As the possibilities for electronic communication continue to expand with great speed, use of the technology by hospital employees and physicians without adequate security can expose your facility to HIPAA violations. The increasing use of cell phones and texting as an alternative to voice conversations or e-mail presents real risks for security failures leading to HIPAA violations.
Use of text messaging to physicians on the rise
Some hospital systems now use e-mails instead of the pager method previously used to notify physicians to contact the hospital about a patient. The e-mails are entered by the hospital employee, converted into a text message and sent to the physician's cellular phone. Physicians frequently request that more patient data be included in the message, such as the patient's name and room number, so the physician can look up the chart prior to returning the call. This system is frequently not encrypted, however, because of the extra expense to the hospital. Some hospital employees may even send text messages directly from their personal cell phone to the physician's personal cell phone to ask for medication orders, instructions, clarification of orders and the like.
Potential HIPAA violations
In both scenarios described above, hospital security systems are not used since the messages go to and/or from personal cell phones. Unless the text messages are protected by the hospital's security system, both practices would be in violation of the HIPAA rules and can have additional consequences in other areas. Clearly, both practices include protected health information under HIPAA, since patients' names are used, rather than a chart number or other non-personal identifying method. Although the use of the PHI without an authorization is permitted under the Privacy Rule of HIPAA for treatment, payment or operations, the use must also meet the Security Standards of HIPAA.
The Security Standards require Covered Entities to (1) ensure the confidentiality, integrity and availability of the information; (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information; and (3) protect against unauthorized uses or disclosures of the information. The Technical Standards specifically require a covered entity to address transmission security by implementing technical security measures to guard against unauthorized access to PHI that is being transmitted over an electronic communications network. The Security Standards add that the specifications for implementing transmission security include both integrity controls and encryption.
The National Institute of Standards and Technology, in "Guidelines for Cell Phone and PDA Security," has stated that special risks apply to mobile devices, which include cell phones. The risk level is deemed high for loss, theft, or disposal and for unauthorized access. NIST notes that most cell phone users seldom employ the security mechanisms built into a device, or apply settings that can be easily determined or bypassed. HHS cites data storage and transmission as potential risk areas. Text messaging appears to be particularly vulnerable: unlike a voice conversation, text messages are not automatically encrypted when they go from cell phone to cell phone, and the messages may be stored either in a smartphone's internal storage or on the SIM card in the cell phone.
Even if the risk of accessing the information in transit may not be considered high by the physicians (or the hospital), there is a high risk of unauthorized access, loss or theft of the cell phone with the information inside. Therefore, there is a considerable risk that transmission of PHI in this manner would be considered unsecured in an audit by the Office for Civil Rights, which is responsible for HIPAA enforcement actions. In the second scenario described above, which involves not only texting the patient's name but also orders from a physician to a hospital employee, additional non-HIPAA problems will occur. As with a telephone or verbal order, the substance of the communication between the nurse and physician must be documented in the patient's chart and noted as a text message. If a malpractice case involves that order, the plaintiff's lawyer could get access to both parties' cell phones through the e-discovery rules.
In summary, even though the convenience of texting is appealing to hospital employees and physicians, texting in both situations is not advisable without additional encryption applications. This should be made clear in hospital policies and education sessions, and encryption software or applications should be applied to cell phones where possible.