According to the HIPAA Journal, an estimated 80% of physicians use personal smartphones for professional purposes, which means that healthcare providers must have systems in place to ensure secure text messaging.
Doctors, nurses, and administrators are generally allowed to use mobile devices in clinics and hospitals, but very few are aware of the security issues related to mobile technology and how serious the implications can be.
That’s why healthcare providers must be vigilant about ensuring that text messaging practices comply with the Health Insurance Portability and Accountability Act (HIPAA). To help you ensure HIPAA-compliant texting in your institution, this article will discuss the following:
- The risks of using mobile devices in healthcare
- HIPAA texting-related policies
- Using mobile devices in a HIPAA-compliant manner
- The benefits of text message archiving
The Inherent Risks of Mobile Devices in Healthcare
So what’s wrong with using a personal or company-provided mobile phone to send electronic Protected Health Information (ePHI) to a patient or another physician?
- Security vulnerabilities. To begin with, mobile phones aren’t as secure as in-house computers that are in the hospital’s own network. Very few of them are protected by antivirus software, and none of them have a firewall.
- Theft and loss. Mobile devices are much easier to steal than servers, desktop computers, or laptops. Lost or stolen mobile devices account for two-thirds of PHI security breaches in the United States. Consequently, there’s plenty of room for sensitive data to be compromised.
- BYOD challenges. The Bring Your Own Device (BYOD) policy introduced major security and privacy threats. Staff may inadvertently expose sensitive information and cause a data leak by sharing devices or using unsecured networks. According to recent research, 31% of all data breaches are caused by internal threats.
- Unsecured communication channels. Additional risks include using an unsecured Wi-Fi network to send data, lack of authentication capabilities, password protection and encryption, and the lack of policies that would ensure appropriate levels of security for BYOD phones.
This doesn’t mean that you should prohibit the use of mobile devices for hospital staff and abandon texting completely. Let’s see what HIPAA says about SMS and text messaging apps.
So, can you use mobile devices and still be HIPAA compliant?
According to the U.S. Department of Health and Human Services (HHS), yes.
“Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third-party service providers for the device and/or the cloud that will have access to the ePHI.”
HIPAA Compliant Texting Policies and Internal Controls
To reduce the risks associated with texting in healthcare, organizations must implement HIPAA-compliant text messaging practices. This involves adopting secure messaging platforms, establishing clear policies, and ensuring that all communication is appropriately archived.
These initial efforts were shaken when physicians and other healthcare employees started using social media and, soon after, text messages to write prescriptions, communicate results, access patient records, ask for a colleague’s opinion on a case, or follow up with patients.
This means that an archiving and data retention strategy that only focuses on email needs to be revised and include new communication channels.
HIPAA-Compliant Texting Policies
Given the growing reliance on mobile communication, it’s crucial to expand existing policies to include texting and ensure that all messaging complies with HIPAA regulations.
Use of secure messaging apps
Standard SMS is not secure enough for transmitting PHI. Healthcare providers should use HIPAA-compliant text messaging apps that offer features such as end-to-end encryption, message expiration, and user authentication.
Patient consent
Before texting PHI to a patient, healthcare providers must obtain explicit consent. This consent should be documented, and patients should be informed of the potential risks associated with receiving health information via text.
Multi-factor authentication
To add an extra layer of security, organizations should implement multi-factor authentication (MFA) for accessing secure messaging platforms. This helps ensure that only authorized users can send or receive PHI.
Training and awareness
Regular training sessions should be conducted to educate staff about the importance of HIPAA compliance in text messaging. Employees need to understand how to use secure messaging apps properly and recognize potential risks.
Who is considered a BA (Business Associate)?
All businesses that process or have access to patient health information, including billing, transcription, record storage, and document destruction services. In other words, HIPPA applies to or covers health care providers, health plans, and clearinghouses. However, if a covered entity engages a third-party company or individual to perform services or functions involving access to PHI, that third party is considered a Business Associate (BA) under HIPAA.
It’s necessary for the covered entities to establish clear Business Associate Agreements with all the BAs, stating the security and privacy requirements regarding the use, handling, and disclosure of protected health information.
When medical workers use text messaging to exchange PHI without the necessary safeguards, there’s always a chance of a data breach and most definitely, a case of non-compliance.
Such practices can result in privacy or security violations and have serious legal, financial, and reputational consequences for healthcare providers.
Imagine a scenario in which sensitive medical information about a patient is exchanged between two specialists via mobile phone. If not managed properly, this information might stay on their mobile phones indefinitely, be permanently deleted, or be viewed by unauthorized persons. All three scenarios would constitute a serious HIPAA violation.
Get a Full Healthcare Compliance Pack
Essential resources to protect your organization from HIPAA fines and penalties.
HIPAA Risk Assessment and Text Message Archiving
Risk assessment is an essential part of any well-designed information governance strategy.
The first step in HIPAA risk assessment is to conduct comprehensive research into potential threats and pain points, interpret the regulations carefully, and educate your workforce.
HIPAA’s Security Rule mandates that there need to be regular audits of your IT infrastructure and systems that you use to ensure data security.
Although HIPAA never specifies which technology you should use, it mandates the existence of security measures to ensure PHI is shared properly, using the channels that are secure and that can be retrieved later.
Before purchasing any technical equipment, make sure you’ve implemented the necessary administrative and physical safeguards.
Appointing a HIPAA compliance officer or security official, designing and implementing an information governance and mobile use policy and preaching it to your staff are important steps to be taken.
Enterprise Information Archiving (EIA) technology can support the covered entities’ HIPAA compliance efforts in several ways.
Most covered entities already use automated technology solutions to capture, store, and protect electronic communication and ensure this important aspect of HIPAA compliance.
Most of these solutions have been upgraded and can now archive much more than email — files, social media content, mobile calls, text messages, MMS, and voicemail.
But what exactly are the benefits of these compliance solutions?
Security
Your archived content is stored on an archiving appliance completely under your control or in a geo-fenced cloud app with all the security and protection measures. The archived files are the copies of your original messages that are indexed and stored with comprehensive metadata while being fully searchable and retrievable. All security features like password protection, two-factor authentication, encryption, and redaction are available.
This means that employees can delete their emails, text messages, and call records from their personal devices and, by doing so, prevent inadvertent data breaches. Meanwhile, a valid copy of all communication will still be stored in your archive, ready to be retrieved for compliance, ediscovery, or audit purposes.
Levels of access
Email, social media, and text message archiving solutions have access controls and ensure that only authorized personnel can access sensitive patient information.
Audit controls
A major advantage of archiving is the audit trail — a software feature that provides admins or compliance officers with a mechanism to record and keep track of who accessed what information.
Safety first
When you archive email and text messages, the information is always stored in a tamper-proof format, which prevents content altering or improper deletion.
Mobiles can’t be banned from hospitals. What you can do to control their use is to ensure your hospital staff use them in line with your HIPAA policies and acquire a proper technological compliance solution.
Jatheon is a leading provider of HIPAA-compliant archiving solutions that helps healthcare organizations securely capture, store, and manage SMS messages along with other forms of electronic communication. Jatheon’s HIPAA-compliant text message archiving solution is specifically designed for the healthcare sector and BYOD phones, ensuring that all text messages containing PHI are encrypted, securely stored, and easily retrievable for audits, ediscovery, and compliance reporting.
Summary of the Main Points
- HIPAA-compliant texting is essential for protecting patient information when using mobile devices for communication in healthcare settings.
- Standard SMS lacks the necessary security features like encryption, making it unsuitable for transmitting ePHI.
- Healthcare organizations should use HIPAA-compliant text messaging apps that offer encryption, user authentication, and message expiration.
- Proper archiving of text messages is required for legal compliance, with HIPAA mandating the retention of messages containing PHI for at least six years.
- Implementing strong access controls, regular audits, and secure transmission methods ensures that archived messages remain protected and accessible when needed.
- Training staff on HIPAA-compliant texting practices and establishing clear policies for the use of mobile devices help reduce the risk of data breaches.
- Business Associates (BAs) that handle PHI on behalf of covered entities must comply with HIPAA regulations and sign Business Associate Agreements (BAAs) to outline their responsibilities for safeguarding patient data.
FAQ
What are the risks of using standard texting in healthcare?
Standard SMS lacks encryption and other security features, making it vulnerable to interception and unauthorized access. This can lead to breaches of PHI and HIPAA violations.
How long must text messages containing PHI be retained?
HIPAA requires that records containing PHI, including text messages, be retained for six years from the date of creation or the last effective date, whichever is later.
Can personal devices be used for HIPAA-compliant texting?
Yes, personal devices can be used, but they must be managed under a BYOD policy that enforces the use of secure messaging apps and implements security controls like encryption and multi-factor authentication.
Is texting a patient a HIPAA violation?
Texting a patient can be a HIPAA violation if the text contains ePHI and the patient has not provided explicit consent for this form of communication.
Read Next:6-Step HIPAA Audit Checklist for Healthcare Organizations |
