Health IT Pulse

Nov 16 2015   6:16PM GMT

Lawyer suggests strategies to avoid texting risks with PHI

Shaun Sutner

Tags:
HIPAA
HIPAA business associate
HIPAA Compliance
HIPAA security
PHI
PHI encryption

Healthcare providers and their business associates are fast getting hip to the reality that it’s not OK to text protected health information (PHI).

Not only does unsecured texting of PHI run afoul of HIPAA privacy rules, but it’s also just too easy for texted PHI to be stolen, hacked, leaked or lost unless it is safeguarded.

Lawyer Lisa Thompson of the LeClairRyan law firm amply underscores that message in a recent post on the Richmond, Va.-based firm’s blog.

Thompson notes that texting is popular for many reasons. It’s “easy, fast and efficient,” she points out. It’s also considerably less cumbersome than email, and you don’t need a computer to do it.

But for healthcare providers, all this convenience can be dangerous and can lead to unauthorized access to PHI, Thompson emphasizes.

Among the dangers:

  • Anyone with physical access to the mobile device can view text messages on it
  • Texts can be read when the device is lost, stolen or even returned or recycled
  • Traditional security protections used by IT departments of HIPAA-covered entities, such as firewalls, may not cover texts, and so texts can be intercepted and decrypted

Another problem is that HIPAA also mandates that patients and their representatives, such as lawyers and families, have timely access to their health records. Thompson astutely notes that when texts are used in healthcare decision making, providers could be out of compliance with HIPAA if patients ask for the texts in question and providers can’t turn them over.

Thompson acknowledges that there is no easy response to these risks.

However, at the least, providers and business associates should include mobile phones and other devices on which PHI is created, transmitted, received and maintained in text form in any risk analysis, a step that HIPAA requires.

The clearest path to protecting texts in healthcare settings is by using secure texting technology, many in health IT say.

Indeed, secure messaging is one of the strategies Thompson lists for combatting the potential scourge of unprotected texts that contain PHI.

Other steps include:

  • Establishing policies that require all texts to be deleted within a specified time period
  • Using technology that can wipe information from devices or remotely disable mobile phones if they are lost or stolen
  • Providing encryption and password protection
  • Setting policies and guidelines that limit information contained in texts, such as not using patient names or other identifiers
  • Requiring texted PHI to be added to formal health records and providing a technological mechanism for doing so
  • Training employees on texting policies and procedures
  • Handing down disciplinary measures for employees who violate texting policies

Healthcare providers would do well to heed Thompson’s advice.

1  Comment on this Post

 
  • qliqsoft
    It's always good to find flaws in PHI so it can be improved better but yeah physical access is still a threat which is hard to avoid.
