New Regulations for HIPAA Compliant Texting
New regulations relating to HIPAA messaging compliance were contained within the Final Omnibus Rule that was enacted in March 2013. These are intended to revise existing legislation in the Health Information Technology for Economic and Clinical Health Act 2009 (HITECH) and the Health Insurance Portability and Accountability Act 1996 (HIPAA) in order to increase the security level of patient health information.
The revised HIPAA compliant messaging guidelines aim to eliminate patient health information being compromised during the transmission or receipt of personal data via SMS – or while patient health information is stored on a mobile device such as a cell phone, Smartphone or tablet – and, in addition to changing the guidelines relating to HIPAA compliant texting, the new HIPAA compliant messaging regulations now also apply to “vendors” and “business associates” who provide third party services to the healthcare industry.
Breaches of Patient Health Information
Breaches of patient health information are a source of concern for the Office of Civil Rights (an arm of the United States Department for Health and Human Services) as the Office has recorded instances of compromised unsecured data affecting more than 22.8 million patient records since the Breach Notification Act was introduced on 2009.
According to statistics released by the Center for Democracy and Technology, 66% of the recorded breaches were attributable to mobile devices being either lost or stolen and, as more than 80% of healthcare professionals now use employer-issued or personal mobile devices to access patient health information or to communicate with colleagues (according to a survey by the Health Research Institute), the risk of patient health information being
compromised is significant.
Issues with the Previous HIPAA Messaging Compliance Policy
The new HIPAA compliance messaging rules also “require appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.” The failure to introduce HIPAA compliant texting in the workplace could result in organizations and individuals being prosecuted by the Office of Civil Rights, or being faced with civil legal action from patients whose personal information has been compromised.
What are the new HIPAA Messaging Compliance Rules?
The new HIPAA messaging compliance rules concentrate on protecting patient privacy and how breaches – if they happen – should be dealt with; but there are also other changes to the regulations within the Final Omnibus Rule that all individuals with responsibility for the integrity of patient health information should be aware of in the event that patient data stored on mobile devices is compromised:
- Any organization or individual with access to patient health information should amend their own HIPAA messaging compliance policy and, when a suspected security breach is identified, report it within 60 days.
- Revised HIPAA messaging compliance policies should cover the scenario in which a mobile device is lost or stolen, or if the owner wishes to sell or dispose of it, so that patient health information can be removed remotely.
- Individuals who receive patient health information on their mobile devices should be informed not to store any patient-related text messages, picture, video or voice files they receive on the local storage facility of their mobile devices.
- Organizations are now obliged to carry out periodic risk assessments to ensure they comply with the HIPAA messaging compliance guidelines and attend to any potential breaches of patient health information that are discovered.
Who do the HIPAA Messaging Compliance Guidelines Apply To?
The new HIPAA messaging compliance guidelines have the aim of managing who has access to patient health information, how data is stored on mobile devices and how it is transmitted between authorized parties – usually employers who offer health insurance covered by HIPAA legislation, health insurance companies who store policyholders’ records on their mobile-accessible database, and medical practitioners and nursing staff who need to access patient data to administer the appropriate healthcare.
As “business associates” or “vendors” (or any other third-party service providers) also require access to patient health information to efficiently carry out their business, they too are included in the new HIPAA messaging compliance guidelines, and they have a responsibility to compile a secure text messaging policy and ensure that the integrity of patient data remains intact should they pass any healthcare-related business onto sub-contractors.
How to Observe the HIPAA Compliant Messaging Regulations
Complying with the new regulations can be labor-intensive, and take up valuable time that can encroach upon the efficiency of an individual or the level of healthcare that a patient receives. Therefore, readers are welcome to download our “Top 8 Secure Messaging Policy Best Practices Brief” which expands on the revisions made in the Final Omnibus Rule and provides recommendations to assist organizations with observing the HIPAA compliant messaging regulations.
- TigerText is a HIPAA-compliant secure messaging platform, which facilitates the transmission, receipt and storage of patient health information within an encrypted virtual private network.
- The secure messaging platform operates using a “software as a service” cloud-based application, which requires no training or downloading before it can be used.
- TigerText also increases efficiency within the workplace by sending confirmation notifications when SMS messages have been read.
- The life of messages can be pre-determined (or messages can be recalled once read) to reduce further the risk of patient health information being compromised.
- Individuals, groups and distributions lists can be messaged simultaneously, securely and efficiently.