HIPAA AND TEXTING
It is not uncommon for providers to use electronic devices such as cell phones and tablets to conduct their day-to-day functions within a healthcare facility or practice. Covered entities must ensure that the safeguards required by the Health Care Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules are in place when mobile devices are used. At the same time, HIPAA neither requires nor prohibits specific modes of communication, such as text messaging.
As with other technologies, such as EMR and Practice Management systems, safeguards must be put in place to ensure the privacy and security of Protected Health Information (PHI) that is communicated via text messaging.
Safeguards must address all the risks that exist when PHI is sent by text message. For example, unencrypted communication, such as mobile device-to-mobile device SMS text messaging, is generally not secure. Moreover, the sender of a text message cannot be assured that the message is received by the recipient. Wireless carriers may also store messages that are sent as text messages. The Department of Health and Human Services (HHS) states that using text messages to communicate can be permitted under HIPAA, depending on the controls that are put in place.
HHS recommends that covered entities follow these five steps when managing mobile devices in healthcare settings:
1. Decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or be used as part of your organization’s internal network or systems, such as an electronic health record system.
Understand the risks to your organization before you decide to allow the use of mobile devices.
2. Consider the risks when using mobile devices to transmit the health information your organization holds.
Conduct a risk analysis to identify threats and vulnerabilities. If you are a solo provider, you may conduct the risk analysis yourself. If you work for a large provider, the organization may conduct it.
3. Identify a mobile device risk management strategy, including privacy and security safeguards.
A risk management strategy will help your organization develop and implement mobile device safeguards to reduce risks identified in the risk analysis, including an evaluation and regular maintenance of the mobile device safeguards you put in place.
4. Develop, document, and implement your organization’s mobile device policies and procedures to safeguard health information.
Some topics to consider when developing mobile device policies and procedures are:
• Mobile device management
• Using your own device
• Restrictions on mobile device use
• Security or configuration settings for mobile devices
5. Conduct mobile device privacy and security awareness and ongoing training for providers and professionals.
For more information on texting and PHI, visit: Five Steps Organizations Can Take To Manage Mobile Devices Used by Healthcare Professionals
At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. As part of our HIPAA Compliance consulting services, we help medical practices perform and document a risk analysis. We provide medical practices with a thorough risk management report describing their risks and vulnerabilities with PHI.
A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.
For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.
At Vitruvian MedPro, a Massachusetts-based medical billing and practice management consulting company, we help medical practices improve cash flow and focus on patient care by providing medical billing, medical coding, and patient collection services. Visit our website at Vitruvian MedPro.