Getting the (Text) Message Out: Are Text Messages Secure?

Do HIPAA and text messaging play nicely together?

Cutting-edge medicine taps the newest technologies and approaches to improve care. At the other end of the medical innovation spectrum are the communication modes in use in many practices. Email on a desktop or laptop was once cutting edge, but it’s been replaced by instant messaging on phones or tablets, at least in the non-medical world.

That level of portability would seem tailor-made for medical professionals. However, HIPAA and other regulations haven’t moved as fast as mobile device capabilities. Even with the advent of EHRs, data exchange methods haven’t kept pace with industry expectations for privacy and convenience. To deliver the best care possible, it’s essential to meet patients on their own terms.

Most healthcare providers and vendors use file encryption to comply with HIPAA. Most secure email tools focus on the body text of an email, but the more worrying threat is what is attached to the message. It is essential to encrypt the files themselves, whether they’re digital X-rays, intake forms, recordings, or medical bills.

However, a 2014 survey of more than 1,100 medical practices and billing companies found that many respondents were not compliant with HIPAA’s Omnibus privacy and security regulations, compliance measures, and communication methods. Thirty-six percent of the providers, administrators, and medical office staff didn’t know about HIPAA’s updated rules. Of respondents who knew about the rules, only 58 percent said they had a HIPAA compliance plan.

The study also suggested billing companies may be doing better with compliance than medical practices and that there is a consistent information gap between management and staff when handling HIPAA compliance measures.

Pros and cons of SMS
While healthcare providers have focused on email, information exchange in the non-medical world moved on. Now, mobile devices are taking healthcare further into uncharted territory.

There are two schools of thought on SMS use for business operations. Some believe SMS usage poses limited risks; others believe it opens new doors to data breaches and other hacks.

SMS was originally designed for entertainment purposes and allows users to transfer files and images that can be decidedly non-HIPAA-compliant. SMS software wasn’t designed for transferring sensitive data such as personal health information (PHI).

Therefore, most hospital policies don’t allow texting of any clinical information. But regardless of whether or not hospitals permit physicians to text regarding clinical care, it is happening. The fact is that SMS is fast, easy, convenient, and geared toward mobile workers using smartphones and tablets rather than traditional desktops. Today, smartphone-based SMS, including texting, is used by more than 4 billion people worldwide.

The more alarming side of SMS is that information can stay on a device indefinitely and, without appropriate authentication methods, that information can be easily misdirected to an unauthorized recipient. Furthermore, the content of the messages is not controlled by the medical practice’s “security officer” (often a person wearing multiple hats).

Official guidance reflects ambivalence more than anything else. Case in point: in April, The Joint Commission ended its texting ban for clinicians. Then it reinstated the ban in July. It then said it would issue additional guidance in conjunction with CMS in September. That was four months ago.

As a recent Law360 post states, “… the texted communications must be part of the organization’s required ongoing risk analysis to identify gaps in security (risk of loss of the device, misdirection of the text, hacking, etc.)”

Physicians and just about everyone else in healthcare are trying to understand whether texting orders is legal and acceptable from an accreditation/regulatory perspective. Until that guidance appears, you should ensure that your office is using secure collaborative communication best practices, including those for texting medical orders. Answering these questions will help assure secure SMS:

  • Is patient data protected? Are communications, including orders, being sent and processed according to a practice-wide privacy and security policy? Practices should seek out services that allow providers to send and receive encrypted email on their mobile devices, as well as allow them to coordinate care with other entities.
  • Are providers able to text a medical order within a structured template that ensures the order is received by the right person, contains all required information, and is correctly interpreted? According to one study, inefficient communication costs US hospitals an estimated $11.2 billion annually in wasted employee time.
  • Can your practice track the communication status in real time? Can the sender confirm that the right person received the order and correctly interpreted it?
  • Can orders be archived in patients’ records and other systems? Can the same system that is texting the order pull the information that’s needed to process it?

Texting is integral to daily life for most of the nation. If and when regulators and accreditors provide additional clarity, practices that have answered these questions as part of a communications strategy will be ready to get the word out quickly, accurately, and in a way that meets patients’ needs. HIPAA security officers, stand guard.
