Jim Sheldon-Dean has worked in HIPAA, health information privacy, and security regulatory compliance for 23 years. He speaks about HIPAA at conferences, conventions, and private educational sessions. I attended his webinar, which discussed HIPAA, texting, and email.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal statute that prohibits the disclosure of patient health information (PHI) without the patient’s consent or knowledge. HIPAA seeks to prevent healthcare fraud by securing PHI and restricting access to health data. It mandates that all HIPAA-covered entities implement safeguards to secure sensitive personal and health information (Why is HIPAA Important, The HIPAA Journal). HIPAA contains three rules: the privacy rule, the security rule, and the breach notification rule. The privacy rule governs uses and disclosures of PHI. The security rule applies to electronic PHI and requires a risk analysis to identify security risks and plan their mitigation. The breach notification rule mandates that breaches of PHI be reported to the Department of Health and Human Services (HHS) and to the affected individuals.
The HIPAA Breach Notification Rule defines a breach as “an impermissible use or disclosure . . . that compromises the security or privacy of the protected health information.” In the event of a breach, entities must notify the affected individuals and HHS. Privacy breaches have detrimental effects on individuals and organizations alike. Noncompliant organizations incur penalties and fees, suffer reputational harm, and may be subject to lawsuits. The exposure of affected individuals’ names, addresses, credit card information, social security numbers, and medical conditions results in a loss of privacy and the potential for identity theft.
Patients and providers in healthcare are increasingly communicating through email and text messaging. Many patients prefer email or text messaging because it is a quick and convenient way to manage appointments, receive test results, and ask healthcare-related questions. Providers also prefer email and text messaging to access patient information, communicate with hospital staff, and maintain an appointment calendar.
While texting may be convenient in healthcare, it also has many shortcomings. Most importantly, there is an increased risk of violating HIPAA. Email and text messaging are insecure forms of communication that may be accessed or exposed by unknown third parties. Furthermore, there is no straightforward method for physicians to document an email or texting encounter. Finally, the inability to prioritize incoming text messages may result in a crucial test result sitting in the patient’s inbox for more than 24 hours.
To reduce the risk of breach, organizations and providers must remain flexible. Organizations should provide and promote the use of secure communication solutions. Hospitals should educate staff on the dangers associated with plain email and explain what should not be sent through email or text message. There are also secure private email services and secure text messaging applications that can be used to safeguard communications containing PHI. Cortext by Imprivata, TigerText, and DocHalo are some of the secure text messaging and email options physicians can use. Lastly, it is essential for organizations to implement policies and procedures governing the use of email and text messaging. These policies should include a risk analysis, a process for approving and monitoring uses, guidelines for acceptable email and text messaging interactions, and the identification of approved secure services.
Overall, organizations should facilitate and try to comply with patient requests as much as possible. Patients have the right to choose their preferred mode of communication, even if it is an insecure one. However, providers should explain the risks associated with insecure communication methods, obtain the patient’s consent, and notify those with whom the patient communicates of that preference. Having policies in place will enable physicians to document and manage these requests appropriately.
In conclusion, email and text messaging are inherently insecure forms of communication. Even if individuals have a right to use insecure means of communication, they must be informed of the potential for security breaches. Recognizing the inevitability of these communications, healthcare organizations should implement policies addressing email and texting, and ensure these modes of communication are HIPAA compliant.