Unencrypted Healthcare Communications Violate HIPAA Rules
Two healthcare professionals have recently discovered that the use of unencrypted healthcare communications violates the HIPAA Rules for Privacy and Security, as such communications do not incorporate the protections that HIPAA requires to safeguard Protected Health Information (PHI).
The latest mobile phone HIPAA violation occurred when a doctor was visiting a nursing home patient, but he did not have the patient’s medical test results with him. To save time and prevent a wasted visit, the physician requested a nurse send him the results via SMS message.
The SMS message was sent, the doctor received the test results, the patient received the medical care needed, and both healthcare professionals violated HIPAA regulations. As convenient as smartphones and mobile phones are, they are not a secure communication channel. Messages sent over unencrypted networks can all too easily be intercepted, and there is no guarantee that the intended recipient of the message will be the person who actually views it.
The HIPAA violation resulted in the nursing facility being issued with an E-class deficiency by the Centers for Medicare & Medicaid Services (CMS). In this case, no harm was caused and the unencrypted text messages did not result in a breach of healthcare information, but this may not always be the case.
As a result of the deficiency, the nursing facility is required to adopt a 10-point Directed Plan of Correction (DPOC) to update policies and procedures to prevent future HIPAA violations. The plan must be put in place immediately and the nursing facility has been given 15 days to bring policies and procedures up to the standard demanded by HIPAA.
The CMS can issue much more severe penalties for violations of patient privacy, although in this case, because no harm appears to have been caused, the nursing facility was only required to implement an action plan. Under this action plan, the nursing facility must appoint a HIPAA compliance officer – there was no dedicated official overseeing the implementation of HIPAA Rules – and new policies must be put in place rapidly. The center is also required to conduct a new round of staff training to make sure that HIPAA Rules are fully understood and that staff are aware of their responsibilities to keep PHI secure and confidential.
It has been stipulated that the training must be conducted by a HIPAA expert, and that a person from outside of the company must be recruited to perform the training. Staff must be advised of the rules covering the disclosure of PHI and all training needs to be provided face to face. The DPOC also requires the facility to implement a plan to deal with security emergencies in accordance with the HIPAA Breach Notification Rule.
The use of unencrypted text messages in healthcare is a serious problem, and one that is growing rapidly. According to a recent study published in Telemedicine and eHealth, mobile phone HIPAA violations are occurring with increasing frequency. The survey was conducted on 97 pediatric medical professionals who were asked about the use of unencrypted healthcare communications at their place of work. Alarmingly, 60% of the survey participants admitted that they had, on at least one occasion, sent an unencrypted SMS message on work matters, while 30% reported having received Protected Health Information via text messages.
Text messages offer healthcare professionals a number of benefits, but unless a secure messaging system is used that encrypts each SMS message, most unencrypted healthcare communications violate HIPAA Rules.