Monday, March 17, 2014

Secure Text Messaging in a HIPAA World? Part II

In an earlier post, I referred to mobile applications such as TigerText and Doc Halo which are being touted as a method of “HIPAA-compliant” texting. These apps allegedly secure protected health information (PHI) sent via text message to ensure providers’ compliance with HIPAA privacy law. Covered entities must realize, however, that the use of these apps alone is not sufficient to pass a HIPAA audit. While HHS has not banned the texting of patient information, it has made clear that an organization should approve it only after “performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.”

HHS has identified five steps to help organizations manage mobile devices in a health care setting:

  1. Decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or will only be used as part of your organization’s internal networks or systems (e.g., your EHR system);
  2. Consider how mobile devices affect the risks (threats and vulnerabilities) to the health information that your organization holds;
  3. Identify your organization’s mobile device risk management strategy, including privacy and security safeguards;
  4. Develop, document, and implement the organization’s mobile device policies and procedures to safeguard health information; and
  5. Conduct mobile device privacy and security awareness and training for providers and professionals.

Keep in mind that HHS does not require specific technology solutions, but rather allows covered entities to determine what is reasonable and appropriate for their individual organization. The following are only some of the measures that may be used to protect PHI sent via text messaging:

  1. Automatic Logoff;
  2. Encryption/Decryption;
  3. Passcode protection;
  4. Registration of devices; and
  5. Secure disposal of devices.

TigerText, one of the leaders of “secure messaging” in health care environments, is now used in over 3,000 facilities. The company’s website touts that since implementing the use of its app, Carvajal Pharmacy is filling prescriptions 50% more quickly, and Wellcon is seeing 15 more patients per shift. With statistics like these, it is hard to deny the benefits that texting can provide. Still, providers and staff must understand the risks involved and strictly adhere to a set compliance policy. A text can be sent in an instant, but the potential damage associated with the release of information that it contain can last much longer.

Anne-Tyler Morgan
atmorgan@mmlk.com
McBrayer, McGinnis, Leslie & Kirkland, PLLC
Lexington, Kentucky

No comments:

Post a Comment