There are no government regulations specific to text communication between patient and provider. As such, the same general rules for privacy and security that apply for any other phone texting exchange hold for texting about a patient or directly with a patient. To address the implications of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the privacy rule restricts who has access to protected health information (PHI), while the security rules loosely define parameters for preventing breach of PHI.
In any communication between patient and provider, both parties should presumably have access to any PHI—satisfying the privacy rule. However, an important consideration is ensuring that the 2-way communication by text message is actually between the intended parties. In other words, be certain that your messages are reaching only the desired recipient.
Establish PHI Privacy Safeguard
In general, it is advisable to ensure that privacy is maintained by confirming the patient’s identity and desire to communicate by text message prior to engaging in an initial text communication. You might have your first message exchange with the patient in clinic, for example. At that time, you can ask if others have access to the patient’s mobile device and gain assurance that the patient is comfortable with the level of security afforded by text messaging.
If communication is ever initiated by an unknown contact, you should not share PHI until you have confirmed the identity of the person face to face or by phone call to be certain that the unknown contact is, in fact, the patient or someone the patient has indicated may communicate directly with you and that patient wishes to communicate by text message.
Under these circumstances, it is of utmost importance that the patient has an expressed desire to use phone texting to communicate about ongoing medical care, and is comfortable receiving and sending texts rather than more traditional forms of communication. However, this does not necessarily mean that security standards under HIPAA will have been met.
Employ Safe Harbor De-identification
As defined by HIPAA, covered entities (ie, providers, institutions, etc) are expected to use “appropriate administrative, physical and technical safeguards” to ensure privacy of PHI.1 This description is vague and implies technological neutrality. In other words, HIPAA does not require, and the US Department of Health and Human Services does not endorse, any specific technology or security standards for the protection of PHI.
Therefore, providers may use any level of encryption, along with other technological (eg, operating system passwords) and physical (eg, screen shields) methods to enhance protection against an information breach.2 While the vague description may seem cumbersome, there is an easier method to maintain HIPAA security rule compliance: de-identification.
If you remove all personal identifiers (Table) from the information you are transmitting, then you are providing sufficient and appropriate privacy and security measures under the Safe Harbor method.4 Under HIPAA, the Safe Harbor rule lists 18 personal identification markers that should be eliminated from any communication to prohibit the possibility of a person’s identity being linked to original data.4 When information contains no specific identifying information (ie, de-identified), it is no longer “protected” health information under HIPAA. De-identification of any transmitted information is surely the safest, least expensive, and most effective means for maintaining compliance, particularly if a patient has initiated the communication and identified text messaging as a preferred means of communication.
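The following Python is an added illustration, not code from the original article. It screens an outbound text message for the subset of the 18 Safe Harbor identifiers (45 CFR 164.514(b)(2)) that can be recognised by pattern: dates other than a bare year, phone and fax numbers, Social Security numbers, email addresses, URLs, IP addresses, ZIP codes, record or account numbers introduced by a label such as "MRN", and ages over 89. Names, street addresses, photographs and biometric data cannot be caught this way and still need a human check, and the screen says nothing about whether the clinical content itself is appropriate for texting. The "MRN"/"account" label list and the sample messages are constructed assumptions.

```python
import re

# Pattern-detectable subset of the HIPAA Safe Harbor identifiers.
# Order matters for redact(): more specific patterns run before the generic ZIP pattern
# so that e.g. "MRN 48213" is removed as a record number rather than as a ZIP code.
# Names, street addresses, photos and biometrics are NOT detectable here; review by hand.
PATTERNS = {
    "date (month/day)": re.compile(
        r"\b\d{1,2}[/-]\d{1,2}(?:[/-]\d{2,4})?\b"
        r"|\b(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+\d{1,2}\b",
        re.I,
    ),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone/fax number": re.compile(
        r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
    ),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "URL": re.compile(r"\b(?:https?://|www\.)\S+", re.I),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Label conventions ("MRN", "acct", ...) are an assumption about how staff write them.
    "record/account number": re.compile(
        r"\b(?:MRN|MR#|acct|account|member)\s*#?\s*:?\s*[A-Z0-9][A-Z0-9-]{3,}\b", re.I
    ),
    # Safe Harbor requires ages over 89 to be aggregated; 89 itself is allowed.
    "age over 89": re.compile(r"\b(?:9\d|1\d{2})[\s-]?(?:years?[\s-]old|y/?o)\b", re.I),
    "ZIP code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def screen_message(text: str) -> list[tuple[str, str]]:
    """Return (identifier category, matched text) pairs found in an outbound message.

    An empty list means no pattern-detectable identifier was found; it does not
    prove the message is de-identified (names etc. are not covered).
    """
    findings = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((category, match.group(0)))
    return findings


def is_safe_to_send(text: str) -> bool:
    """True when the automated screen finds nothing; a human check is still required."""
    return not screen_message(text)


def redact(text: str) -> str:
    """Replace each detected identifier with a labelled placeholder."""
    out = text
    for category, pattern in PATTERNS.items():
        out = pattern.sub(f"[{category} removed]", out)
    return out


if __name__ == "__main__":
    # Constructed sample messages, not real patient data.
    samples = [
        "Are you feeling any better?",
        "Hi John, your MRN 48213 results from 03/14 are in; "
        "call 555-123-4567 or email j.doe@example.com",
        "Patient is 92 years old and doing well",
    ]
    for msg in samples:
        print(repr(msg))
        for category, hit in screen_message(msg):
            print(f"  {category}: {hit}")
        print("  redacted:", redact(msg))
```

A message that passes the screen still has to be read once more for names and free-text clues before it is sent; the value of the automated pass is that it blocks the mechanical slips (a date, a phone number, a record number pasted from the chart) that are easy to miss by eye.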
Take All Necessary Safety Precautions
Since patients may not be aware of HIPAA rules, it is reasonable for you to inform your patients of potential concerns (eg, that you are not using advanced security features in the communication) when they initiate or transmit their own PHI. However, you are responsible for the information that you transmit or disclose. In effect, any PHI on your device is your responsibility, and therefore, you should optimize features and practices such as operating system passwords, remote phone deactivation, deleting of old messages from the device (and storage/backup systems), and disabling message previewing.
For the most part, text messaging should be considered safe and effective. There are many ways that texting can improve communication between physicians and providers, and improve patients’ access to healthcare at little or no cost to them. In general, providers can maintain Security Rule compliance by avoiding the use of PHI in messages. However, this should not preclude much of the dialogue that is “text appropriate.”
A message like “are you feeling any better?” has minimal risk to patient or provider. Conversely, it is quite obvious that you should not be transmitting messages like “Your viral count is down.” Clearly, if benign communication becomes sensitive or worrisome during a text exchange, then this should prompt a switch to a telephone call or, if necessary, schedule an office visit.
Ultimately, all levels of security can be breached—consider that both the US Department of Defense and Central Intelligence Agency have been hacked within the last 2 years. If hackers want to break into a secure messaging system, they will. Therefore, clinicians would be best served to remove all identifiers from all messages, all the time, and limit use of text messaging for routine, benign communication with patients.