In 2012, approximately 184.3 billion text messages were sent each month in the United States, an increase from 28.9 billion a month just five years before. And every day more physicians and other healthcare providers are exchanging clinical information through a wide range of modes – including smartphones, pagers, CPOE, e-mails, texts and messaging features in an EMR. So it’s no surprise that hospital and health system leaders are homing in on securing protected health information in electronic form (ePHI).
At the same time, changes in HIPAA regulations released earlier this year (as well as misleading hype from vendors) have made HIPAA compliance more important and yet more challenging. Delays in addressing the issue can result in expensive legal fees and settlements, divert resources and staff from other important activities, tarnish an organization’s reputation and, most critically, undermine patient trust.
It’s time to set the record straight on secure communications.
Time and time again I see health systems looking to implement stopgap measures and point solutions that address part – but not all – of a problem. And how some in the industry are approaching the security risks associated with electronic communication is no different. Tackling secure texting in and of itself is not enough. In order to identify all potential areas of vulnerability, healthcare leaders need to consider ALL mechanisms by which ePHI is transmitted – and the security of those mechanisms and processes.
Texts are commonly sent between two individuals via their mobile phones, but the communication “universe” into which a text enters is actually much bigger. It also includes sending messages from mobile carrier websites, web-based paging applications, call centers, answering services and switchboards. For example, a nurse might create a message by logging onto the website of a mobile carrier. The message may be sent via an unsecure network to a pager or via SMS to a physician’s mobile phone. A pharmacist might telephone a call center with a message for a physician; the call center agent might then create an electronic message that is then sent to the physician via an unsecure network. In addition, voice messages that include PHI may be stored on mobile phones or on a carrier’s server – in some cases without sufficient security protections. If these messages contain ePHI and are transmitted through unsecure networks or stored in an unencrypted format, they represent a potential security risk.
We’ve all heard the buzz in the market about secure text messaging, but health systems need to realize that texting or any other mode of communication can’t be viewed in isolation. By failing to address all transmitted ePHI, organizations become vulnerable to security breaches with adverse legal and financial consequences, as well as loss of patient trust and reputation in the marketplace.
Safeguarding all electronic communication of PHI
HIPAA provisions emphasize the risk management process rather than the technologies used to manage risk, so for hospitals and health systems the pathway to safeguarding electronic communication of PHI lies in the creation of an overall risk management strategy. Ideally, leaders of the covered entity (CE) will form an information security committee, including representatives from IT, operations, the medical staff and nursing, as well as legal counsel, to develop and execute the strategy. Leaders should also consider including an external security firm in the group. Once the committee is formed, the organization should take the four essential steps for protecting the security of ePHI.
Step 1: Conduct a formal risk analysis. Whether conducted internally or outsourced to an external consultant, this step is critical, and it must include inquiry about the types of technology used for electronic communication as well as the transmission routes for all ePHI. To ensure HIPAA compliance, ePHI transmitted across all channels must be “minimally necessary,” which means it includes only the PHI needed for that clinical communication. The assessment should also evaluate the strength of the administrative, physical and technical safeguards currently in place.
Step 2: Develop an appropriate risk management strategy. Once the analysis is complete, the committee should develop a risk management strategy that’s specific to the needs and vulnerabilities of the organization and is designed to manage the risk of an information breach to a reasonable level. HIPAA does not specifically define “reasonable,” but in general, the risk management strategy should include policies and procedures that ensure the security of message data during transmission, routing and storage. The strategy should also include specific administrative, physical and technical safeguards for ePHI.
Decisions about safeguards will require the committee to consider the limits that will be imposed on electronic communication of PHI. The committee should develop detailed written policies regarding permitted staff behavior when communicating ePHI, including required actions in the case of a suspected breach (e.g., contacting oversight agencies, patients and media, and consequences for employment status). It’s also critical for the group to determine processes for creating an audit trail of messages that includes the sender, receiver, date and time to provide the information necessary for accounting and reporting in case of a breach.
Step 3: Implement policies and procedures and train staff. Implementing new policies and procedures is the biggest challenge for organizational leaders, especially as a substantial proportion of reported security breaches are due in part to insufficient training of staff. As a result, appropriate individuals should be assigned specific implementation tasks for which they are held accountable, while leaders and committee members must carefully monitor the success of implementation. All staff with access to PHI must be educated about the specific policies and procedures, and training should be included during new hire orientation and on a regular basis (e.g., annually) for other employees.
Step 4: Monitor risk on an ongoing basis. To ensure continued compliance with security standards, organizations must conduct ongoing monitoring of their information security risk. Leaders should receive regular trend reports from the information security committee based on an ongoing assessment of ePHI security at the organization. They should ensure the ongoing assessment of security needs as technology and healthcare delivery change – for example, in response to the greater care coordination required with accountable care.
HIPAA provisions do not include detailed regulations around specific electronic communications like text messaging, making a “HIPAA-compliant texting application” a misnomer. Instead, HIPAA requires that CEs complete a risk assessment and implement policies and procedures to manage the risk of an information breach to a reasonable level. In today’s increasingly complex healthcare environment, analyzing and implementing a broader policy around security across all forms of electronic communications, rather than focusing on any one mode of communication in isolation, and following the steps above will be critical to any health system’s ability to avoid and mitigate the adverse consequences of a breach.
Terry Edwards is CEO of PerfectServe, a Knoxville, Tenn.-based developer of voice, online and mobile clinical communication services for healthcare providers.