October 1, 2013
Volume 77, Number 10
Texting, Safety and Privacy
Jaidepp Mehta, M.D.,
M.B.A.Committee on Electronic Media and Information Technology
Peter Vincent Killoran, M.D.
The rapid adoption of smartphones and text messaging has created new ways for individuals to communicate. The instantaneous delivery of messages with the opportunity for asynchronous communication has the potential to transform communication between clinicians. However, standard text message technology does not meet the standards and rules for privacy and security required by the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Joint Commission.1-3 Etiquette surrounding the appropriate use of these devices has also not kept pace with the adoption of the technology – not everyone realizes that texts are not secure, nor that messaging a photo of an O.R. schedule is not only inappropriate, but potentially a major HIPAA fine waiting to happen.4 Much like discussing a patient in a crowded elevator or carrying a photocopied O.R. schedule out of the hospital, bad behavior by health care providers can pose significant risks to patient privacy.5
With nearly 6 billion Short Message Service (SMS) and Multimedia Messaging Service (MMS) messages sent each day,6 the odds that someone in your practice or department has transmitted HIPAA-protected information is nearly guaranteed. Until recently, physicians, physician extenders, nurses and support staff have been the most ardent users of the traditional text pager.7 The largest drawback of these devices is that the majority of them are limited to one-way communication, which limits their ability to facilitate acknowledgement of receipt and elicit an appropriate response. With the pervasiveness of smartphones that support text and multimedia messaging and the low cost of unlimited access to this method of communication, it should come as no surprise that many consider it their preferred method of sending and receiving real-time workflow information.
Physician adopters of texting in the workplace can argue the technology lends itself to shortening response times, allowing for multiple decision-makers to participate in a dialog, while also enabling quick communication of lab and imaging results.8 However, it may be the elimination of the need for a call back that makes texting so alluring. There is no more valuable tool than one which allows the quick and easy relaying of time-critical information, whether it is a case assignment change or a change in a patient’s health status. The power of these messaging services is in its ability to allow asynchronous communication, as providers are often engaged in other activities that require their focus and additional messages can wait. Unfortunately, if that information sitting on a locked smartphone screen and a preview of its contents contains electronic protected health information (ePHI) as employed by standard text messaging platforms, a significant HIPAA violation could result. Even one violation can carry a fine of $50,000.9 Extrapolate that to the cost of one photograph of an O.R. schedule that contains dozens of names, medical record numbers and procedures, and the fine could be in the millions of dollars very quickly.
The ease of access comes at a cost. Specifically, standard SMS and MMS messages fail to meet the standards defined by Health and Human Services’ (HHS’) recent Administrative Simplification Provisions (ASP).10 The ASP recognized the pitfalls of the current mobile providers messaging standards and laid out four areas they believe are essential to compliance. Specifically, systems that are compliant with the ASP must encrypt data in-transit and on the device, authenticate the recipient, utilize secure data centers, and provide for archiving, retrieval and monitoring.
Most of the security standards laid out in the ASP are elements of a secure software system that many medical providers would rather not have to worry about – but understanding why they exist is important. To most, requiring encryption both in-transit and on the device makes immediate sense. No one would purchase an item off a website if they knew that their credit card would be transmitted in clear text that even a novice cyber-thief could capture. Yet text messages are transmitted on a telecommunication providers’ open wireless network and they are relatively easy to penetrate.11 Knowing that credit card information is highly valuable, website providers instituted the Secure Sockets Layer (SSL) protocol. Similarly, most secured messaging providers use SSL to encrypt the messages they transmit, while many use the more sophisticated 256-bit version of Advanced Encryption Standard (AES) encryption technology to secure that information on the device. By leveraging both of these encryption technologies, secured messaging providers are able to provide a secured, closed channel for delivering sensitive ePHI to and from mobile devices. Physical security at a data center might also seem intuitive to providers whose profession mandates workers carry secured area access identification cards at all times, but is not something that traditional telecommunication providers have invested in. Lastly, audit control requirements, while arcane functions to the average provider, are core to an organization’s ability to validate who accessed a message and their authority to do so.
With many cell phone users acknowledging they have sent a text message to the wrong person, it quickly becomes clear why the ASP requires authentication of the recipient and a method by which to recall and delete a message, even after it has been read. Software vendors in the secured messaging arena initially attempted to reduce the likelihood of misdirected messages by limiting contacts within their applications to individuals listed in corporate directories. This greatly limited their utility early on, as many providers interact with support staff outside of the provider group, such as the billing, nursing or hospital administration. Secured messaging providers have now recognized that major limitation and are offering solutions to this dilemma by allowing users to incorporate a subset of private individuals into the application, but this is often a manual process requiring users to enter each recipient’s cell number or email address. While not an elegant solution, it definitely expands the universe of possible users and makes these product platforms that much more likely to be utilized.
Before an organization rushes out to sign a contract for a new secured messaging platform, it needs to consider its decision criteria. The most important of these must be the “Ease of Use” of the product and whether it fully complies with the security and privacy requirements set out by the HITECH Act, HIPAA and the ASP. Information technology decision-makers should engage multiple providers to assess whether core functionality seems intuitive and robust enough for the provider’s needs. Vendors including DocbookMD®, PerfectServe® and TigerText® will all claim to accomplish all the requirements, but at varying costs and significantly varying degrees of usability.
When implemented correctly, secured messaging platforms can greatly improve the workflow and daily experience for providers by offering timely updates and enabling rapid responses to changing conditions. Providers can receive workflow and patient updates in a secured fashion, while the individuals sending these messages can rest assured their message reached the intended recipient. While orders sent via a text message will never be acceptable,3 receiving a notification via a secure messaging application and allowing the provider to enter an order or to review the full set of lab results that raised concern at their convenience may allow for more efficient use of the provider’s time. These types of asynchronous interactions enable providers to parse their valuable time and deal with whatever is at hand, regardless of whether they or their patient is in the O.R., PACU or outside the perioperative suite.
Metcalf’s Law states the value of a telecommunications product increases with the size of its network.12 For a HIPPA-compliant messaging platform, this suggests success will be measured by the rate of adoption and the size of the user base. Such adoption will only occur with a robust, easy-to-use product, complete with out-of-the-box connectivity and extensibility that improves a clinician’s clinical workflow.
Jaideep Mehta, M.D., M.B.A. is Assistant Professor, Department of Anesthesiology, and Chief of Acute Pain Medicine, UTHealth, Houston, Texas.
Peter Vincent Killoran, M.D., M.S. is Assistant Professor, Department of Anesthesiology and School of Biomedical Informatics, UTHealth, Houston, Texas.
1. HIPAA: Health Insurance Portability and Accountability Act. AMA website. http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act.page. Accessed August 15, 2013.
2. Summary of the HIPAA privacy rule. U.S. Department of Health & Human Services website. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html. Accessed August 15, 2013.
3. Standards FAQ details: record of care, treatment, and services (CAMH / hospitals), texting orders. The Joint Commission website. http://www.jointcommission.org/mobile/standards_information/jcfaqdetails.aspx?StandardsFAQId=401&StandardsFAQChapterId=79. Published November 10, 2011. Accessed August 15, 2013.
4. Greene AH. HIPAA compliance for clinician texting. J AHIMA. 2012;83(4):34-36.
5. Answer to your question: Can you use texting to communicate health information, even if it is to another provider or professional? HealthIT.gov. http://www.healthit.gov/providers-professionals/faqs/can-you-use-texting-communicate-health-information-even-if-it-another-p. Accessed August 15, 2013.
6. Wireless quick facts. CTIA website. http://www.ctia.org/advocacy/research/index.cfm/aid/10323. Accessed August 15, 2013.
7. Physician and hospital texting is on the rise [press release]. TigerText website. www.tigertext.com/physi¬cian-texting-on-rise. Published October 12, 2011. Accessed August 15, 2013.
8. Brooks A. Healthcare texting in a HIPAA-compliant environment. AAOS Now. 2012;6(8). http://www.aaos.org/news/aaosnow/aug12/managing5.asp. Published August, 2012. Accessed August 15, 2013.
9. Enforcement highlights. U.S. Department of Health & Human Services website. Updated June 30, 2013. Accessed August 15, 2013. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html.
10. HIPAA administrative simplification statute and rules. U.S. Department of Health & Human Services website. http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html. Accessed August 15, 2013.
11. Borland J. Breaking GSM with a $15 phone … plus smarts. Wired. www.wired.com/threatlevel/2010/12/breaking-gsm-with-a-15-phone-plus-smarts. Published December 28, 2010. Accessed August 15, 2013.
12. Shapiro C, Varian HR. Information Rules: A Strategic Guide to the Network Economy. Boston: Harvard Business School Press; 1999.
Previous Article / Next Article