Breaking news: Texting has pervaded the world of healthcare providers. After years of avoiding this form of communication, providers are now using text messages to get patient information to the right people.
However, along with the benefits of fast communication, texting comes with some risks. Anyone who sends Electronic Protected Health Information (ePHI) in unencrypted text messages faces a major risk of falling out of compliance with HIPAA and HITECH regulations.
Avoiding Unsecured Texting Risks
As enforcement of HIPAA regulations intensifies, the risks of sending unencrypted text messages also increase. Although communicating with colleagues via text messaging is convenient and fast, encryption is vital to maintaining HIPAA and HITECH compliance with patient privacy rules.
A medical organization should take the following steps, at a minimum, to avoid these risks. Of course, the common practice of faxing patient information to another provider is even less secure, but texting faces many of the same risks.
To avoid the dangers of insecure texting and enhance HIPAA compliance, consider these three components to design a text message strategy. These steps lay the groundwork for a thoughtful plan to better secure your texts.
- Establish a written policy for text communications.
- Evaluate and select a secure text message solution.
- Design and manage the texting solution chosen.
Since the HIPAA Security Rule requires your practice to perform a risk analysis, and text messaging must be addressed as part of it, you must identify the “administrative, physical and technical controls” necessary to minimize the risks of sending patient information by text. Compare your current text messaging methods against other options that could better protect ePHI.
HITECH also requires the practice to document the methods adopted for “breach notification” in order to comply with the HIPAA Privacy Rule. Breaches include “the acquisition, access, use or disclosure” of PHI, which covers lost or stolen cell phones falling into the hands of people not authorized to access patient records. How do you plan to give notice of a breach and eliminate PHI that may reside on a lost or stolen cell phone?
HIPAA Compliant Texting Policy
Your practice policy should apply to everyone in your organization, physicians and support staff alike. Even independent contractors and some vendors may fall under your policy if they have a Business Associate Agreement (BAA) in force with your practice.
To avoid non-compliance, include the following features in your texting policy.
- All text messages containing ePHI, whether sent by mobile device or computer, must be transmitted in encrypted form.
- These messages should not be decrypted and stored on cell phones or on the cellular providers’ servers, where they could be accessed by unauthorized persons.
- Establish safeguards for practice staff when sending or receiving ePHI-based text messages, including password protection, automatic device locking during inactivity, and sending only the minimum necessary patient information.
Suggested Policy and Implementation Guidelines
These guidelines should be “must do” actions when texting PHI.
- Always confirm the identity of the text recipient.
- Confirm delivery and receipt of text messages.
- Don’t use any shorthand or abbreviated terms.
- Never text patient orders.
- Document all text messages (or notations thereof) in patient medical records.
- Delete all text messages with ePHI as soon as possible or when enclosed information is no longer needed.
- Report unencrypted text messages, sent or received, containing ePHI to the practice HIPAA Security Officer immediately.
Including the noted safeguards in your practice policy and implementing them will better secure your text messaging. A written texting security policy, followed as designed by practice personnel, should keep you clear of HIPAA non-compliance problems.
Installing appropriate solutions to maximize the security of your text messages, along with remedial procedures for when you suspect a breach, helps you protect your patient medical records from unauthorized viewing or use. In doing so you will have satisfied the intent, focus and mandates of the HIPAA Security Rule.