MEDICAL INFORMATICS COMMITTEE
HIPAA and texting

May 2017 - Vol. 36, No. 04

This article provides background information regarding the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and secure texting. If you are an employed physician, your obligation is simple: Follow the policy of your employer.

Advanced communication technologies put patient privacy at risk

Farrel J. Buchinsky, MBChB
Joseph W. Rohrer, MD
David M. Jakubowicz, MD
Habib G. Zalzal, MD

Communication technologies have advanced rapidly with the advent of the digital age. Realizing the benefits of communication technology in everyday use (mobile device texting, pictures, videos), the medical community has been driven to advance the quality and accessibility of data in the healthcare setting. However, such advances expose data to new threats to patient privacy that accompany these technologies. Pagers are becoming less common, and texting has become almost ubiquitous. Texting has also changed from exclusively SMS (short message service) to Wi-Fi-based apps with picture and video capabilities. New data has now been rebranded as electronic protected health information (ePHI). The significant cost and burden of HIPAA infractions, combined with the few concrete standards in the legislation, often make it difficult to ascertain what is appropriate and compliant.

HIPAA has been amended most notably with the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and the Omnibus Final Rule in January 2013. These documents are critical in establishing the patient’s right to the privacy of his or her protected information but leave the options for compliance very broad. For example, there is no required or standard encryption, interface, or technology that results in HIPAA compliance. Instead, HIPAA focuses on creating a system of protection, and providing for notification and enforcement of breaches and violations should they occur.

Unfortunately, HIPAA does not set forth a standard for communication, but instead lays out guidelines for establishing a system for protecting and securing the patient’s information. The Privacy Rule requires the minimization of risk for a security breach and that organizations identify where their ePHI is stored, how it is accessed, and who accesses it. Furthermore, the information must be available to the patient on request to elucidate how medical decisions were made. Texting is different from a conversation in the hallway because once a message is created, it exists and could be discovered, found, or stolen by an unauthorized person. It can exist on the device of the message composer, on the device of the recipient, and on the servers of the carrier, possibly in perpetuity. All three locations are points of vulnerability with the potential for a security breach.

Protecting data

Multiple technologies exist to protect data. They include end-to-end encryption, automatic deletion after a specified time, anonymity, user authentication requirements to access messages, and closed network limitations. These technologies are useful, but none constitutes HIPAA compliance. There is no single app to download or service to purchase that is “HIPAA compliant,” since the regulations stipulate that a whole process must be undertaken. There are indeed apps or services that, as part of such a process, would be appropriate to use. Additional layers of security can introduce a lack of clarity and hinder optimal patient care. A message without any ePHI is compliant but can easily lead to a wrong patient intervention or assessment. User biometric authentication may impair the time-sensitive delivery of messages when the user is scrubbed into a case. Automatic message deletion does not allow for an audit trail or documentation.

Other limitations on communication also exist in the modern medical delivery model. A healthcare organization may create a policy that, in effect, establishes a system to secure ePHI and thereby be HIPAA compliant. As an employee, the physician is bound to follow these policies to ensure HIPAA compliance of the organization. Communication with other providers outside a healthcare system puts more onus on the individual to safeguard the ePHI. Risks that need to be considered when sending ePHI include: controlling who can access the message; confirming that the message reached only the intended party; ensuring that the message does not permanently reside on a non-secure server; and ensuring that the recipient’s device, if lost or stolen, does not result in a breach.

The ultimate goal of texting and transmitting ePHI is to provide fast, clear, unambiguous information to improve patient care. It is important to know that texting is not forbidden. Providers and organizations are not obligated to eschew texting; instead, they are expected to think proactively about how to balance the risks and advantages of texting in its various forms. To remain HIPAA compliant, a system needs to be established that shows that the risks and rewards of transmitting ePHI have been taken into consideration.

Changing HIPAA landscape

As a reminder, follow the policy of your organization and be mindful that HIPAA-related clarifications can change at any time. As an example, on Dec. 22, 2016, the Joint Commission (JC) issued a clarification reversing its position on the texting of medical orders. This is contrary to its May 2016 position in which the JC approved the use of secure platforms for texting, as long as specific criteria were met. In collaboration with the Centers for Medicare & Medicaid Services (CMS), the JC has made several new recommendations:

  • All healthcare organizations should have policies prohibiting the use of unsecured text messaging, that is, SMS text messaging from a personal mobile device, for communicating protected health information.
  • The JC and CMS agree that computerized provider order entry (CPOE) should be the preferred method for submitting orders as it allows providers to directly enter orders into the electronic health record (EHR).
  • In the event that a CPOE or written order cannot be submitted, a verbal order is acceptable.
  • The use of secure text orders is not permitted at this time.

The JC and CMS will continue to monitor advancements in technology to determine whether text messaging systems will be a viable option in the future. The JC’s clarification of its position can be found at: https://www.jointcommission.org/assets/1/6/Clarification_Use_of_Secure_Text_Messaging.pdf.

Text messages under HIPAA compliance

HIPAA is technology-neutral in the sense that it does not directly address text messaging, email, or other forms of electronic communications with specific advice. In fact, HIPAA does not specifically require that anything actually be “encrypted.” However, HIPAA does mandate that every organization identify where its ePHI is stored, where and how it is transmitted, and how it is accessed, among other considerations defined in the Privacy Rule to minimize the risk of a security breach.

According to the HIPAA Journal article, “Is Texting in Violation of HIPAA?,” standard SMS and IM text messages, such as Apple’s iMessage, often fail on all these counts, as senders have no control over the final destination of their messages. (Copies of correspondence can be kept and forwarded to unintended recipients, messages can be sent to wrong numbers, and messages can be stored on unsecured provider services indefinitely.) For these reasons, communicating PHI by standard, non-encrypted, non-monitored, and non-controlled SMS or IM is inherently in violation of HIPAA despite no specific requirements within HIPAA law.

Using electronic messaging in the HIPAA-compliant era

If the technology to encrypt text messages does not exist at your organization, then the onus remains on the physician to decide whether to:

  1. continue sending ePHI in text messages and risk exposure
  2. prohibit the sending of ePHI texts, thereby eliminating risk
  3. allow patients to “opt in” to receiving ePHI texts after the risks have been explained, effectively transferring the risk from the organization to the patient.

Unfortunately, due to the lack of explicit rules documenting ePHI use in texting and encryption, following the above does not remove liability in the event ePHI enters the public sphere.

Options for HIPAA-compliant messages

  • Google Allo
  • WhatsApp
  • TigerText
  • HIPAABridge

These services all exist as forms of HIPAA-compliant messaging. However, as mentioned above, whether you can use such services depends on your institution’s technology use agreement. Check first before using any of the above apps.