HIPAA Text Messaging Rules
HIPAA Compliance Regulations: Texting & Secure Messaging
Clear clinical communication is what keeps patients safe from medical mistakes; however, the advent of texting created some new problems for the healthcare industry. Text messaging is an easy way to reach physicians and nurses without having to know where they are or what they are doing – they can always be reached even if they are with a patient. But basic texting is not encrypted, which leaves patient Protected Health Information (PHI) exposed – and clinicians outside HIPAA compliance regulations.
To get around this, many clinicians would send “coded” messages to one another – “Patient in 300 needs pain meds,” or “Mrs. J needs to see a cardiologist.” However, with the number of patients being cared for by clinicians, so-called “coded” messaging often creates more confusion – leading to mistakes.
In 2011, The Joint Commission determined that it was unacceptable to send text messages regarding patient care due to concerns about patient privacy. However, in 2016 they agreed that texting patient information was acceptable if it was done via secure messaging systems. Through secure messaging applications that follow HIPAA compliance rules, clinicians are now able to text each other using actual names and clear patient identifiers.
What can health systems do to make sure texting is in compliance with HIPAA rules?
Devices & Security
It’s not just the increase in cyberattacks and ransomware that health systems must manage. Due to the sensitive nature of patient PHI, IT departments are responsible for various types of security on devices, including multi-layer user authentication and authorization, and sometimes even biometric authentication, to ensure patient PHI remains safe.
New devices, from cellphones and tablets to laptops and PCs, come out every year. Health systems are faced with staff who use a wide range of operating systems capable of handling tasks of varying levels – and those devices come with different vulnerabilities. Providers most often use their own devices (under a BYOD – bring your own device – policy), while clinicians and health system support staff are supplied health system devices. This requires that the IT department manage both internal and external devices.
Clear security expectations regarding password structure and length, lock settings, and mobile device management must be relayed to clinicians using smart devices. If a device is misplaced or stolen, the IT department will need to wipe the data from the phone to ensure no patient PHI is revealed. However, using a secure messaging system that keeps all patient information within the app itself makes it easier to manage, and would not require removing all data from the device – particularly important for providers using their own devices.
Health systems should subscribe to the security bulletins for their device manufacturer as well as for the operating system specifically, so the security team is alerted when an exploit does surface. Patches can be quickly downloaded, or the problem can be blocked before it infiltrates the health system. IT departments must be vigilant about device updates for both health system and BYOD devices.
Health systems must also set parameters around which apps are safe to download by users and which are not. By providing clinicians with mobile devices and text messaging apps that are within HIPAA compliance, IT departments can stay ahead of security issues.
Security of the Cloud
The benefits of cloud computing, particularly for HIPAA compliant secure messaging, are many. Cloud computing makes it far easier to archive and access patient records and medical images. The cloud makes it easier for healthcare providers to collaborate and deliver care. It also saves money by minimizing the need for in-house infrastructure and IT support.
Benefits aside, many healthcare organizations still have trepidation over moving to the cloud due to concerns about uptime and security. In the early days, as the cloud was evolving, some of those concerns may have been valid. Today, cloud-based solutions are, by and large, more secure than locally deployed solutions. Large financial institutions, huge retailers and even the federal government are using cloud services.
Cloud providers, like Amazon Web Services (AWS), guarantee that customer data is encrypted, backed up and easily recoverable, and secured with strict access controls. In fact, cloud-based applications and services are subject to far more scrutiny and operational process rigor than most on-prem solutions. Many cloud providers offer healthcare-specific services that meet HIPAA compliance and HITECH regulations. Security vulnerability scanning and 24/7 monitoring for unwanted network access are now standard offerings of cloud providers, making text messaging apps even more secure.
Don’t Forget Call Centers
Many health systems overlook call centers when implementing secure messaging. Instead, the focus is on nurses, physicians and other clinical staff. But call centers, whether on premise or through an after-hours service, are often the heart of communication with clinical staff, especially when passing important patient information to physicians.
Call center policies will normally state that patient information cannot be sent via unsecured platforms, but it is widely known that this is still happening. Employees at health systems want to be efficient and expedite patient care, so they often work around these policies by texting – which is outside of HIPAA compliance unless they are using a secure messaging platform.
Traditionally, call centers receive a call from a physician, nurse, patient, or family member. Operators would then contact the doctor or intended recipient via direct phone call, which is HIPAA-compliant, or through a page. A page would simply read something like, “You have a message, please contact the call center.” However, many operators send patient names, conditions and questions through the page (or unsecured texting) in an effort to provide information in real time.
Why aren’t pagers HIPAA-compliant? Paging messages are sent over specific radio frequencies, which can be easily intercepted and hacked. Because pagers were designed before the emergence of cybersecurity, they were not set up to require encryption or authentication of any sort. As use of pagers begins to decrease in favor of smart devices – particularly with smartphones used by providers – texting has become the preferred way to communicate. But unless call centers are using secure messaging to reach providers, they are not in HIPAA compliance.
Is texting in compliance with HIPAA rules? Yes – with the right secure messaging app! Technology has evolved beyond simple texting to secure messaging that is encrypted for HIPAA compliance. This enables secure messaging to address one of the most fundamental needs in healthcare: accurate, real-time communication that improves patient care.