An ePHI-less text message.
Are vendors of secure text-messaging technology trying to sell people a bridge in Brooklyn, or is there a loophole in the somewhat outdated HIPAA privacy and security regulations that few have taken advantage of? The answer is unclear.
Dr. Michael Koriwchak, an otolaryngologist in Atlanta, raised the question last week on his Wired EMR Practice blog by calling secure texting both expensive and unnecessary. “How do you get a marginal product to sell? Either have the government make people buy it (Meaningful Use) or use marketing sleight of hand to create the illusion of a legal imperative,” Koriwchak writes.
“My inbox has been inundated with ads: ‘Don’t get caught texting [protected health information]! Buy our secure texting product today!” he notes.
Koriwchak says vendors were making their case by relying on a $100,000 settlement the HHS Office for Civil Rights reached with an Arizona cardiology practice that was lax in securing electronic PHI. “The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI),” according to an HHS press release.
Information made public about the case said nothing about text messaging, but Koriwchak writes, “many secure texting vendors have cited this settlement as evidence that the Feds are prosecuting providers for texting PHI.”
The HIPAA privacy and security regulations were written during the Clinton administration and finalized in the early days of the George W. Bush presidency. SMS was around then, but was not widely used in the U.S. CTIA, the wireless industry association, reports that Americans sent 258.2 million texts a month in 2001, a figure that ballooned to 18.7 billion in 2006 and 193.1 billion by the end of 2011.
OCR spokeswoman Rachel Seeger tells MobiHealthNews in an e-mail that HIPAA privacy and security rules “do not expressly prohibit” sending electronic PHI by text or over the Internet—meaning by e-mail—but the security standards “require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.”
Another section of the security rule lists standards for transmission security and data encryption. “This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution and document the decision,” Seeger explains. “The security rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”
But it may be difficult to determine if SMS networks are adequately protected. “It is widely accepted that every text has at least 3 copies: the sender phone, the receiver phone and one or more copies on the telecom servers involved in the transmission. The first 2 clearly exist. But has anyone verified current practices among telecom providers regarding server storage of text messages?” Koriwchak wonders. “There is no credible source that clearly documents what those practices are. Many providers and IT folks also intuitively believe that text messages can be easily monitored/intercepted remotely.”
Koriwchak referred to a November 2011 directive from the Joint Commission: “No it is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.”
This, according to the blogger, does not raise the issue of privacy, which is an integral part of the OCR settlement with Phoenix Cardiac Surgery. “The two issues it does raise, identity verification and documentation in the medical record, are not solved by secure text products,” Koriwchak contends.
He further suggests that the Joint Commission policy should apply to telephone conversations because, Koriwchak says, “the voice of a caller cannot be objectively identified, and voice conversations are not preserved for the record either.”
Koriwchak then says that the federal government has never investigated any provider, payer, clearinghouse or other HIPAA covered entity for texting PHI, “although the secure texting vendors would like you to believe otherwise.” He also claims that there have been zero documented breaches of PHI related to texting.
OCR spokeswoman Seeger says the office “may have had a few complaints in this area.” However, the majority of breaches affecting at least 500 individuals have been due to loss or theft of hard drives, laptops, USB drives and other hardware, according to Seeger. All breaches must be included in annual reports, but any breach involving at least 500 people must be reported within 60 days. (Correction: The original story incorrectly stated that only breaches that affected 500 or more individuals had to be reported to HHS.)
“The few cases we have seen involving hacking highlight the importance of backing up information systems,” Seeger says. She recommends firewalls and encryption at the enterprise level to help prevent unauthorized access to PHI.