Friday, March 14, 2014

Secure Text Messaging in a HIPAA World?

Texting is becoming an increasingly acceptable form of communication in the business world. But can it be relied upon in the health care industry? There are numerous advantages to texting in the fast-paced world of health care. In an environment where time is of the essence, voicemails and pagers can slow down providers’ care and fail to convey adequate information. A text, on the other hand, is immediate and can be detail-specific. In addition, texting can involve more than one sender and/or receiver in a closed-loop conversation, and, unlike through the paging system, a sender can be notified when the message has been read by the receiver(s). Text messaging can not only improve an entity’s efficiency, but it can also serve as a way to connect easily with patients, thereby improving quality of care.

With every rose, however, there is a thorn. And texting’s thorn is the threat of HIPAA violations when transmitting protected health information (PHI). HIPAA does not expressly prohibit texting to communicate health information, but it does require a system of physical, administrative, and technological safeguards that ensure the privacy and security of PHI communicated through texts. In other words, texting can be an acceptable form of communication between providers (and even providers and their patients), but only if appropriate precautions are taken.

Traditional SMS text messages (the kind sent from one mobile device to another) are generally insecure for numerous reasons:

  • They lack encryption;
  • It is easy to send a text to an unintended recipient (i.e., wrong number);
  • Wireless carriers may retain message and usage data on their servers;
  • Because text messages are sent and received in “plain text”, they may be intercepted and read by third parties; and
  • Phones containing stored messages may be lost or stolen.

Realizing the risks that traditional text messaging presents in the health care setting, some companies have created so-called “HIPAA-compliant,” secure text messaging applications. Doc Halo, TigerText, and Sprint Enterprise Messenger are just a few examples. Promoting these apps as “HIPAA-compliant” is a dangerous assertion because, as noted above, HIPAA compliance is a system of safeguards – not one feature of a particular app or device. If covered entities do approve staff and provider text messaging (whether internally, with patients, or both), the risks must be considered as part of the organization’s HIPAA compliance analysis. Check back for more information on how to evaluate the pros and cons of texting in the health care industry.

Anne-Tyler Morgan
atmorgan@mmlk.com
McBrayer, McGinnis, Leslie & Kirkland, PLLC
Lexington, Kentucky
