According to the HIPAA Journal, 81% of physicians use smartphones for professional purposes, but only 38% of healthcare providers have systems in place that ensure secure text messaging.
Doctors, nurses and administrators are generally allowed to use mobile devices in clinics and hospitals, but very few are aware of the security-issues related to mobile technology and how serious the implications can be.
The Inherent Risks of Mobile Devices in Healthcare
So what’s wrong with using a personal or company-provided mobile phone to send electronic Protected Health Information (ePHI) to a patient or another physician?
To begin with, mobile phones aren’t as secure as in-house computers that are in the hospital’s own network. Very few of them are protected with antivirus software and none of them have a firewall.
Secondly, they’re much easier to steal than servers, desktop computers or laptops. Lost or stolen mobile devices account for two thirds of PHI security breaches in the United States. Consequently, there’s plenty of room for sensitive data to be compromised.
Thirdly, in a BYOD environment, it’s easy to disclose data by sharing the device or content without being aware you’re engaging in a data breach. According to recent research, 39% of all data breaches are caused by internal threats.
Additional risks include using an unsecured Wi-Fi network to send data, lack of authentication capabilities, password protection and encryption and the lack of policies which would ensure appropriate levels of security for BYOD phones.
This doesn’t mean that you should prohibit the use of mobile devices for hospital staff and abandon texting completely. Let’s see what HIPAA says about SMS and text messaging apps.Lost or stolen mobile devices account for two thirds of PHI security breaches in the United States. #HIPAA #DataSecurity Click To Tweet
HIPAA Policies and Internal Controls
Most healthcare providers have already developed policies on email management and implemented appropriate technology to prevent data breaches. Also, many of them already archive email to ensure HIPAA compliance.
These initial efforts were shaken when physicians and other healthcare employees started using social media, and soon after, text messages to write prescriptions, communicate results, access patient records, ask for a colleague’s opinion on a case or follow up with patients.
This means that an archiving and data retention strategy that only focuses on email needs to be revised and include new communication channels.In a #BYOD environment, it’s easy to disclose data by sharing the device or content without being aware you’re engaging in a data breach. Click To Tweet
HIPAA and Smartphones
Healthcare providers, covered entities and business associates (companies that help process patient data) are subject to HIPAA ‒ the regulation which governs how medical information is stored, accessed and moved in order to ensure patient data privacy.
Who is considered a BA (Business Associate)? All businesses that process or have access to patient health information, including billing, transcription, record storage and document destruction services. It’s necessary for the covered entities to establish clear Business Associate Agreements with all the BAs, stating the security and privacy requirements regarding the use, handling and disclosure of protected health information.
When medical workers use text messaging to exchange PHI without the necessary safeguards, there’s always a chance of a data breach and most definitely, a case of non-compliance.
Such practices can result in privacy or security violations and have serious legal, financial and reputational consequences for healthcare providers.
Imagine a scenario in which sensitive medical information about a patient is being exchanged between two specialists via mobile phones. If not managed properly, this information might stay on their mobile phones indefinitely, be permanently deleted or viewed by unauthorized persons. All three scenarios would constitute a serious HIPAA violation.
Can you use mobile devices and still be compliant with HIPAA?
According to the US Department of Health and Human Services (HHS), yes.
“Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the ePHI.”
Is texting a patient a HIPAA violation?
Texting a patient can constitute a HIPAA violation if the text message contains protected health information but the patient has not given their consent.
The HIPAA Security Rule states that hospitals and covered entities need to implement technical controls which would ensure confidentiality, integrity and availability of PHI, which are relevant to SMS, text messaging apps and similar forms of electronic communications.
Here’s what these technical control mean in practice:
Confidentiality – it’s important to implement not only access controls (because the devices can be lost or stolen, so unauthorized access is an option), but also password protection, encryption, firewalls and similar technical measures to ensure that the PHI is not stolen, breached or accessed by the wrong individuals.
Integrity – it’s important to be able to verify data integrity and confirm that the data is authentic, that it hasn’t been altered, tampered with, misused or accessed without authorization.
Availability – This refers to the ability to access data for audit controls so that the compliance teams and external regulators can confirm that the PHI is being communicated in a compliant manner.
HIPAA Risk Assessment and Text Message Archiving
Risk assessment is an essential part of any well-designed information governance strategy.
The first step in HIPAA risks assessment would be to conduct comprehensive research into potential threats and pain points, interpret the regulations carefully and educate your workforce.
HIPAA’s Security Rule mandates that there need to be regular audits of your IT infrastructure and systems that you use to ensure data security.
Although HIPAA never specifies which technology you should use, it mandates the existence of security measures to ensure PHI is shared properly, using the channels that are secure and that can be retrieved later.
Before purchasing any technical equipment, make sure you’ve implemented the necessary administrative and physical safeguards.
Appointing a HIPAA compliance officer or security official, designing and implementing an information governance and mobile use policy and preaching it to your staff are important steps to be taken.
Enterprise Information Archiving (EIA) technology can support the covered entities’ HIPAA compliance efforts in several ways.
Most covered entities already use automated technology solutions to capture, store and protect email communication and ensure this important aspect of HIPAA compliance.
Most of these solutions have gotten an upgrade and can now archive much more than email ‒ files, social media content and mobile calls, text messages, MMS and voicemail. But what exactly are the benefits of these compliance solutions?
Your archived content is stored on an archiving appliance that’s completely under your control or in a geo-fenced cloud app with all the security and protection measures. The archived files are the copies of your original messages that are indexed and stored with comprehensive metadata, while being fully searchable and retrievable. All security features like password protection, two-factor authentication, encryption and redaction are available.
This means that employees can delete their emails, mobile messages and call records from their personal devices, and by doing so, prevent inadvertent data breaches. Meanwhile, a valid copy of all communication will still be stored in your archive, ready to be retrieved for compliance, ediscovery or audit purposes.
2. Levels of access
Email, social media and text message archiving solutions have access controls and ensure that only authorized personnel can gain access to sensitive patient information.
3. Audit controls
A major advantage of archiving is audit trail ‒ a software feature that provides admins or compliance officers with a mechanism to record and keep track of who accessed what information.
4. Safety first
When you archive email and text messages, the information is always stored in a tamper-proof format which prevents content altering or improper deletion.
Mobiles can’t be banned from hospitals. What you can do to control their use is to ensure your hospital staff use them in line with your HIPAA policies and acquire a proper technological compliance solution.
Jatheon can help you to securely retain text messages, calls and voicemail for HIPAA compliance. We archive mobile content from most carriers around the world, using both carrier deployment and secure Android or iOS apps, on-premises or in the cloud.