Back to Basics: HIPAA-Compliant Texting

Today's clinicians operate in an increasingly mobile healthcare environment. Under pressure to communicate vital health information quickly, providers often revert to texting using their personal mobile devices—whether or not there's a bring-your-own-device policy. Texting is fast and convenient, but it may not be HIPAA-compliant and could even expose a patient’s sensitive health information. 

How secure and compliant are your providers' communications?

To answer that question, let’s go back to basics and examine HIPAA-compliant texting in healthcare settings. What do we mean by HIPAA-compliant texting? And how can physicians, nurses, and other healthcare providers and staff communicate quickly and securely without violating HIPAA regulations? 

Are text messages HIPAA-compliant? 

The question of whether or not a text message is HIPAA-compliant depends on several factors. If the text in question doesn't contain personal identifiers, it might be HIPAA-compliant. But if the texting platform does not adhere to specific technical safeguards for digital transmission, the text message may be a violation of the federal law.  

Standard “short message service” (SMS) and “instant messaging” (IM) text messages often fail to meet HIPAA-compliant texting requirements as well. Someone sending an SMS or an IM text message has no control over the message after it has been sent. Consider just a few of the negatives of allowing providers to use tools that are not HIPAA-compliant for clinical communication:

  • It's not hard to mistakenly send messages to the wrong recipient.
  • The intended recipient could forward text messages to someone else who isn't authorized to view the information.
  • SMS and most IM platforms don't encrypt data, so messages are easily intercepted in transit and viewed.
  • Service providers keep copies of SMS and IM messages on their servers indefinitely, potentially viewable by unauthorized individuals. 

Based on these examples alone, it's not difficult to imagine the many ways text messaging can fall short of compliance regulations and put electronic protected health information (ePHI) at risk of exposure. This reality, coupled with the potential for monetary penalties for non-compliance, causes grave concern among healthcare administrators and IT departments. 

Did HIPAA texting rules change during COVID-19? 

During the COVID-19 national health emergency, the Office for Civil Rights (OCR) has temporarily suspended the imposition of specific penalties for non-compliance with HIPAA regulations. In April 2020, the HHS issued notification of enforcement discretion for telehealth remote communications during COVID-19. “Under the notice, covered health care providers may use popular applications that allow for video chats,” according to the OCR. The applications listed in the notice include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype. 

Healthcare providers are permitted to use these applications to provide telehealth services during the national health emergency—without the risk that OCR might seek to impose a penalty for non-compliance with HIPAA regulations. However, as an article published on Relias Media pointed out, even with waivers and relaxed requirements in place, the OCR still expects healthcare organizations to maintain stringent protocols for HIPAA-compliant texting and at some point will rescind its temporary waivers.  

According to HealthITSecurity, “When healthcare professionals message one another, it most often includes sensitive information. In a healthcare culture that strongly emphasizes care coordination, several physicians may be communicating with one another regarding a specific patient case. Therefore, the messaging platforms on which physicians communicate need to be compliant to patient safety and patient privacy adherent.” 

The OCR’s recognition of the need for telemedicine and temporary suspension of specific HIPAA-related penalties underscores the awareness of the heightened demand for alternative provision of service during the global pandemic. The adoption of secure text messaging is growing nationwide as healthcare organizations work to improve patient care and, simultaneously, equip clinicians with tools to enhance communication and collaboration. 

Does secure text messaging guard ePHI? 

"Secure" text messaging is precisely that: HIPAA-compliant texting capabilities that guard ePHI. Standard features of secure text messaging systems that symplr recommends healthcare systems look for include:

  • Message status notifications such as Sent, Delivered, and Read receipts, including timestamps
  • The ability for clinicians to create separate threads for each patient, reducing the potential for confusion
  • Features for marking a message "urgent" and customized sounds to indicate an immediate response needed
  • Automatic reminder notifications sent to recipients for unopened messages after specified times
  • The ability to attach high-resolution photos, videos, voice memos and documents

Advanced features should include use of the system’s admit, discharge, transfer feed (ADT messages, typically initiated by the EHR) or a registration application feed to pull more patient data into the thread.

As an article on HealthITSecurity noted, “Secure messaging systems are more than just SMS. Healthcare organizations can authenticate a variety of users onto their networks and also enable secure communication across different sizes and types of providers.” The article further pointed out that healthcare organizations with access to communications records can identify messages containing ePHI and use audit trails to find clinical workflow issues. By reviewing metrics to gauge the impact of their secure messaging systems, healthcare leaders glean valuable insights. And according to a MedCityNews article, “Practice managers and technologists should ensure that any secure communications platform includes an audit trail to monitor who sent what and when, with information encrypted while at rest and in transit.” 

The rapid exchange of vital information through means such as HIPAA-compliant texting has proven to improve overall patient care. In fact, the demand for secure messaging in healthcare continues to build in response to the need for swift and secure communication between care team members.

“Secure messaging in healthcare accelerates clinical workflows,” according to The HIPAA Journal. “[It] has been shown to help accelerate patient throughput, reduce the potential for medical errors, increase patient satisfaction, improve clinical outcomes, and significantly reduce costs while ensuring compliance with HIPAA.” To achieve these and other essential goals of value-based care, a growing number of healthcare organizations are reviewing clinical collaboration and communication tools. Many are moving to more sophisticated clinical collaboration platforms (CCPs) in response to increased demand for streamlined communication and workflows, citing factors such as the needs to:

HIPAA-compliant texting across the care continuum 

We've established that communication technology for care teams is experiencing rapid change. And while an overwhelming number of solutions exist in the marketplace for HIPAA-compliant texting, mobilization of critical alerts, and voice over internet protocol (VoIP) calls, these solutions allow certain care team members to communicate and collaborate. But they don’t necessarily extend across the entire continuum of care, limiting a patient care team’s ability to operate with the most accurate and up-to-date critical information. Working without this data can lead to unnecessary and often redundant tests, potentially causing delays in patient care.

Certain clinical collaboration platforms have proven successful in extending secure text messaging to all care team members. For example, symplr Clinical Communications customers use our comprehensive role-based messaging system, coupled with our Patient Care Coordinator functionality, to ensure that care teams are apprised of the latest updates in a patient’s health information. symplr Patient Care Collaboration attaches basic patient information directly to each message thread and allows team members to quickly see who else is on the team, their status, and promptly start a team message. 

How to address the need for HIPAA-compliant texting  

There is no clear end date in sight for the COVID-19 national health emergency, as mutations proliferate and vaccinations and boosters continue to be administered. Healthcare organizations remain under enormous pressure to respond to current healthcare demand on top of virus surges. The use of telehealth is expected to continue, and even to grow, after the emergency has been lifted.  

Under these circumstances, maintaining HIPAA-compliant text messaging is both practical and essential, despite the short-term relaxation of some of the HIPAA regulations governing telehealth practices. One of the most expedient and cost-effective ways to maintain compliance and avoid violations is to deploy a clinical collaboration platform with features and services that support HIPAA-compliant messaging for teams and individuals. A secure, HIPAA-compliant text messaging platform is no longer optional in today’s fast-paced and demanding healthcare settings.

