HIPAA Compliant Texting App

An Important Communications Tool for Healthcare Organizations

A HIPAA compliant texting app is an important communications tool for healthcare organizations and other covered entities. Apps for HIPAA compliant text messaging can be used to comply with the administrative, physical and technical safeguards of the Security Rule in order to prevent data breaches, mitigate the risk of malware infecting an organization´s computer systems and accelerate the flow of communication in a healthcare environment.

Apps for HIPAA compliant text messaging have far-reaching benefits for healthcare organizations and other covered entities. Issues regarding script errors or the payment of invoices can be resolved much faster with apps for HIPAA compliant text messaging, the apps can be integrated into an EMR to help meet the requirements of the Meaningful Use incentive program, and a HIPAA compliant texting app can be used to maintain communications during an emergency or disaster.

Why Secure Messaging Apps Have Become so Important

The risk of a data breach has never been greater. Research has shown that 87% of physicians (Manhattan Research) and 67% of nurses (American Nurse Today) use personal mobile devices to “support their workflows”. A more detailed study conducted by Wolters Kluwer in 2013 provided more insight into how the personal mobile devices were used and the risks to the integrity of electronic Protected Health Information (ePHI). The study revealed:

  • 44% of medical professionals use a personal mobile device to communicate with colleagues – often about patient healthcare.
  • 17% of medical professionals access patient data from their personal mobile device for healthcare purposes.
  • 12% of medical professionals that use a personal mobile device in the workplace access patient data for billing purposes.

Unless safeguards are put in place to protect the integrity of ePHI at rest and in transit, each of these actions can potentially result in a data breach of PHI – either through the interception of a message on an unprotected communications network or if a personal mobile device is lost or stolen. The blame for the data breach rarely lies with the individual, but with the healthcare organization or other covered entity that may have promoted the use of personal mobile devices through BYOD Policies.

According to the HSS Office of Civil Rights, the increased number of personal mobile devices in the workplace has resulted in an increased number of data breaches. The Office of Civil Rights attributed more than two-thirds of data breaches last year to lost or stolen portable devices – laptops, personal mobile devices and USB flash drives. The majority of these data breaches would have been avoided if healthcare organizations and other covered entities had complied with the HIPAA Security Rule.

Compliance with the HIPAA Security Rule

The administrative, physical and technical safeguards of the Security Rule stipulate the conditions that have to be in place for the compliant communication of ePHI. These can be summarized as follows:

  • The Administrative Safeguards require that a security officer is assigned to identify and analyze potential risks of a data breach. The security officer must evaluate, select and implement security measures to reduce potential risks and vulnerabilities to a reasonable level and is responsible for the management of access to ePHI and workforce training.
  • The Physical Safeguards relate to the physical security of data and access to where it is maintained. In relation to communicating within a healthcare environment, the physical safeguards cover the security of computer systems, desktop computers, media and mobile devices – how they should be protected from environmental hazards, intrusion and hacking.
  • The Technical Safeguards primarily concern the transmission of ePHI – how it should be communicated to avoid an unauthorized disclosure of ePHI, how communications should be monitored to ensure message accountability and what archiving specifications should be implemented to prevent the unauthorized amendment or deletion of patient data.

The primary issues concerning the HSS Office of Civil Rights about the increasing volume of data breaches fall into three areas – identity authentication, automatic logoff and transmission security. The resolution of these three issues would significantly reduce the risk of a data breach resulting from the loss or theft of a portable device, or the interception of ePHI while it is in transit.

Identity Authentication, Automatic Logoff, and Transmission Security

Healthcare organizations allowing the use of personal mobile devices or promoting BYOD policies should be aware that communications sent by SMS, email and commercially available messaging apps generally fail to comply with the requirements for identity authentication, automatic logoff, and transmission security. The Security Rule states that covered entities must:

  • “Assign a unique name and/or number for identifying and tracking user identity.” § 164.312(a)(2)(i)
  • “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” § 164.312(a)(2)(iii)
  • “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” § 164.312(e)(1)

A HIPAA compliant texting app requires that authorized users log into their apps at the beginning of each session with a unique, centrally-issued username and PIN. If the app is not used for a predetermined period of time, the user is logged out of the app to prevent the unauthorized disclosure of ePHI when a desktop computer or personal mobile device is left unattended. Transmission security is discussed below.

With a HIPAA compliant texting app, the issues of identity authentication, automatic logoff, and transmission security can be resolved without losing the convenience or speed of mobile technology. Apps for HIPAA compliant text messaging also enable the automatic archiving of ePHI to protect its integrity once it has been created and allow for easy retrieval.

Transmission Security and Encryption

Despite being an “addressable” safeguard, the encrypted transmission of ePHI is necessary in almost every scenario – the exceptions being when ePHI is communicated between a doctor and a patient, and when communications within a healthcare organization are exclusively internal and protected by a firewalled server. It should be noted that communications protected by a firewalled server are not necessarily HIPAA compliant due to the other elements of the Security Rule.

Communications sent by SMS, email and commercially available messaging apps are generally not secure. They can be intercepted in transit and, even if encryption has been added to these channels of communication, copies of messages remain on service providers´ servers indefinitely where they can be decrypted at a later time. Apps for HIPAA compliant text messaging not only send and receive encrypted ePHI so that they are indecipherable if intercepted, but the messages auto-delete after a period of time.

In addition to integrating encryption into apps for HIPAA compliant text messaging, transmission security is assured by mechanisms that prevent the transmission of ePHI beyond an organization´s communications network. ePHI cannot be copied and pasted from a HIPAA compliant texting app or saved to an external hard drive – thus eliminating the risk of a data breach due to the loss or theft of a USB flash drive.

The Risk of Hacking via Personal Mobile Devices

Although hacking does not feature highly on the Office of Civil Rights´ list of the most common reasons for data breaches, the volume of ePHI that can be potentially extracted by a hacker is substantial. Furthermore, the value of a patient´s medical information can be as much as ten times higher than a stolen credit card on the black market – making the installation of malware on a computer system exceptionally lucrative.

Traditionally hackers have targeted their attacks on healthcare servers and mainframe computers; but as IT security has improved, cybercriminals have turned their attentions to more vulnerable mobile devices. Now, by infecting a Smartphone with malware – either via an app, an ad or an unprotected Wi-Fi service – a hacker can access an entire network when the Smartphone connects with it.

As explained elsewhere in this article, apps for HIPAA compliant text messaging only connect with other apps within the organization´s network via an encapsulated communications channel. Any malware or infection that has inadvertently been downloaded onto a personal mobile device cannot be transferred via the secure messaging platform to other authorized users´ Smartphones or the organization´s computer system – preventing the risk of hacking via personal mobile devices.

How a HIPAA Compliant Texting App Works

A HIPAA compliant texting app is practically the same as any other messaging app – such as WhatsApp or iMessage. The apps have a familiar text-like interface and can be downloaded onto any desktop computer or mobile device and work across all operating systems. Like commercially available messaging apps, they can be used to send text or voice messages, and attachments such as images, documents and videos.

The primary difference between commercial messaging apps and apps for HIPAA compliant text messaging is that communications sent via a HIPAA compliant texting app are encapsulated within a private communications network. What this means is that authorized users can only communicate with other authorized users to eliminate the risk of ePHI being accidently or maliciously sent to an unauthorized third party – and to eliminate the risk of a cyberattack.

An example of how a HIPAA compliant texting app works is provided below:

How a HIPAA Compliant Texting App Accelerates Communication

It was mentioned above that apps for HIPAA compliant text messaging have been shown to accelerate the flow of communication. This is a benefit of the security mechanisms implemented to ensure message accountability and certain features on the apps that provide message notifications and read receipts. Combined, these mechanisms and features facilitate the faster exchange of secure messages, reduce the amount of time medical professionals spend playing phone tag, and are responsible for an increase in productivity.

From our case studies:

  • When apps for HIPAA compliant text messaging were introduced at the Limestone Medical Facility, medical professionals saved more than one hour per day checking emails, making calls and playing phone tag – allowing them to deliver a higher level of healthcare to their patients.
  • At the Wellcon medical facility at the Salt Lake County Adult Detention Center, a HIPAA compliant texting app was installed on the facility´s desktop computer. By using the app to escalate patient concerns, the twenty RNs at the facility cumulatively saved 8-12 work hours per day.

The accelerated flow of communication is also apparent in the less time it takes to perform hospital admissions and conduct patient discharges with a HIPAA compliant texting app. The group messaging facility on the app also fosters collaboration without the risk of unauthorized personnel eavesdropping on the conversation, and can be used for such purposes as resolving issues on healthcare invoices with insurance companies.

Resolve Script Errors with Secure Text Messaging

Another drain on time resources that can be eliminated with a HIPAA compliant texting app is the resolution of script errors. In addition to pharmacies being subject to the same conditions for communicating ePHI as healthcare organizations, they are also subject to DEA regulations under the Controlled Substances Act. Consequently, when there is a query over a script, it can be a time-consuming process to confirm the script or make changes to it.

With apps for HIPAA compliant text messaging, a pharmacist can contact a physician quickly and securely to obtain an answer to their query. As is demonstrated in our case studies from Orange County Community Clinics and the Carvajal Pharmacy, the implementation of apps for HIPAA compliant text messaging has resulted in a 50% cut in the length of time it takes to fill scripts – reducing patient wait times and allowing doctors to spend less time on the phone and more time caring for patients.

Secure Text Messaging and Meaningful Use

If your healthcare organization is participating in the Meaningful Use incentive program, secure messaging enables the easy implementation of the Meaningful Use requirements. For example, with a HIPAA compliant texting app, hospital administrators can monitor the journey of medications or confirm an electronic prescription handoff – both requirements of Meaningful Use Stage II.

In Meaningful Use Stage III, one of the new requirements is that electronic notifications of significant healthcare events are sent within four hours to known members of the patient’s care team. Sending the required notifications by SMS or email could potentially result in a data breach; but, with the group messaging facility on a HIPAA compliant texting app, the requirement can be completed quickly and easily with no risk of a breach of ePHI.

Integrating Apps for HIPAA Compliant Text Messaging with an EMR

Further requirements of the Meaningful Use incentive program can be completed when a HIPAA compliant texting app is integrated with an EMR. An “advanced EMR” enables the faster documentation of patient behavior (Stage II) and the tracking of responses to patient generated messages (Stage III). The time-consuming task of data entry can be shared between any members of staff authorized to use a HIPAA compliant texting app. This frees up time for consultants, who can also streamline their workflows via the app on their personal mobile device.

The integration of apps for HIPAA compliant text messaging with EMRs is one which has been shown to benefit patients as well as healthcare authorities and medical professionals. According to a 2015 study by the Tepper School of Business at the Carnegie Mellon University – “Saving Private Ryan” – researchers identified an overall reduction of 27% in patient safety issues when apps for HIPAA compliant text messaging were integrated with EMRs in two hundred hospitals throughout Pennsylvania.

Other Benefits of Secure Messaging

As well as being an efficient and secure means of communicating ePHI, apps for HIPAA compliant text messaging have been used as part of an emergency disaster plan when a two-hour power outage struck the answering service provider for Optimal Health Services in California. The apps were also used to advise hospital staff at the Inova Fairfax Hospital that the facility was on lockdown when emails would not have conveyed the message in an appropriate timeframe.

One area that has not been discussed thus far is cost. As secure messaging solutions operate through cloud-based platforms, there are no hardware purchases required or complicated installations of software needed. The apps for HIPAA compliant text messaging are free to download and the only cost that a healthcare authority will incur is the operating cost – found in a study conducted by HIMSS Analytics to be 40% cheaper than operating a pager messaging system.