Secure Texting – Best Practices
This guide to secure texting has been prepared following the implementation of the “Final Omnibus Rule” in March 2013. It specifically applies to revisions of the Health Insurance Portability and Accountability Act 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act 2009 (HITECH), but the secure texting guidelines mentioned below could be applied in many different scenarios.
The best practices for secure texting in this instance apply to healthcare professionals, health insurance companies, employers who provide HIPAA-covered health insurance to their employees and, for the first time, business associates who provide third-party services to the health insurance industry.
Why Were New Secure Texting Guidelines Introduced?
New secure texting best practices guidelines were introduced to reduce the risk of protected health information being compromised during the transmission or receipt of patient data, or while such data was stored on a portable or mobile device (cell phone, tablet, smartphone, etc.).
Studies had shown that more than 80 percent of doctors use mobile devices to access protected health information and communicate with their patients, while further research revealed that 66 percent of reported breaches of patient data were due to mobile devices being lost or stolen.
The potential for protected health information breaches has increased significantly since the original Health Insurance Portability and Accountability Act was enacted in 1996 due to technological advances and changes in working practices, and issues such as the following may not have been considered when the original Act was drafted almost twenty years ago:
- Owners of mobile devices, who use them to access protected health information or communicate with patients via text messages, are at risk of having sensitive information intercepted and compromised when they use unsecured cellular networks or public Wi-Fi.
- The lack of security on many mobile devices increases the risk that any patient health information stored on them will be compromised, as few mobile device owners use passwords to protect sensitive information maintained on their mobile devices.
- Sensitive information that has been sent by text to or from personal mobile devices is rarely encrypted. If text messages are not deleted once they have been sent or received, anybody who finds or steals the mobile device would have access to the protected health information stored on it.
It is important to note that the HIPAA secure texting best practices recommendations state “[mobile devices] require appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information” and the failure to comply with the HIPAA secure texting guidelines can result in criminal and/or civil legal proceedings.
What are the New HIPAA Secure Texting Guidelines?
Breaches of protected health information are of significant concern to the Office of Civil Rights (part of the United States Department for Health and Human Services), which has recorded breaches of unencrypted health information affecting more than 22.8 million patient records since the enactment of the Breach Notification Rule in 2009.
The major issue that the new secure texting best practices guidelines are intended to resolve is control over who has access to protected health information, how it is transmitted and what is done with it when it is received on a mobile device. The new secure texting guidelines consequently now apply to business associates who would access this information when dealing with health insurance enquiries.
The HIPAA guide to secure texting primarily focuses on protecting patient privacy, but there are some other regulations within the Final Omnibus Rule that all organizations and persons who have access to protected health information should be aware of in the event that sensitive data is believed to have been compromised:
- The new best practices for secure texting ban the marketing or selling of protected health information without first getting permission from the patient(s).
- Patients now have the right to have details of any healthcare they have paid for privately withheld from the insurance company that provides their health insurance coverage.
- Patients (and in certain scenarios the Office of Civil Rights) must be notified within sixty days if a breach of protected health information is discovered which affects them.
- Organizations have the responsibility to conduct risk assessments periodically to ensure that they comply with the HIPAA guide to secure texting.
- Organizations and persons with access to protected health information should also amend their texting policies and reporting procedures should a suspected security breach occur.
Comply with the Guide to Secure Texting
The most trouble-free way of complying with the new HIPAA guide to secure texting is to implement the secure messaging platform from TigerText. TigerText's secure messaging platform is a cloud-based software application which requires no installation or training before users can engage in secure texting best practices.
TigerText enables organizations and individuals to send and receive messages containing sensitive patient data via a secure virtual private network, which fully complies with the new HIPAA secure texting guidelines and ensures the integrity of protected health information.
The TigerText secure messaging platform also uses a confirmation system to relay when a text message has been received and read, to save time on follow-up calls and to increase the efficiency of organizations and individuals who are using the system.