Why the Concern about HIPAA Rules and Texting?
The new legislation was introduced to reduce the risk of personal health information being compromised during the sending or receipt of patient data via text messages, or while personal health information was stored on a mobile or portable device (tablet, smartphone, cell phone, etc.).
Studies had indicated that more than 80 percent of healthcare workers use mobile or portable devices to access personal health information and communicate with each other about their patients, while more recent research revealed that 66 percent of security breaches reported to the United States Department of Health and Human Services over the past two years were due to mobile devices being lost or stolen.
As the potential for personal health information breaches had increased significantly due to technological advances and changes in working practices since the original Health Insurance Portability and Accountability Act was brought into law in 1996, new HIPAA laws and texting practices were introduced to address issues that may not have been considered when the original Act was enacted almost two decades ago:
- The changed HIPAA safeguards about texting identified the risk that mobile device owners who access personal health information on their tablets or smartphones, or communicate with patients via text messages, could have sensitive information compromised when they use unsecured cellular networks or public Wi-Fi.
- The revised HIPAA guidelines about texting address the lack of security on many mobile devices, as few mobile device owners use passwords to secure sensitive information stored on their mobile devices.
- The new HIPAA rules about texting also deal with the fact that sensitive patient information transmitted by text to or from personal mobile devices is rarely encrypted. If unencrypted text messages are not deleted once they have been sent or received, any person who steals or finds the mobile device would have access to the personal health information stored on it.
It is important to note that the new HIPAA laws about texting “require appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information” and the failure to comply with the new legislation could result in criminal and/or civil charges being brought.
The number of personal health information breaches that have been recorded since 2009 is of particular concern to the Office for Civil Rights (part of the United States Department of Health and Human Services). The office has recorded security breaches affecting more than 22.8 million patient records and, as mentioned above, 66 percent of those were attributable to lost or stolen mobile devices.