Joint Commission lifts secure messaging ban: What that means to healthcare organizations

Now that the Joint Commission is allowing healthcare providers to use secure text messaging to communicate patient information and orders, healthcare IT organizations are tasked with enabling secure messaging platforms that comply with the standards.

The U.S. healthcare accreditation body's decision (first announced in May and later delayed until September) is a long-overdue move that promises to improve both healthcare communication and data security. For many years, providers have been skirting the ban because they recognize that mobile messaging enables them to communicate medical information faster, more efficiently, and in a way that better serves patients. The problem is that, because they haven't been given easy-to-use, secure alternatives, they've been using consumer-focused text messaging platforms to communicate. That certainly includes a large number of the 96% of doctors and 67% of nurses who told Spyglass Consulting in 2014 that they use text messaging to communicate patient information. By putting standards around text messaging, the Joint Commission is telling providers that consumer messaging apps on their iPhones and Android smartphones won't cut it.

But they're also signaling that they know text messaging makes healthcare providers more efficient and gets information to the right people with expediency, helping get the right care to patients more quickly.

The key to compliance is to communicate only over a secure messaging platform, rather than consumer text messaging apps, which threaten the security of patients' personal health information (PHI) and violate patient privacy rules, including HIPAA. Smartphones get lost or stolen all the time and many consumer-grade apps are easily hackable. The security threats are real if healthcare providers are using insecure text messaging apps.

What makes up a Joint Commission-compliant messaging platform?

According to the Joint Commission, a "secure text messaging platform" must include the following features:

• Secure sign-on process
• Encrypted messaging
• Delivery and read receipts
• Date and time stamp
• Customized message retention time frames
• Specified contact list for individuals authorized to receive and record orders

A platform that meets these criteria should enable healthcare providers to securely text patient orders and other PHI without risking HIPAA non-compliance. But there's another piece of this puzzle that the Joint Commission didn't outline: to maintain HIPAA compliance for PHI sent over a secure messaging platform and stored on a device, an organization must institute safeguards for device use and management. An enterprise mobility management (EMM) solution can secure or "harden" any device on which the messaging app resides, whether it runs Android, iOS, BlackBerry, or Microsoft. An EMM solution secures the device and the data on it even beyond what the secure messaging platform enables.

Such EMM solutions can, for instance, require use of a local non-portable data store and protect against the risk of loss through restricting copy-and-paste functionality. Management solutions can also impose IT policies, for example, that lock a device after a certain period of time or allow for the remote lock or wipe of all information on a lost device. In addition, an organization's usage policies can place responsibility on individuals to prevent unauthorized access and ensure that data is only transmitted and stored securely. Such device safeguards further support compliance with industry standards, such as NIST 800-11.

Implementing secure messaging and EMM platforms is not an onerous task, and it's well worthwhile. Research indicates that poor communication among healthcare providers is a leading contributor to patient care errors and medical harm. On the flip side, after implementing secure messaging platforms hospitals have seen significant reductions in emergency department wait times and length-of-stay, as well as improvements in employee and patient satisfaction.

Communication is still the primary opportunity for improvement in healthcare, and the open communication and efficiency gains provided by a modern, secure mobile messaging platform are key to realizing that opportunity. It's essential, though, that hospitals and other provider organizations ensure that, in their rush to enable provider text messaging, enforcing Joint Commission-compliant security doesn't fall by the wayside.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
