HIPAA lets providers text patients, but is it secure?

As texting between patients and providers becomes more common, it’s imperative that providers consider the right platform to use and other security features to protect patient data.
By Laura Lovett

Texting between doctors and patients has become more commonplace in recent years. But before the two parties start sharing every intimate detail, experts urge providers to take a step back and consider security.

HIPAA guidelines

HIPAA permits “readily producible” private health information to be transferred to a patient through their preferred medium, as long as the provider can do so in a way that wouldn’t present an “unacceptable level of security risk” to PHI.

But much of the regulation comes down to patient consent and the patient’s understanding of the risks involved in texting with a provider.

“When it comes to texting with a patient, if a patient understands the risk of the unsecured communication and consents to communicating in that manner, then the provider can communicate in that manner,” said Erin Whaley, a partner at Troutman Sanders law firm and HIPAA specialist.

“We do recommend the provider limit the amount of PHI through text, just to limit the risk,” she added.

While texting between doctor and patient is allowed in healthcare, there are certain steps that providers need to take before shooting a patient a text about their health.

“The HIPAA Privacy Rule always allows healthcare providers to disclose or send PHI to patients,” David Holtzman, VP of compliance strategies at CynergisTek, wrote in an email. “Healthcare providers considering sending communications via email and SMS text messages to patients that contain identifiable health information should pay attention to the technical safeguard requirements of the HIPAA Security Rule.”

Organizations have to ensure that PHI in a message is accessible only to those authorized to view it, use technologies that can monitor who is authorized to access the messages, require users to have a PIN, use technology able to prevent PHI from being destroyed or altered, and encrypt the information if it is sent outside the health system, he explained.

But security also involves the human factor. One of the major pitfalls is how users secure — or in some cases do not secure — their messages. This means providers need to be particularly aware of ways to secure their smartphone.

“The provider has to think about the other security mechanisms and other ways they can mitigate risk with that device,” Whaley said. “For instance when you send a text message that remains on your phone — if your phone is stolen all of those texts can be accessed.”

“The provider should think about how long are they storing those messages on their phone, and it has to be password protected,” she continued. “They want to look at ways to remotely wipe their phones if they are stolen. There are programs out there you can download on your phone, and if the password is incorrect three times, your phone is automatically restored to [default] setting.”

Authentication, both on the patient and provider side, is a major hurdle in ensuring secure messaging.

“My company MedCrypt does medical device cybersecurity. We did an analysis of the cyber security vulnerabilities that vendors have disclosed in 2013 and found that 60 percent of disclosures related in one way or another to user authentication,” said Mike Kijewski, MedCrypt CEO. “That has been a very common theme where there is a hard-coded username and password — where someone could grab another patient’s phone and log in.”

Proceed with caution

Communicating with patients by normal email and SMS is risky, Holtzman said, as these aren’t secure platforms. More and more vendors now provide specialty services for providers to go back and forth with patients.

Some hospital systems and providers are now turning to these platforms. But what should providers be looking for in these services?

“When healthcare providers seek to send PHI through email or text messaging, care should be taken to utilize services that can demonstrate that their technology applies the technical safeguards required to protect identifiable health information,” said Holtzman.

The right vendor will provide detailed product specifications on the “technology safeguards that limit access to authorized individuals, authenticate users with a unique identity and password, protect the integrity of email and text messages containing PHI, encrypt transmissions to prevent unauthorized access, and enable monitoring to review how authorized users are accessing the PHI,” he explained.

Encryption is key, Whaley said. And it’s important to look at the vendors’ HIPAA compliance history and examine their understanding of the law.

The game also changes when clinicians text with other clinicians. In this situation, clinicians don’t have patient consent to send unsecured texts. So Whaley said it’s best practice to use secure messaging systems in this situation.

Other considerations

But for many providers, security and reliability go beyond meeting legal obligations. Some see security as a safety topic.

“Something we’ve spent a lot of time thinking about, that isn’t as commonly discussed as the HIPAA compliant issues, is the patient safety ramifications of the cybersecurity internet, either of a medical device or a mobile app that is using data,” Kijewski said.

As an example, Kijewski described a mobile app that gathers a patient’s heart rate readings and stores the data over time so it can later be sent to a provider for analysis.

“It might not be the end of the world if someone can read your heart rate values, but one of the concerns is: What if someone modifies those values so that it looks like a patient's heart rate was doing something that it wasn’t?” he said. “The clinician can make the wrong judgement call based on the data. So we spend a lot of time thinking about the provenance of the data.”
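The tampering scenario Kijewski describes, and the “prevent PHI from being destroyed or altered” safeguard Holtzman lists, are both integrity problems rather than confidentiality problems. The following is an added illustration, not code from the article, from MedCrypt or from any vendor named here: it seals a stored set of heart-rate readings with a keyed hash (HMAC-SHA256 from the Python standard library) so that a receiving clinician’s system can detect any value changed after the data left the device. The patient id, timestamps, readings and key are constructed for the example.

```python
"""Tamper-evident storage for patient readings (added example, stdlib only).

A keyed MAC over a canonical serialization of each record lets the receiver
detect any change made after the record was sealed, which is the failure mode
described above: a modified heart-rate value that could mislead a clinician.
All field names, values and the key below are constructed for this example.
"""
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators: the same data always yields the same
    # bytes, so the MAC does not depend on dict ordering or whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> dict:
    """Wrap `record` with an HMAC-SHA256 tag computed over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """Recompute the tag and compare it in constant time to the stored one."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(expected, sealed["tag"])


# Constructed sample: a few hourly heart-rate readings (bpm) for one patient id.
DEVICE_KEY = b"constructed-demo-key-not-for-production"
READINGS = {
    "patient_id": "demo-0001",
    "unit": "bpm",
    "samples": [
        {"t": "2019-01-01T08:00:00Z", "hr": 72},
        {"t": "2019-01-01T09:00:00Z", "hr": 75},
        {"t": "2019-01-01T10:00:00Z", "hr": 68},
    ],
}


def demo_tamper_detection() -> dict:
    """Seal the readings, then show what the verifier sees in three cases."""
    sealed = seal(READINGS, DEVICE_KEY)
    intact = verify(sealed, DEVICE_KEY)

    # One reading is altered after sealing (deep copy via JSON round trip).
    tampered = json.loads(json.dumps(sealed))
    tampered["record"]["samples"][1]["hr"] = 175
    altered = verify(tampered, DEVICE_KEY)

    # A verifier without the right key cannot validate the record either.
    wrong_key = verify(sealed, b"some-other-key")

    return {"intact": intact, "altered": altered, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo_tamper_detection())
```

The MAC only proves that nobody without the key changed the record after it was sealed; it says nothing about whether the device produced correct readings in the first place, and the key must be provisioned to the device and the receiving system through a channel the messaging path itself does not provide.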

But in addition to just keeping information safe, patients can expect certain health information to be securely uploaded to their EHR when they text with a provider.

“HIPAA gives the patient the right to access and amend a designated record set,” Whaley said. “If a patient is texting information to a physician, and a physician is relying on that information to treat the patient, then that is arguably part of the designated record set to which the patient has an access right and an amendment right.”

“If the physician doesn't incorporate that into the record, and it’s sitting on the phone, then the patient isn’t going to have access to the phone when he or she makes the access request,” she continued. “Providers need to think about what part of those messages needs to be incorporated into the EHR.”

“The same applies from a liability standpoint, if a provider relies on data from the text message to make a treatment decision,” Whaley explained. “[They’ll] want to document that in their EHRs, if there, heaven forbid, be any [unfortunate] circumstance.”

While there are several open questions about how best to implement texting in healthcare, Holtzman said education is key.

“Modern workplaces rely on the bring-your-own-device principles, meaning that most users use their personal mobile devices to access sensitive information,” Holtzman wrote. “There are technical controls that can be used via Exchange, O365, and other mobile device management solutions.”

“However, nothing will ever replace well-educated users who understand the risks and how to avoid allowing new applications access to sensitive data like email, contacts and the like,” he added.

And that education may be essential as some professionals see texting as the way of the future.

“I think we will continue to see it evolve in this area because texting is so ubiquitous and easy,” Whaley said.
