Every doctor since 2003 has needed to maintain a strict adherence to HIPAA guidelines. But that can sometimes come at a high risk for patients in need of urgent medical care whose doctor needs to relay important information to another doctor. Texting seems like a fast alternative to phone calls, emails, and face-to-face meetings, especially in urgent situations. But how does texting fit within the boundaries set by HIPAA for doctor-to-doctor correspondence?
Benefits of texting
According to Dr. Andrew A. Brooks, M.D., "a study conducted by the Robert Wood Johnson Foundation found that nurses waste as much as 60 minutes of each work day tracking down physicians for a response." Think of how much faster it would be for a nurse to simply send a quick text to a doctor instead of physically tracking down the doctor to ask what is most likely a simple question with a simple response. There's no doubt that among all the available technology out there, texting is currently the fastest method of communication. Using text messages could improve patient care and reduce costs, but what does it cost patients when it comes to their privacy?
Unfortunately, although generally secure, text messages can still easily end up in the wrong hands, making texting a uniquely complicated topic in the world of healthcare. Because mistakes are easily made when it comes to sending and receiving texts, the Joint Commission has prohibited any texts that include ePHI or that discuss the movement of a patient from one facility to another. The costs for ignoring these limitations are steep: a provider will be fined up to $50,000 for one incident involving an unsecure connection, and repeated violations can cost up to $1.5 million in a single calendar year.
An alternative to SMS
Both of the above points suggest that SMS texting is incredibly efficient, which can be dangerous if and when a provider accidentally sends a text that includes ePHI to the wrong number. However, the Joint Commission recognizes the validity of texting in certain instances, provided the healthcare provider has controls in place to ensure the utmost security for the messages. As Dr. Brooks states, instead of dismissing text messaging altogether, the Joint Commission "established Administrative Simplification Provisions (AS) that serve as guidelines for developing secure communication systems." In order to be HIPAA-compliant, the AS must pay strict attention to these 4 areas:
- Secure data center: The server must be physically secured in order for a healthcare provider to be able to use SMS messaging.
- Encryption: Text messages must be encrypted in transit and while at rest to minimize security risks.
- Recipient authentication: The texting solution must be able to verify for the sender that the recipient is correct and when the recipient received the text. Any text that includes ePHI can only be delivered to its intended recipient.
- Audit controls: A compliant messaging system will be able to create audit reports that detail messaging activity involving ePHI.
A standard messaging system will not meet the above requirements, so in order for a healthcare provider to use text messaging, they will need to seek out a secure text messaging solution. If your office does not currently have a secure text messaging solution that meets the requirements set by the Joint Commission, then you need to make sure nobody in your office is sending texts that include ePHI. For more details on how to keep your office HIPAA compliant, contact us today.