The Robert Wood Johnson
Foundation, conducted a study finding that nurses spend as much as 60 minutes
of each work day tracking down physicians for a response to their patient care
questions. Many healthcare providers believe it would be more efficient to send
text messages in order to streamline the workflow, as well as, increase dialogue
between physicians and patients. An issue arises
though, if the message contains Protected Health Information. This is a result of the fact that text
messages are electronic communications and therefore the message would be
considered Electronic Protected Health Information (ePHI), which must comply
with the Health Insurance Portability and Accountability Act (HIPAA).
It is challenging to
send a HIPAA compliant text message as they carry a great deal of risk. The risk stems from the fact that they are typically
not encrypted, senders cannot authenticate the recipients, recipients cannot
authenticate the senders and ePHI can remain stored on wireless carrier
servers. The Joint Commission has completely restricted physicians or licensed
independent practitioners from texting orders for patients to the hospital or
other healthcare setting, stating that “this method provides no ability to
verify the identity of the person sending the text and there is no way to keep
the original message as validation of what is entered into the medical record.” However, texting ePHI is not explicitly
prohibited by the HIPAA Security Rule.
The Security Rule
requires that those providers who want to send ePHI via text must conduct a
risk analysis. A risk analysis consists
of “an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of
electronic protected health information held by the covered entity.” The Security Rule further requires that
Covered Entities and Business Associates acting on their behalf implement
administrative, physical and technical safeguards. The Security Rule does not propose specific
safeguards, but provides a framework to assess and mitigate risks associated
with such transmissions. The American
Health Lawyers Association have given examples of technical safeguards, such as, unique
user identification, automatic logoff, encryption/decryption, auditing and authentication.
Text messaging remains
an attractive and cost effective way to communicate ePHI. Ultimately though, it is a policy decision
where the decision-makers must weigh the risks and benefits of sending PHI
through text messages.
The blog posted is very interesting from all aspects and it will surely benefit the readers by all means.
ReplyDeletetext messaging