Texting has become a communication method of choice these days, especially for Millennials and Gen Zers. And for good reason – it’s quick, easy, and businesses can even automate messages. But texting also comes with privacy risks when it comes to the healthcare industry and sharing Protected Health Information (PHI or ePHI).
Below, we answer some of the most common questions about texting patients and the risks associated with it.
What is PHI?
Protected Health Information (PHI or ePHI) is defined as “any information about health status, provision of health care, or payment for health care that can be linked to a specific individual,” and consists of 18 different “identifiers” which could connect specific details to a patient (such as photographs of the patient, their social security number, or their telephone number). The Privacy and Security Regulations within HIPAA apply to medical professionals, health insurance providers, health insurance clearing houses (including fund administrators and managers), and any subcontractor who has access to protected health information (regardless of whether it is stored electronically or not).
What are the risk issues associated with texting PHI?
Due to changing work practices and technological advances, the majority of healthcare professionals now access PHI or communicate patient data via their mobile devices. Text messages may remain on mobile devices for an indefinite amount of time, and without proper precautions, may be exposed to unauthorized access. According to HHS.gov, 74% of data breaches in the health industry were due to external threats related to a lack of HIPAA compliant encryption. Hacking is now the greatest threat to the privacy and security of PHI in the healthcare sector.
What are the fines for unsecured text messaging of PHI?
- Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, even had a reasonable amount of care been taken to abide by HIPAA Rules. Minimum fine of $100 per violation, up to $50,000.
- Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care, yet which falls short of willful neglect of HIPAA Rules. Minimum fine of $1,000 per violation, up to $50,000.
- Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation. Minimum fine of $10,000 per violation, up to $50,000.
- Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days. Minimum fine of $50,000 per violation.
For more information on HIPAA breach fines, please visit: HIPAAJournal.com
What are some other consequences of a HIPAA breach?
The U.S. Department of Health and Human Services Office for Civil Rights lists the breach on its “Cases Currently Under Investigation” and gives a general description of the violation. (Find the full list here.) The OCR also conducts HIPAA audits.
When does a HIPAA Breach need to be reported?
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media, of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following discovery of a breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate. For more information, please visit the U.S. Department of Health and Human Services website.
Why is SMS Texting not HIPAA Compliant?
In order for a text message to be HIPAA compliant, both the sender and the recipient should be authorized users of a secure messaging system that enables them to access and transmit ePHI as required. On a secure messaging platform, all messages are encrypted in transit and at rest, so they do not carry the security risks of standard carrier messaging (SMS), which is sent and stored unencrypted. The secure messaging system must be capable of removing users and remotely deleting messages sent within the application, in case a personal mobile device is lost, replaced, or stolen. The application must also provide system administrators with the ability to gather audit logs, in keeping with best-practice policy for HIPAA compliance and texting.
Do both the sender and receiver need to be on a secure platform?
Yes, both the sender and recipient should be authorized users of the secure messaging system. Also, in addition to employers, health insurance providers, health insurance clearinghouses, and medical professionals, the rules for text messages and HIPAA compliance now apply to associates, subcontractors, or any third-party service provider who has access to PHI. This means that if an insurance provider wants details of the treatment a patient has received in the hospital, it must also be an authorized user on a secure messaging system to retrieve that information.
The changes to the HIPAA regulations for SMS messaging also extended who must comply with the mandated best practices. In addition to medical professionals, health insurance providers (including employers), and health insurance clearinghouses (including fund managers), any subcontractor, “associate,” or third-party service provider who has access to PHI is now also subject to the HIPAA regulations for texting.
Does the Centers for Medicare &amp; Medicaid Services (CMS) allow texting?
CMS has issued a clarification on texting by medical providers regarding patient care. In unequivocal terms, CMS has declared that providers:
- MAY NOT text patient orders. Texting of orders would be considered out of compliance with requirements of a medical record.
- MAY communicate other patient information using a secure text messaging platform on their smart devices. (SMS text messaging is not considered secure.)
- Should continue to utilize computerized physician order entry (CPOE) or written orders.
For more information on the CMS texting clarification, please read the CMS memo here.
Support for Conventus Members
As always, Conventus members can also call the Practice Resource Department at (877) 444-0484, ext. 7466 to speak with a member of our team for assistance with understanding or questions regarding your requirements under these regulations.