besides texting about patients, providers are also texting with patients, with positive results. In one study where doctors used texting or email for perioperative messaging, 94% of family and friends felt more connected to their loved ones during surgery, and 90% of patients reported an improved hospital experience. Yet, security-wise, there are many risks of a PHI breach. Additionally, instant messages are shared in many ways beyond the cell phone's native texting, through platforms such as WhatsApp, Facebook Messenger, QQ Mobile, WeChat, Skype, Viber, Line, and BlackBerry Messenger, among others.

Moving forward, we will see continued expansion of texting and other digital messaging in healthcare settings. However, HIPAA security concerns are not receiving prime consideration. In one study, only 5% of physicians routinely used HIPAA-compliant text applications, regardless of their training level.[3] This leaves practitioners open to HIPAA violations, as well as to potential malpractice claims if information in texts is used to make treatment decisions. Reported barriers to HIPAA compliance in texting include inconvenience (58%), lack of knowledge (37%), unfamiliarity (34%), inaccessibility (29%), and habit (24%).

For some time, the Joint Commission disallowed text messaging among healthcare providers under its jurisdiction, but it recently revised its position to allow texting with certain restrictions. These restrictions require that a secure messaging platform be implemented that provides the following:

  • a secure sign-on process,
  • encrypted messaging,
  • delivery and read receipts,
  • date and time stamps,
  • customized message retention timeframes, and
  • a specified contact list of individuals authorized to receive and record orders.

While these rules provide some solid guidance, they do not address the HIPAA Security Rule's regulatory concerns. Organizations must have policies and procedures that address the security regulations, including administrative, physical, and technical safeguards (45 CFR 164.316). If texting involves PHI, policies and procedures governing its use must be documented. For texts and other digital-messaging platforms to be evaluated properly under HIPAA, they must be included in the organization's security risk assessment. This process includes performing a risk analysis of how texting may put patient PHI at risk, finding ways to manage that risk, and adopting a sanction policy for providers who violate the texting policies and procedures (45 CFR 164.308(a)(1)). Some considerations regarding texting and other forms of digital messaging are:

  • If texts reside on a mobile device indefinitely, there is a risk of exposure to unauthorized third parties through theft, loss, disposal, or recycling of the device.
  • Texts are generally not monitored by an organization's information technology (IT) department, leaving a risk of interception by an unauthorized person, as well as exposure to malware.
  • Using a cell phone on a public network increases the risk of exposing the ePHI transmitted from the device.
  • There may be a lack of authentication: without proper access protection, anyone may access the PHI, risking inappropriate disclosure, alteration, or destruction of ePHI.
  • The device may be disposed of improperly.
  • The ePHI is unavailable to other providers when it is needed.
  • Text messages may also reside on workstations or in cloud services in addition to the cell phone.
  • ePHI stored on the phone is kept in the on-board memory, but it can also be stored on the Subscriber Identity Module (SIM) card, where it will likely remain.
  • Some messages are stored online as a convenience to the subscriber.
  • The Privacy Rule gives patients or their representatives the right to access and amend PHI about them that is maintained in the designated record set (DRS). Any information that is used to make treatment decisions (in whole or in part) must be entered into the DRS.


An organization's security risk analysis should result in policies and procedures that address:

  • defining and limiting the type of information that may be shared via text;
  • training the workforce on the proper use of texting and the circumstances in which it is allowed;
  • using a secure platform with password protection and encryption;
  • maintaining an inventory of all mobile devices that text ePHI (both organizationally owned and personally owned);
  • developing a process by which texts containing ePHI will be entered into the DRS;
  • defining policy regarding retention and deletion of texts;
  • notifying the workforce that the organization can legally search an employee's mobile device when there is suspicion that HIPAA regulations are being violated;
  • having a clear sanction policy for improper use or disclosure of ePHI via a mobile platform;
  • disallowing communication of highly sensitive ePHI via text;
  • defining how ePHI will be removed from or destroyed on a device; and
  • audit controls, since traditional texting does not allow for centralized audit controls by the IT department.

Also note that patients have the right to request that communication be made via text. Under 45 CFR 164.522(b), individuals have the right to request alternative means of communication from their healthcare providers in order to protect confidentiality. Examples of the types of communication to which this may apply include (but are not limited to):

  • appointment reminders,
  • billing statements,
  • pre- or post-treatment/procedure calls,
  • sending test results, and
  • prescription refill reminders.

When a patient requests this alternative means of communication (i.e., text messaging), the provider may require that the request be made in writing and must accommodate reasonable requests. Additionally, providers should explain to the patient the risks of the alternative channel, such as text messaging; including this explanation in the written request that the patient signs documents that the requirement was met. While it can be extremely expedient and convenient to text about or even with patients, texting carries real risk of violating HIPAA and HITECH regulations.

Texting can also increase malpractice risks when messages about treatment decisions are not included in the DRS. As outlined in this article, there are various ways providers or organizations can decrease their risks when employing texts in patient care. It’s incumbent upon the professional to balance convenience and expediency of texting with protecting patient care and privacy.
