By: Alaap Shah and Ali Lakhani
“Hey Doc, just shoot me a text . . .”
The business case supporting text messaging in a health care environment is compelling – it is mobile, fast, direct, and increases dialogue between physicians and patients as well as streamlines the often inefficient page/callback paradigm that stalls workflows and efficiency in the supply chain of healthcare delivery. As a growing percentage of the 171 billion monthly text messages in the U.S. are sent by healthcare providers, often containing electronic protected health information (ePHI), providers are potentially exposing themselves to regulatory liabilities arising under the Health Information Portability and Accountability Act (HIPAA).
Currently, there is a great deal of uncertainty around whether “HIPAA-compliant” texting of ePHI can be accomplished. Even greater confusion exists around whether certain texting platforms themselves can be “HIPAA-compliant”. Before you start to send ePHI via text message, there are a number of issues to consider.
“Texting”, in the colloquial sense, has become an umbrella term for the entire category of mobile, asynchronous, instant communication between two or more parties. The first category of texting is what most people use today. This category is the traditional, wireless carrier-based text messaging, known as Short Message Service (SMS) text messaging. Here, users exchange messages between mobile devices over a cellular network. Most cellphones and smartphones in the U.S. market have an SMS text message capability, and it is a relativity simple push technology that can be used by people who are not tech-savvy. These benefits of SMS illustrate the broad reach of this technology.
The second category of texting is application-based instant messaging whereby users exchange messages over the internet between web-enabled devices. In essence, users download stand-alone applications to their mobile devices, create accounts with unique login credentials, and then send and receive text messages between accounts using the application interface. In light of challenges posed by HIPAA, many companies have developed application-based texting platforms, which are now branded as “HIPAA-compliant”. A number of these texting platforms allow for encryption of messages as well as secure login at the application level. However, the reach of these texting applications is somewhat narrower than traditional SMS text messaging for a few reasons. First, these texting applications typically run on smartphones, but are not universally available on ordinary cellphones. Second, use of the applications may be limited if the user is not tech-savvy. Nonetheless, these application-based texting platforms provide powerful tools to share ePHI.
Before you choose to use SMS text messaging or even a “HIPAA-compliant” application-based texting platform to send or receive ePHI, proceed with caution. First, note that no particular “texting” platform can be, in and of itself, “HIPAA-compliant.” Second, text messaging presents a litany of privacy and security challenges which must be addressed before texting ePHI.
The Trouble with SMS Texting . . .
By virtue of how it is generated, transmitted, stored, and viewed, traditional SMS texting presents several obstacles to HIPAA compliance. Some of the key obstacles include the following and are explained below:
- SMS text messages are transmitted in clear text;
- SMS text messages are not encrypted;
- Senders cannot authenticate recipients;
- Recipients cannot authenticate senders; and
- ePHI can remain stored on wireless carrier servers.
Of particular note, SMS text messages are currently not secured through encryption. This potentially allows unauthorized third parties to get access to and view the content of SMS text messages associated with certain individually-identifiable information.
It is also difficult to know who generated a text message or even whether it is ending up in the right place. Recognizing some of these authentication issues prompted the Joint Commission to explicitly restrict text messaging. Indeed, the Joint Commission stated that it is unacceptable for “physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting[s].” This, however, does not amount to a complete ban on text messaging of ePHI, and leaves open the possibility of other appropriate ways to utilize texting to share ePHI.
Finally, ePHI sent via SMS text message can end up being stored in places outside the control of the sender or the recipient. This can create an unmanageable risk in the context of data breach. For example, SMS text messages reside on telecommunications servers for some time before and after being transmitted to a recipient’s phone. As such, a breach of the telecom servers could allow unauthorized individuals to access or view the ePHI.
These risks render SMS text messaging a difficult avenue for the transmission of ePHI.
Despite these obstacles, is there a way to leverage text messaging while complying with HIPAA?
First and foremost, HIPAA does not explicitly prohibit the use of SMS text messaging to transmit ePHI. Rather, the HIPAA Security rule requires Covered Entities and Business Associates acting on their behalf to implement administrative, physical and technical safeguards if engaged in the transmission or storage of ePHI. While HIPAA does not prescribe specific safeguards to use to protect ePHI sent via text message, it does provide a framework to assess and mitigate risks associated with such transmissions. For example, key technical safeguards included within the HIPAA Security Rule that should be considered before texting ePHI include the following controls:
- Unique User Identification;
- Automatic Logoff;
- Integrity Management;
- Authentication; and
- Transmissions Security.
Further, to comply with HIPAA, those who want to send ePHI via text must conduct a risk analysis. A risk analysis consists of “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” Thus, prior to employing SMS or application-based texting, the risks associated with either should be addressed.
In short, HIPAA compliance is achieved by implementing reasonable and appropriate safeguards and conducting a risk analysis on a periodic basis.
Text messaging continues to offer a simple, attractive, and cost effective way to communicate ePHI. As a result, text messaging solutions will continue to enter the market place. Yet, text messaging solutions carry a great deal of risk stemming from various threats and vulnerabilities. Before utilizing text messaging, these risks must be evaluated and effectively managed to ensure compliance with HIPAA and avoid the potential for unauthorized use or disclosure as well as data breach.
Follow Alaap Shah on Twitter: @HealthITLawyers