I am seeing more and more healthcare providers using their mobile phones to communicate via text with patients, and while researching this I found an article on the practice and its potential HIPAA violations. Here’s a snippet from that article…
So what’s the problem?
Unfortunately, traditional SMS messaging is inherently non-secure and noncompliant with the safety and privacy regulations under the Health Information Portability and Accountability Act (HIPAA). Messages containing electronic protected health information (ePHI) can be read by anyone, forwarded to anyone, remain unencrypted on telecommunication providers’ servers, and stay forever on the sender’s and receiver’s phones.
In addition, senders cannot authenticate the recipient of SMS messages (i.e., senders cannot be certain that the message has been sent to and opened by the right person). Studies have shown that 38 percent of people who text—including me—have sent a text message to the wrong person.
As a result, The Joint Commission has effectively banned physicians from using traditional SMS for any communication that contains ePHI data or includes an order for a patient to a hospital or other healthcare setting. A single violation for an unsecured communication can result in a fine of $50,000; repeated violations can lead to $1.5 million in fines in a single year, not to mention the reputational damage done to an organization and its ability to attract patients.
A recent case, for example, resulted in a $50,000 fine to the provider. In addition, the provider was required to “implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level for ePHI in text messages that are transmitted to or from or stored on a portable device.”
The Joint Commission did not ban all text messaging solutions, however. Instead, it established Administrative Simplification Provisions (AS) that serve as guidelines for developing secure communication systems. Under the AS guidelines, the following four major areas are critical to compliance:
- Secure data centers—Healthcare organizations typically store patient information in either onsite or offsite (cloud) data centers. HIPAA requires these centers to have a high level of physical security as well as policies for reviewing controls and conducting risk assessment on an ongoing basis.
- Encryption—AS stipulates that ePHI must be encrypted both in transit and at rest.
- Recipient authentication—Any communication containing ePHI must also be delivered only to its intended recipient. A texting solution should allow the sender to know if, when, and to whom a message has been delivered.
- Audit controls—Any compliant messaging system must also have the ability to create and record an audit trail of all activity that contains ePHI. For a text messaging system, this includes the ability to archive messages and information about them, to retrieve that information quickly, and to monitor the system.
Standard consumer-based messaging systems fail most of these requirements. The data centers are often not designed with the highest levels of physical and data security. Messages can be intercepted and are not encrypted. Recipient authentication is not available and, although messages and delivery details may be stored indefinitely, they are not designed to provide a fully functional audit trail.
Secure text messaging solutions
By using a private, secure texting network, doctors, nurses, and staff can not only send and receive patient information, but also potentially achieve the following goals:
- Shorten response times
- Improve the accuracy of decision making by having better information
- Allow multiple parties involved with clinical decision making to be looped in on the same message
- Allow for quicker interventions and improve patient outcomes
- Securely communicate lab results, imaging results, patient procedures, and medical histories, allowing the physician to have more information readily available
- Speed up on-call notifications
- Eliminate the hassle of callbacks
- Integrate with scheduling systems to create automatic notifications of pending events