HIPAA Texting Policy
Why You Should Have a HIPAA Texting Policy
A HIPAA texting policy is just one of a number of policies that should be developed, implemented and enforced in order to comply with the Health Insurance Portability and Accountability Act of 1996. The policy for texting in compliance with HIPAA should establish the conditions under which it is appropriate to communicate Protected Health Information (PHI) by text, the acceptable method(s) for communicating PHI by text, and the sanctions that will be applied if the policy is not adhered to.
The purpose of having a policy for texting in compliance with HIPAA is to ensure that every employee and Business Associate refrains from actions that may result in the unauthorized disclosure of PHI. The financial penalties for a breach of PHI can be substantial, so it is vital that every covered entity has HIPAA texting rules in place to prevent PHI from being accidentally or maliciously disclosed. It is also something HIPAA audit inspectors will look for when the OCR conducts its next round of audits.
Breaches of PHI and their Consequences
Data breaches are big business. It has been estimated that health records are worth ten times more on the black market than credit cards, because health records can be used to create false identities and obtain free healthcare. For the most part, only the largest breaches of PHI attract national headlines (Anthem, Premera Blue Cross, Excellus Health, etc.), but in 2014 the unauthorized disclosure of PHI not associated with hacking accounted for 30.7 percent of the patient health records breached.
Many covered entities will be aware that increased financial penalties for a breach of PHI were introduced in the Final Omnibus Rule of 2013. But how many are aware of the other consequences of a breach of PHI? Our infographic below illustrates what the real cost of a data breach may be, and why a policy for texting in compliance with HIPAA should be at the top of every healthcare organization's agenda:
Prior to Developing a Policy for Texting in Compliance with HIPAA
Prior to developing a policy for texting in compliance with HIPAA, covered entities should conduct a risk assessment in order to identify where a breach of PHI might occur within their organizations and to detect any security vulnerabilities. Various tools are available from the Department of Health and Human Services to encourage covered entities to comply with this requirement of the HIPAA Security Rule – which is also a requirement of the Meaningful Use incentive program.
Any weaknesses that are identified should be addressed with the most appropriate measures to prevent the unauthorized disclosure of PHI. In certain circumstances this will involve a complete overhaul of the way in which PHI is communicated within an organization in order to comply with the administrative, physical and technical requirements of the HIPAA Security Rule. Depending on the nature of healthcare service provided by the covered entity, the changes required may be substantial.
What Should be Included in an Organization's HIPAA Texting Guidelines?
There is no “one-size-fits-all” HIPAA texting policy, and each covered entity should determine the most appropriate HIPAA texting guidelines to achieve compliance, taking into account the characteristics of the covered entity and its environment. The development and implementation of HIPAA texting guidelines will reflect the nature of the covered entity's business, its size, and the weaknesses identified in the risk assessment.
Typical elements of a policy for texting in compliance with HIPAA include:
- The circumstances in which PHI can be communicated
- Whether it is necessary for the communication to be encrypted (*)
- How the “Minimum Necessary Standard” should be applied
- What devices and channels can be used to communicate PHI by text
- Whether or not a Privacy Statement needs to be included in the communication
- The procedure for reporting misdirected text messages
- Any other special circumstances that may apply
- Special exceptions to the above
(*) The encryption of text messages is an “addressable” requirement of the HIPAA Security Rule. In practice this means that, unless the text communication is between a doctor and patient, or it is maintained within an internal communications network that is protected by a firewalled server, the encryption of all text messages containing PHI is necessary.
Sanctions for Failing to Adhere to HIPAA Texting Rules
The importance of adhering to HIPAA texting rules should be communicated to all employees authorized to access PHI. They should be made aware that the creation, modification and transmission of PHI are monitored and that an audit trail is created. Although the enforcement of sanctions is not a pleasant task, if employees are aware of what penalties exist for failing to adhere to the HIPAA texting rules, there can be no complaints should an accidental or malicious breach of PHI occur.
Typically, non-adherence to the HIPAA texting rules is broken down into three classes of offense:
- Class I offenses include accessing PHI without authorization, sharing login codes, amending PHI without authorization, texting PHI to an employee not authorized to access PHI, and failing to cooperate with a Privacy Officer.
- More serious Class II offenses include the unauthorized use or disclosure of PHI and using another employee's login code. Depending on the level of risk it created, a repeated Class I offense may also be treated as a Class II offense.
- Class III offenses include obtaining PHI under false pretenses and using or disclosing it for commercial advantage, personal gain or malicious harm. Repeated Class I and Class II offenses may also be treated as Class III offenses, again subject to the level of risk.
The sanctions for failing to adhere to an organization's HIPAA texting rules can vary from a reprimand and retraining for lesser offenses to the termination of employment for more serious offenses. When the actions of an employee have serious consequences for a covered entity, it may also be necessary to instigate civil or criminal proceedings against the employee.
What if the Mechanisms are Not in Place to Support a HIPAA Texting Policy?
Without the other requirements of the HIPAA Privacy and Security Rules being in place, a HIPAA texting policy is superfluous. Some of the administrative, physical and technical requirements of the Security Rule have already been discussed – encryption, monitoring, audit trails and login codes – but without all the elements of HIPAA being in place, a policy for texting in compliance with HIPAA is unenforceable and the covered entity is exposed to the risks of a data breach.
The risk of a data breach has never been greater. Due to the increased use of personal mobile devices in the workplace, covered entities are exposed to risks and vulnerabilities every day. All it takes is one misdirected text message, the interception of an unencrypted text message over an open Wi-Fi service, or a stolen smartphone for a breach of PHI to take place. Rarely is the blame for the data breach attributed to an individual. The OCR will regard the healthcare organization or other covered entity as liable for failing to implement a HIPAA texting policy.
The lack of a HIPAA texting policy can also allow cybercriminals access to a covered entity's database. In the past, hackers targeted their attacks on servers and mainframe computers. However, smartphones and other mobile devices are now seen as easier targets: once a smartphone is infected with malware, a hacker can gain access to an entire network when the smartphone connects to it, and extract data at will.
How Secure Messaging Solutions Mitigate Risks
Some covered entities have chosen to implement a secure messaging solution in order to mitigate the risks of a data breach, whether through non-compliant text messaging or through the efforts of a cybercriminal. Secure messaging is a method of communication that operates in a similar way to Instant Messaging, only with security features in place to enable compliance with HIPAA and prevent attacks from outside sources. The solutions are easy and inexpensive to install and operate, and help covered entities fulfill the requirements of the HIPAA Security Rule.
Secure messaging solutions work via secure texting apps. These can be downloaded and installed onto any desktop computer or mobile device, making them suitable for covered entities that promote BYOD policies. The apps only allow authorized users to text other authorized users within the covered entity's network, eliminating the risk of misdirected text messages and preventing an infected smartphone from transferring its malware onto a covered entity's database.
Other areas in which a secure messaging solution can resolve issues surrounding HIPAA compliance include:
- All authorized users are assigned a unique username and PIN to ensure ID authentication and message accountability.
- All text messages communicated through the secure texting apps are monitored and an audit trail created.
- Secure text messages are archived in a cloud-based platform where they cannot be amended or modified without authorization.
- Message lifespans are assigned to messages so that they automatically delete after a predetermined period of time.
- Automatic logoff prevents the unauthorized disclosure of PHI when a desktop computer or mobile device is left unattended.
- Administrators have the ability to remotely wipe and PIN-lock a secure texting app if the device onto which it has been installed is lost or stolen.
With a secure messaging solution in place, risk assessments find fewer vulnerabilities, making it easier for administrators to compile a policy for texting in compliance with HIPAA. As it is much harder to create a scenario in which a breach of PHI might accidentally occur, it is easier for employees to adhere to HIPAA texting guidelines, and there will be fewer instances of sanctions being applied for breaking the HIPAA texting rules, reducing the workloads of administrators and HR departments.
The Advantages of Secure Messaging Solutions
In addition to providing the necessary mechanisms around which a HIPAA texting policy can be developed, implemented and enforced, secure messaging solutions have many advantages for covered entities, medical professionals and patients.
Possibly the most noticeable benefit of secure messaging solutions is the way in which they accelerate the flow of communication. Having the same functionality as Instant Messaging apps, SMS and email, authorized users can send text messages, documents, test results, images and videos with the same speed and convenience as an unsecured messaging system. However, due to the mechanisms in place to ensure message accountability, the amount of time medical professionals spend playing phone tag is substantially reduced.
- When a secure messaging solution was implemented at the Concordia Lutheran Ministries medical facility in Pennsylvania to streamline team communication, offsite staff members could be contacted with the assurance that the secure text messages were being received, saving hours each day and increasing productivity.
- A similar situation occurred at the Wellcon medical facility at the Salt Lake County Adult Detention Center when a secure messaging solution was implemented. With message delivery assured and acknowledged, the twenty RNs at the facility cumulatively saved 8-12 work hours per day previously spent waiting for replies, enabling them to see fifteen more patients per day.
The accelerated flow of communication also increases the efficiency of healthcare processes such as hospital admissions and patient discharges when the group messaging facility is used. When a secure messaging solution was implemented at North American Medical Management, the organization streamlined group communications and the patient discharge process with such efficiency that thirty inpatient bed days were eliminated each month.
Confirm Prescriptions with Secure Messaging
There are many further examples among our case studies of how secure messaging helps to streamline workflows and increase productivity; however, one particularly time-consuming scenario that can be resolved with secure messaging deserves a mention of its own: the confirmation of prescriptions.
Confirming prescriptions and resolving errors is a major drain on resources for pharmacists and doctors. It can also be a source of frustration for patients who have to wait while these issues are resolved. With a secure messaging solution it is possible to cut the time it takes to fill scripts by 50% – as was demonstrated at Orange County Community Clinics and the Carvajal Pharmacy.
Both of these medical facilities are subject not only to HIPAA regulations but also to DEA regulations under the Controlled Substances Act. With a secure messaging solution, and a HIPAA texting policy to guide employees on when to use it, both facilities can benefit from accelerated communications without the risk of a data breach, while doctors can spend more time caring for patients.
Secure Messaging and the Meaningful Use Incentive Program
It has already been mentioned that the compilation of a risk assessment is a requirement of the Meaningful Use incentive program. It may be of value to healthcare organizations to know that other requirements of the incentive program can also be met with a secure messaging solution; for example, the Stage II requirement that the journey of medications be monitored can be fulfilled via a secure messaging app.
A new requirement in Meaningful Use Stage III is that electronic notifications of significant healthcare events are sent within four hours to known members of a patient's healthcare team. Sending the required electronic notifications by email or SMS could result in a violation of HIPAA and of an organization's HIPAA texting guidelines. With the group messaging facility on a secure messaging system, the Stage II Meaningful Use requirement can be met quickly and easily with no risk of a data breach.
The Importance of HIPAA Texting Guidelines for EMR Integration
The importance of HIPAA texting guidelines when a secure messaging solution is integrated with an EMR cannot be overstated. The integration of a secure messaging solution, or any remote access to an EMR, creates new risks and exposes a greater amount of PHI to the risk of a data breach.
Undoubtedly there are substantial benefits to allowing authorized users to access an EMR from a personal mobile device. The faster documentation of patient behavior (a requirement of Meaningful Use Stage II) and the tracking of responses to patient-generated messages (a requirement of Meaningful Use Stage III) can both be managed remotely, and physicians can streamline their workflows by sorting EMR alerts by priority from the secure messaging app.
The integration of a secure messaging solution with an EMR has been shown to reduce medication errors and patient safety incidents, and the cloud-based secure messaging platform can be used as part of an emergency disaster plan, as was the case when a two-hour power outage struck Optimal Health Services and authorized users were able to channel the facility's answering service through their personal mobile devices.
Talk with TigerText about HIPAA Texting Rules
TigerText is one of the country's leading vendors of secure messaging solutions. More than 5,000 HIPAA covered entities, including four of the top five largest for-profit health systems in the country, use TigerText to comply with the Security and Privacy Rules, and naturally we have helped many of them compile their HIPAA texting guidelines.
TigerText helps healthcare organizations to comply with HIPAA, prevent data breaches, and mitigate mobile security risks. More than that, our secure messaging solutions increase productivity, streamline workflows and enhance the standard of healthcare provided to patients – at a 40% lower cost than pager systems according to a study conducted by HIMSS Analytics.
If you would like to know more about TigerText's secure messaging solutions, or have questions about HIPAA texting guidelines, please do not hesitate to contact us and request a free demonstration of TigerText in action. The demonstration will likely help you identify any weaknesses in your current system of communications and help you to decide what elements should be included in a HIPAA texting policy.