Secure Texting for Physicians
A Solution to a Major Security Issue
Secure texting for physicians is a solution to a major security issue potentially facing many healthcare organizations. Various studies have reported that more than 80 percent of physicians use personal mobile devices to support their workflows – exposing healthcare organizations to liability for a data breach if a communication containing PHI is compromised due to a failure to comply with HIPAA security guidelines.
Furthermore, many personal mobile devices could be infected with malware from an app, an ad or an unprotected Wi-Fi service. The malware could be transmitted onto a healthcare organization's server and create a gateway for a hacker to extract PHI at will. Although the number of data breaches due to the unauthorized disclosure of PHI from a mobile device is more than double that of those due to hacking, the number of records that can be obtained in a single hack can run into the millions.
Assessing the Risk of a Data Breach
A more recent study into mobile device use found that 44 percent of physicians used a personal mobile device to liaise with colleagues about patient healthcare. The 2013 Wolters Kluwer research did not elaborate on whether the communication was conducted by voice, text or email; but, given physicians' preference for email, it is likely that a significant volume of communication was not in compliance with HIPAA.
The issue with email – and SMS messaging – is that it allows unauthorized access to PHI in a number of scenarios:
- Unencrypted emails can be intercepted on open Wi-Fi and 3G networks.
- Copies of emails and SMS messages remain on service providers' servers indefinitely.
- A misdirected email cannot be recalled if sent to the wrong recipient.
- There is no audit trail created when an email is forwarded.
- The content of an email can be modified without the physician's knowledge.
Unfortunately, encryption for emails is not a practical answer. Every recipient of an email would have to have a decryption key that works on their particular operating system, and other requirements within the HIPAA Security Rule may still be unfulfilled – such as the requirement that email accounts log off automatically after a period of inactivity. Many medical professionals also fail to use passwords on their mobile devices – increasing the risk of a data breach if the mobile device is lost or stolen, or left unattended for any length of time.
Replacing Emails with Secure Texting for Physicians
The most practical solution to the issue of HIPAA compliance and mobile device security is secure texting for physicians. Secure texting for physicians works in exactly the same way as Instant Messaging, only with the required mechanisms in place to prevent unauthorized access to PHI. With secure texting for physicians, medical professionals have the same functionality as with emails inasmuch as they can include attachments to liaise with colleagues about patient healthcare and cc in other colleagues if they want to engage in a group discussion.
Secure texting for physicians is conducted via secure messaging apps that can be downloaded onto any desktop computer or mobile device and work across all operating systems. The physician needs to log into the app each time he or she wants to use it, and will be logged off automatically after a period of inactivity. The only two other differences from emailing are that secure messages can be set to auto-delete after a period of time and that the app will only connect the physician to other authorized users in the healthcare organization's network.
Because of the way the network is set up, any software infections or malware that have been installed onto the mobile device will not be transmitted onto the healthcare organization's database – even if the mobile device is integrated with the organization's EMR, as all access to the EMR is restricted to the secure messaging app. Secure texting for physicians thus eliminates the risk of a data breach both through non-compliance with HIPAA and from the risk of hacking.
The Benefits to Physicians of Secure Texting
The primary benefit of secure texting for physicians is that the mechanisms to ensure message accountability substantially reduce phone tag. Phone tag is the time-wasting process of trying to contact another medical professional, leaving them a message and then missing their return call. It is frustrating for everybody involved and costs the healthcare industry billions of dollars each year in lost productivity.
With secure texting for physicians, medical professionals receive a notification that a message is waiting to be read – even when they are not logged into the secure messaging app. Once the app is opened, the sender of the message receives a delivery notification, and a read receipt once the message has been read. All messages are timestamped and archived on a cloud-based platform to ensure that a record of the message remains whether it is deleted by the recipient or auto-deleted once read.
Due to all messages being encrypted and contained within a healthcare organization's network, messages can be sent or received in any location and there is no risk of a misdirected text message being received by a person not authorized to access PHI. This means that physicians can receive PHI on the go – a crucial element of a physician's work if they are an on-call physician, a first response physician or a community physician who may otherwise delay the treatment of a patient while waiting for the patient's notes.
EMR Integration Delivers Further Benefits
The integration of secure texting for physicians with an EMR provides numerous opportunities for additional benefits. With the appropriate authorization, nursing staff and other medical professionals can update patient notes from their smartphones and document patient behavior (a requirement of Meaningful Use Stage II).
EMR alerts can be filtered from a personal mobile device so that physicians can streamline and prioritize their workflows, and test results can be sent directly to the EMR where they can be reviewed by the physician. Physicians can liaise with pharmacists to confirm prescriptions or resolve inaccuracies, monitor the journey of medication and confirm an electronic prescription hand-off (another requirement of Meaningful Use Stage II).
In Meaningful Use Stage III, one of the requirements for an incentive payment is that known members of the patient’s care team must be notified electronically of a significant healthcare event within four hours. Sending the required notifications by SMS or email could potentially result in a data breach. By using the group messaging facility, physicians can complete the requirement quickly and easily, with no risk to the integrity of PHI.
Developing a Texting Policy for Physicians
Although the HIPAA Privacy Rule gives physicians certain exemptions from the conditions that must be in place before texting PHI (for example texting PHI to a patient), it is still necessary for healthcare organizations to develop, implement and enforce a secure texting policy for physicians. The policy should set the guidelines for the “Minimum Necessary Standard”, explain the procedures for communicating PHI by text, and state the sanctions that will be applied if the policy is not adhered to.
The purpose of having a policy is so that every physician refrains from actions that may result in the unauthorized disclosure of PHI, and so that every physician is aware of what to do and who to contact if a breach of PHI accidentally occurs. As was mentioned at the beginning of this article, healthcare organizations may be exposed to a significant financial penalty for a data breach if a communication containing PHI is compromised due to a failure to comply with HIPAA security guidelines.
There is no typical HIPAA texting policy for physicians, as no two healthcare organizations are the same. Each healthcare organization should determine the most appropriate guidelines to ensure compliance, taking into account the characteristics of the organization and its environment. The development and implementation of a policy for secure texting for physicians will reflect the healthcare organization's size, the nature of its business and the vulnerabilities identified in the risk assessment.
Sanctions for Failing to Adhere to a Texting Policy
Naturally, there are times when a texting policy will be forgotten in a moment when a patient's life is in danger or a physician is under significant stress. Consequently, the sanctions for failing to adhere to a texting policy should take into account mitigating circumstances, yet consider appropriate actions for the deliberate unauthorized disclosure of PHI or repeat offenders. Ideally there should be a minimum of three categories of offense:
- Category A offenses – the least serious – would include sharing login codes, modifying PHI without authorization, and texting PHI to a colleague not authorized to access PHI.
- Category B offenses might include the accidental disclosure of PHI, using a colleague's login to send a message or the repeat of a Category A offense.
- Category C offenses would include using or disclosing PHI for commercial advantage, personal gain or malicious harm. Repeat Category B offenders might also be sanctioned under a Category C offense.
The sanctions for failing to adhere to an organization's policy for secure texting for physicians should vary from a reprimand to the termination of employment for more serious offenses. When there are likely to be serious financial consequences for a healthcare organization due to the deliberate actions of a physician, it might also be necessary to start civil or criminal proceedings against the physician.
Speak with TigerText about Secure Texting for Physicians
TigerText is a leading provider of secure texting solutions for the healthcare industry. We design our products to comply with all the regulatory demands of HITECH and HIPAA, to cope with future changes in working practices and advances in technology. With TigerText, secure texting for physicians is quick to establish, easy to implement and simple to understand.
Already more than 5,000 healthcare facilities use TigerText to ensure compliance with HIPAA and to protect PHI from unauthorized disclosure. With secure texting for physicians, TigerText fosters collaboration, reduces costs and increases productivity. The facilities that have implemented TigerText include the Memorial Hospital of Gulfport.
According to MHG's Vice President and Chief Information Officer Gene Thomas: “Prior to using TigerText, our physicians would get a page and were unsure if that page was urgent — they had to make a phone call to find out. In many of these instances, the reason for paging was not urgent, and staff could’ve continued caring for a patient and responded later. With TigerText, we don’t have that issue. We have the information we need instantly. Since deployment, we’ve not only significantly improved our response times and workflow efficiencies, but from a cost savings perspective, we’re saving hundreds of thousands of dollars using TigerText.”
If you would like to know more about secure texting for physicians from TigerText – or about any of the points raised in this article – you are invited to contact us and request a free demonstration of TigerText in action. Our team will be happy to answer any questions you may have about how TigerText might be an effective replacement for unsecure emails in your healthcare environment and how you can achieve cost savings similar to MHG by implementing secure texting for physicians.