The New HIPAA Texting Rules
The Final Omnibus Rule of March 2013 introduced a new HIPAA texting policy, which for the first time, including third party service providers to the healthcare industry and business associates. The new HIPAA texting policy updates previous legislation in the Health Insurance Portability and Accountability Act 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act 2009 (HITECH) to increase the security of patient health information.
Although the new HIPAA texting guidelines were enacted in March, organizations and individuals who have access to patient health information had until September 23 to revise their own policies and procedures to comply with the new HIPAA texting rules. You can read more about the changes that were introduced into the HIPAA texting guidelines below, or you are invited to download our white paper “Top 8 Secure Messaging Best Practices Brief” which provides more information about the precautions organizations can take to ensure they comply with the new HIPAA texting rules.
Why was a New HIPAA Texting Policy Needed?
The new HIPAA texting policy introduced in the Final Omnibus Rule aims to eliminate the risk of patient health information being compromised during the sending or receiving of sensitive data via SMS, or while patient health information is kept on a portable mobile device (cell phone, tablet, Smartphone, etc.).
A study conducted by the Health Research Institute has revealed that more than 80 percent of healthcare workers now use portable mobile devices to communicate information to colleagues about their patients or to access stored patient health information.
However, research carried out by the Center for Democracy and Technology showed that 66 percent of potential patient data security breaches over the past two years (that had been reported to the Office of Civil Rights) were attributable to portable mobile devices being either stolen or lost.
The HIPAA Texting Guidelines Address Previously Unconsidered Issues
The potential for patient health information being compromised has increased substantially due to advances in technology and changes in working practices since the original Health Insurance Portability and Accountability Act was made law in 1996.
The new HIPAA texting guidelines address some of the scenarios that have evolved since the original Act was drafted almost twenty years ago:
- The revised HIPAA texting policy accounts for the lack of security on many portable mobile devices, and the fact that few portable mobile device owners use passwords to protect sensitive patient health information
stored on them.
- The new HIPAA texting guidelines also address sensitive patient health information that is transmitted by text to or from personal portable mobile devices, which is not encrypted and which should now be deleted if no encryption security measure is in place.
- New HIPAA texting rules have also been introduced to safeguard patient health information when it is sent, received or reviewed, by the portable mobile device owner over an unsecured cellular network or public Wi-Fi.
Consequently, the new HIPAA texting rules “require appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information”. It should also be noted that the failure to comply with the new HIPAA texting guidelines could result organizations and individuals facing criminal charges or civil legal action if sensitive patient data is compromised.
What are the New HIPAA Texting Rules?
The new HIPAA texting rules have the aim of controlling who has access to patient health information, how that information is transmitted and received, and how it is consequently protected when it is stored on a portable mobile device. Because third-party service providers and business associates need access to patient health information to efficiently conduct their business, they too are included in the new HIPAA texting guidelines which should ensure the integrity of secure patient data.
The new HIPAA texting policy primarily focuses on patient privacy; but there are also other guidelines within the Final Omnibus Rule that all organizations and individuals who use, transmit or receive patient health information should know about, in the event that sensitive data stored on portable mobile devices is compromised:
- Organizations and individuals with access to patient health information have to amend their own HIPAA texting policy and report when a suspected security breach is identified.
- The revised texting policies should include safeguards to ensure individuals do not maintain private health information on the local storage facility of their portable mobile device.
- Employees with access to patient health information should notify their supervisors before selling or disposing of their portable mobile device, or when the device is lost or stolen.
- The ability should exist for organizations to remotely recall or delete any sensitive information relating to patients, employees or policyholders to comply with the new HIPAA texting rules.
- Organizations now have a duty to conduct regular risk assessments to make sure they comply with the terms of the HIPAA texting rules
- When patient health information has been encrypted, and any data stolen or lost is “indecipherable, unreadable, or unusable”, it is not always necessary to notify the breach.
- Employers, who offer HIPAA-covered health insurance, should also inform their employees of their new rights under the revised HIPAA texting rules.
Complying with the new HIPAA Texting Policy is Straightforward
The most straightforward way to comply with the new HIPAA texting guidelines is to have all portable mobile device users within your organization make use of the secure messaging platform available from TigerText.
TigerText´s secure messaging platform is a “software as a service” cloud-based application which is so simple to operate that most individuals will not need any training to use it or have to download software onto their portable
The TigerText platform allows individuals and organizations to transmit and receive patient health information within a secure virtual private network that ensures compliance with the HIPAA texting rules and ensures the integrity of sensitive personal data.
Additional Benefits of TigerText´s HIPAA Texting Policy Solution
In addition to ensuring the integrity of sensitive personal data sent and received between individuals and organizations, TigerText´s HIPAA texting policy solution can also increase the efficiency of employees within your organization.
The TigerText secure messaging platform sends confirmation notifications when SMS communications have been read to eliminate the need for follow-up calls to ensure that messages have been received. The additional time that the confirmation process saves – especially within a clinical environment – will increase the amount of time that can be devoted to the care of patients by healthcare workers.
To find out more about TigerText´s secure messaging platform – and how it complies with the revised HIPAA texting rules – you are invited to download our “Top 8 Secure Messaging Best Practices Brief” which offers advice about what should be contained within a HIPAA compliant secure messaging policy.