Text Messaging in the Healthcare Environment
Text messaging, often referred to as ‘Texting’ and ‘SMS’, provides doctors and supporting healthcare providers with a rapid and efficient way to communicate. Patient Health Information (PHI) such as location, demographics, and clinical status can be quickly exchanged between providers, leading to quicker decision-making that in turn can often lead to better patient outcomes.
The Final HIPAA Omnibus Rule
The Final HIPAA Omnibus Rule (Final Rule) was released in Mid January 2013 by the Department of Health and Human Services (HHS). The Final Rule was made effective on March 26, 2013 with required compliance by a deadline of September 23, 2013. The HIPAA security rule addresses physical, administrative, and technical safeguards for any Patient Health Information (PHI) that an organization creates, receives, or maintains.
The ‘Final Rule’ and Text Messaging
Short Message Service (SMS) Text Messaging, a popular and growing form of mobile communications, is not an appropriate method for healthcare organizations to share PHI, mainly because the delivery networks lack the appropriate safeguards defined by the HIPAA security rule. For example, text messages are not encrypted while they traverse the wireless network of a carrier.
Text messages remain on a recipient’s mobile device without any disposition policy or physical safeguards. Research carried out by the Center for Democracy and Technology showed that 66 percent of potential patient data security breaches over the past two years were attributable to portable mobile devices being either stolen or lost.
Any healthcare provider or organization that fails to address non-secure communication of patient health information with updated policy or technology may be found in violation of the Final Rule when they are audited. More importantly, texting of PHI substantially increases the real risk of a breach occurring that can lead to massive fines and litigation costs.
Secure Texting as an Immediate Solution
An organization can reduce the risks associated with texting PHI by deploying a secure smartphone HIPAA compliant texting solution. Doing so allows providers to maintain the efficiencies of texting while maintaining HIPAA Compliance. When selecting a vendor, the organization must consider the supplier as a Covered Entity (CE) and have a fully executed Business Associate Agreement (BAA) with that provider. They must also ensure that the platform in consideration has appropriate technical safeguards with respect to the handling of PHI.
Risks of Secure Texting
While secure texting is a good first step, organizations should take the time to consider the implications of deploying a new communications platform. Workflow, provider schedules, care team assignments, and escalation policies when messages are not delivered or read are very important factors. If not properly implemented, secure texting can cause additional workload on providers and increase patient risk.
Beyond Secure Texting in 2014
A hospital or large organization should also consider how outside users such as patients or referring physicians that are not a part of the immediate organization would be able to communicate with internal staff. Most secure texting platforms do not account for this critical communications need.
An ideal vendor will also work with existing infrastructure such as telephone systems and legacy paging networks. The option of archiving patient based communications into the Electronic Health Record (EHR) for ongoing reference and auditability is also important.
Neglecting workflow, outside communications, and integration with existing clinical systems can lead to compromised patient safety as well as lack of user adoption, all of which can negate the value of introducing a secure messaging solution in the first place. Organizations should consider these potential impacts when investigating solutions.