Text messaging to communicate clinical information among physicians represents a different set of health data security risks that needs to be managed appropriately, according to a report in the Journal of AHIMA.
Text messaging is popular with physicians because it is convenient and fast. Under the HIPAA security rule, text messaging should be addressed as part of an organization's comprehensive risk analysis and management strategy, especially if text messages are used to make decisions about patient care.
Providers can implement the following seven security controls to handle the transfer of electronic patient health information between physicians via text messages:
1. An administrative policy prohibiting the texting of ePHI or limiting the type of information that may be shared via text message;
2. Workforce training on the appropriate use of work-related texting;
3. Password protection and encryption for mobile devices that create, receive or maintain text messages with ePHI;
4. An inventory of all mobile devices used for texting ePHI (whether provider-owned or personal devices);
5. A policy requiring annotation of the medical record with any ePHI that is received via text and is used to make a decision about a patient;
6. A policy setting forth a retention period or requiring immediate deletion of all texts that include ePHI;
7. Use of alternative technology, such as a vendor-supplied secure messaging application.
It is ultimately imperative to recognize both the value and risks of texting and to proactively address the issues.
CHIME: HIPAA Privacy Rules Need Reconsideration
HIMSS: Increased HIPAA Compliance Has Yet to Increase Data Security
Text messaging is popular with physicians because it is convenient and fast. Under the HIPAA security rule, text messaging should be addressed as part of an organization's comprehensive risk analysis and management strategy, especially if text messages are used to make decisions about patient care.
Providers can implement the following seven security controls to handle the transfer of electronic patient health information between physicians via text messages:
1. An administrative policy prohibiting the texting of ePHI or limiting the type of information that may be shared via text message;
2. Workforce training on the appropriate use of work-related texting;
3. Password protection and encryption for mobile devices that create, receive or maintain text messages with ePHI;
4. An inventory of all mobile devices used for texting ePHI (whether provider-owned or personal devices);
5. A policy requiring annotation of the medical record with any ePHI that is received via text and is used to make a decision about a patient;
6. A policy setting forth a retention period or requiring immediate deletion of all texts that include ePHI;
7. Use of alternative technology, such as a vendor-supplied secure messaging application.
It is ultimately imperative to recognize both the value and risks of texting and to proactively address the issues.
More Articles on Health Information Technology:
Text Message Use Among Providers Raise HIPAA ConcernsCHIME: HIPAA Privacy Rules Need Reconsideration
HIMSS: Increased HIPAA Compliance Has Yet to Increase Data Security