by Gracie Awalt, Marketing Assistant
Studies show “four-out-of-five physicians and three-out-of-four nurses use a personal Smartphone to support their workloads.” 1 With this in mind, it is imperative that physicians learn how to send text messages to patients and colleagues without violating the Health Insurance Portability and Accountability Act (HIPAA).
What is the HIPAA Security Rule?
When HIPAA was enacted in 1996, it required Health and Human Services (HHS) to publish standards to ensure the secure exchange of electronic protected health information (ePHI). 2
“Protected health information” refers to any individually identifiable information relating to the past, present, or future health status of an individual, and includes personal identifiers such as names, phone numbers, email addresses, vehicle identifiers, and photographic images.3
In February 2003, these standards were published within the Security Rule. The Rule specifies administrative, technical, and physical security procedures to assure the confidentiality, integrity, and availability of ePHI.2
At that time, HHS could not have predicted the impact of the release of the first Smartphone in 2007.
“HIPAA was written originally in 1996, and there have been some revisions along the way, but the word ‘texting’ does not appear in the HIPAA law anywhere,” says Cathy Bryant, Manager of Cyber Consulting Services at TMLT. “The last major revision to HIPAA was 2013, and it did not address any of the Security Rule.”
Bryant says that even before Smartphones were introduced, HIPAA was not keeping up with the rate of technological advances. She is unsure when an updated revision to HIPAA will address secure texting practices directly.
A goal of the Security Rule is to protect the privacy of individuals’ health information, while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.2
According to the Security Rule, covered entities must:
- “Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.”2, 4
Physical and technical safeguards
The HIPAA Security Rule includes the following requirements.2
- Device security — a covered entity must have policies and procedures controlling the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of e-PHI.
- Access control — a covered entity must have technical policies and procedures that allow only authorized persons to access e-PHI.
- Audit controls — a covered entity must have hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity controls — a covered entity must have policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission security— a covered entity must have technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.2
Common misconceptions
The HHS’ Office for Civil Rights (OCR) found incidents of unauthorized access and disclosure of PHI to be the second main cause of security breaches in 2018.5
Brian Dittmar, senior claims manager for TMLT, has worked in the Claims Department for 26 years handling claims for TMLT policyholders. He says texting is like any other form of communication with a patient, and physicians should preserve all communications in a patient’s chart.
“If a lawsuit is filed against the doctor, there will be a request for discovery, requiring that the doctor produce all communications with the patient, which includes text messages,” Dittmar says.
He says some doctors hold the misconception that texting is a form of informal communication, meaning it does not need to go on the patient’s record.
“It does,” Dittmar says. “Any patient communication needs to go in the patient record. I think that’s the biggest challenge for some doctors.”
Cathy Bryant answers HIPAA and medical privacy questions from TMLT policyholders. She says there are several other misconceptions about texting.
Many physicians assume texting with their Smartphones is secure, but that is not always true. Often, physicians argue that it is okay to text other physicians and patients with iPhones because Apple encrypts all phone information. Bryant says that although this is true, not all Android phones enable encryption automatically when manufacturing the phones, adding a level of uncertainty when texting sensitive information to others.
“It's just better to go with secure apps,” Bryant says. “It’s the best way. You know they are secure, plus if there were ever a breach caused by that third-party app, your business associate agreement is going to protect you. They're going to have some responsibility, since they’re the app developer.”
When messages are deleted from a phone, the messages are still stored with the phone provider. Bryant also says physicians underestimate which information, besides name and date of birth, qualify as HIPAA identifiers, and this information is commonly communicated over text.
Bryant suggests that physicians encrypt their phones regardless of the circumstances.
Although texting becomes complicated within the context of HIPAA, there are some situations where texting is necessary. Bryant described a physician who primarily treated deaf or hearing-impaired patients and found these patients preferred to communicate over text.
“We actually found a secure app that let him use their platform to communicate with his patients, even though that's not what it was designed for, because he had a very small practice,” Bryant said. “I thought it was impressive that he had a specific need, and they responded to it.”
The secure solution
Using a secure messaging app ensures compliance with HIPAA. There are many privately-created, HIPAA-compliant apps to choose from. Before selecting one, check to make sure it does the following.
- Separates personal texting from health care texting.
- Requires strong authentication and authorization to access messages. Access to messages should be password protected.
- Encrypts all data on a device, including messages in transit across a network, in case the phone is lost or stolen, or messages are accessed by a third party.
- Blocks message previews from displaying with screen notifications. Instead, only display the sender and require authentication to see the message content.
- Provides an encrypted archiving service for messages sent within the secure network.
- Contains automatic auditing capabilities to track the use of hardware, software, and procedures for ePHI sharing.
- Enables encrypted photo sharing without adding photos to the device’s camera roll.
- Does not allow the user to copy and paste content from the secure messaging app.
- Allows administrators to remotely disable the device and implement a time-out period if the device is unused for a certain period of time.6
Bryant says some electronic health record vendors have created secure apps for physicians to use. These apps automatically enter texts into the patient’s health record, but Bryant says physicians need to ensure the vendor signs a business associate agreement.
Resources
- HIPAA Encryption for iPhones and Android Phones. HIPAA Journal. Available at https://www.hipaajournal.com/hipaa-encryption-iphones-android-phones/. Accessed November 5, 2019.
- Summary of the HIPAA Security Rule. U.S. Department of Health & Human Services. Last reviewed July 26, 2013. Available at https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html. Accessed November 5, 2019.
- According to the above source (2), the Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized individuals. “Integrity” means that e-PHI is not altered or destroyed in an unauthorized way, and “availability” means e-PHI is accessible and usable by authorized individuals.
- What is Considered Protected Health Information Under HIPAA? HIPAA Journal. April 2, 2018. Available at https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/. Accessed November 5, 2019.
- Healthcare Data Breach Statistics. HIPAA Journal. Available at https://www.hipaajournal.com/healthcare-data-breach-statistics/. Accessed November 5, 2019.
- HIPAA-compliant texting & messaging. Imprivata website. Available at https://www.imprivata.com/hipaa-compliant-messaging?chnl=PPC&gclid=EAIaIQobChMIoOP93r2e5QIVF6SzCh0-LgoSEAAYBCAAEgLz5PD_BwE. Accessed November 5, 2019.
Gracie Awalt can be reached at gracie-awalt@tmlt.org.