- Healthcare organizations are required to protect patient information
- Clinicians may be using tools that are not HIPAA-compliant for communication
- What is HIPAA-compliant texting?
In an increasingly mobile healthcare environment with bring-your-own-device (BYOD) policies and data sharing across organizations, HIPAA compliance is, without a doubt, a significant concern. And HIPAA-compliant texting is essential in healthcare – especially today.
Under pressure to communicate vital health information quickly, clinicians often revert to texting using their personal mobile devices. While texting is fast and convenient, it may not be HIPAA-compliant and may even expose a patient’s sensitive health information.
So let’s go back to basics and examine HIPAA-compliant texting in healthcare settings. What do we mean by HIPAA-compliant texting? And how can doctors, nurses, and other healthcare providers and staff communicate quickly and securely without violating HIPAA regulations?
Why are Text Messages, SMS, and IMs Not HIPAA-Compliant?
The question of whether or not a text message is HIPAA-compliant texting can depend on several factors. If the text in question does not contain personal identifiers, it can be HIPAA-compliant. But if the texting platform does not adhere to specific technical safeguards for digital transmission, the text message may well be a violation.
Standard “Short Message Service” (SMS) and “Instant Messaging” (IM) text messages often fail to meet HIPAA-compliant texting requirements. Someone sending an SMS or an IM text message has no control over the message after it has been sent. It is not hard to mistakenly send messages to the wrong recipient. The intended recipient can forward text messages to someone else who may not be authorized to view the information. SMS and most IM platforms do not encrypt data, so messages are easily intercepted in transit and viewed. Finally, service providers keep copies of SMS and IM messages on their servers indefinitely, potentially viewable by unauthorized individuals.
So it isn’t difficult to imagine the myriad of ways text messaging can fall outside compliance regulations and put ePHI at risk of exposure. This reality, coupled with the potential for penalties for non-compliance, causes grave concern among healthcare administrators and IT departments.
What Changed with HIPAA & HIPAA-Compliant Texting During COVID-19?
During the COVID-19 national health emergency, the Office for Civil Rights (OCR) temporarily suspended the imposition of specific penalties for non-compliance with HIPAA regulations. In April 2020, the HHS issued notification of enforcement discretion for telehealth remote communications during COVID-19. “Under the notice, covered health care providers may use popular applications that allow for video chats,” according to the OCR. The applications listed in the notice include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype.
Healthcare providers are permitted to use these applications to provide telehealth services during the national health emergency—without the risk that OCR might seek to impose a penalty for non-compliance with HIPAA regulations. However, as an article published on Relias Media, a trusted resource for healthcare information and continuing information, reminds us, even with waivers and relaxed requirements, the OCR still expects HIPAA-compliance and HIPAA-compliant texting.
According to HealthITSecurity, “When healthcare professionals message one another, it most often includes sensitive information. In a healthcare culture that strongly emphasizes care coordination, several physicians may be communicating with one another regarding a specific patient case. Therefore, the messaging platforms on which physicians communicate need to be compliant to patient safety and patient privacy adherent.”
The OCR’s recognition of the need for telemedicine and temporary suspension of specific HIPAA-related penalties underscores the awareness of the heightened demand for alternative provision of service during the global pandemic. But, the OCR expects compliance and, at some future date, will rescind its temporary waivers. The adoption of secure text messaging is growing across the nation as healthcare providers work to improve patient care and, at the same time, equip clinicians with tools to enhance communication and collaboration.
Does Secure Text Messaging Protect ePHI?
Secure text messaging is precisely that, HIPAA-compliant texting capabilities that protect electronic patient health information (aPHI). Standard features of secure text messaging systems for healthcare systems include message statuses: Sent, Delivered, and Read receipts, including timestamps. Clinicians can typically also create separate threads for each patient, reducing the potential for confusion. Advanced features can include using the system’s ADT feed to pull more patient information into the thread and message screening or auto-forwarding functionalities.
As HealthITSecurity writes, “Secure messaging systems are more than just SMS. Healthcare organizations can authenticate a variety of users onto their networks and also enable secure communication across different sizes and types of providers.” According to Ms. Snell, healthcare organizations with access to communications records can identify messages containing electronic protected health information (ePHI) and use audit trails to find clinical workflow issues. By reviewing metrics to gauge the impact of their secure messaging systems, healthcare leaders glean valuable insights. As stated by MedCityNews, “Practice managers and technologists should ensure that any secure communications platform includes an audit trail to monitor who sent what and when, with information encrypted while at rest and in transit.”
And the rapid exchange of vital information through means such as HIPAA-compliant texting have proven to improve overall patient care. In fact, the demand for secure messaging in healthcare continues to build in response to the need for swift and secure communication between care team members. “Secure messaging in healthcare accelerates clinical workflows,” states The HIPAA Journal. “[It] has been shown to help accelerate patient throughput, reduce the potential for medical errors, increase patient satisfaction, improve clinical outcomes, and significantly reduce costs while ensuring compliance with HIPAA.”
A growing number of healthcare organizations are reviewing clinical collaboration and communication tools. Many are moving to more sophisticated clinical collaboration platforms (CCPs) in response to increased demand for streamlined communication and workflows. Maintaining HIPAA-compliant texting, supporting higher-level collaboration between clinicians, providing easy access to all healthcare elements, and reducing alert fatigue are factors in the decision-making process.
How Does HIPAA-Compliant Texting Work Across the Continuum of Care?
Communication technology for care teams is also changing. While an overwhelming number of solutions exist in the marketplace for HIPAA-compliant texting, mobilization of critical alerts, and VoIP calls, these solutions allow certain care team members to communicate and collaborate. But they don’t necessarily extend across the entire continuum of care, limiting a patient care team’s ability to operate with the most accurate and up-to-date critical information. Working without this information can lead to unnecessary and often redundant tests, potentially causing delays in patient care.
Certain clinical collaboration platforms have proven successful in extending secure text messaging to all care team members. For example, for Halo Health customers, utilizing its comprehensive role-based messaging system coupled with its Patient Coordinator functionality ensures that patient care teams are apprised of the latest updates in a patient’s health information. The Patient Coordinator attaches basic patient information directly to each message thread and allows team members to quickly see who else is on the team, their status, and promptly start a team message.
How Can Organizations Address the Need for HIPAA- Compliant Texting?
Vaccinations are in process across the country and throughout the world. Regardless, there is no clear end date in sight for the COVID-19 national health emergency. Healthcare organizations are under enormous pressure to respond to current demand while planning and staffing for the still-likely surges in the virus. The use of telehealth is expected to continue, and even to grow, after the emergency has been lifted.
Under these circumstances, maintaining HIPAA-compliant text messaging is both practical and essential, despite the short-term relaxation of some of the HIPAA regulations governing telehealth practices. One of the most expedient and cost-effective ways to maintain compliance and avoid violations is to deploy a clinical collaboration platform with features and services that support HIPAA-compliant messaging for teams and individuals. A secure, HIPAA-compliant text messaging platform is no longer optional in today’s fast-paced and demanding healthcare settings.