Text Messaging and HIPAA Compliance Risks

Like everyone else, health care workers have become accustomed to the convenience of communicating by text message.  Although using text messages can make communications more efficient in the health care setting, transmitting protected health information (PHI), including photographs, in text messages raises Health Insurance Portability and Accountability Act compliance risks.  Some of the compliance risks include the following:

  • Many people do not password-protect a mobile device, making it easy for another user to access PHI stored in texts.  This access can occur when the device is shared, lost, or stolen.
  • Text messages often are not encrypted, unlike e-mail.
  • The use of personal mobile devices to send texts or photographs is common, unlike email, which most often is sent on work-issued computers or tablets.
  • Text messages can remain on a mobile device indefinitely.

HC BLOG_textingThe U.S. Department of Health & Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) have gathered tips to safeguard PHI when using mobile devices.  They make the following suggestions about how to protect and secure information on mobile devices, which applies to developing a policy on transmitting PHI by text message.

  • Use a password or other user authentication.
  • Install and enable encryption.
  • Install and activate remote wiping and/or remote disabling.
  • Maintain physical control of the mobile device.
  • Delete all stored health information before discarding or reusing the mobile device.

HHS and ONC have resources to assist in updating or developing policies for mobile device use.  They recommend the following five steps for policy planning.  These steps can assist health care organizations in developing a policy on using text messages to transmit PHI.

1.   Decide whether mobile devices will be used to access, receive, transmit or store PHI.

2.   Conduct a risk analysis to identify risks and perform a risk analysis periodically whenever there is a new mobile device, a lost or stolen device, or suspicion of compromised health information.  After conducting a risk analysis, document:

  • which mobile devices are used to communicate with your organization’s internal networks or system; and
  • what information is accessed, received, stored, and transmitted by or with the mobile device.

In addition, organizations should review HHS “HIPAA Security Series: Basics of Risk Analysis and Risk Management” for guidance on conducting a risk analysis.

3.   Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.   The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.

4.   Develop, document, and implement your policy.  HHS and ONC suggest that the organization consider the following.

  • mobile device management, including identifying and tracking devices;
  • whether personal mobile devices can be used and whether they can be used to connect to the organization’s internal network or system;
  •  whether the device can be used away from the organization;
  • whether the device can be used to text;
    • security/configuration settings on mobile devices;
    • restrictions on information that can be stored on mobile devices;
  • procedures for addressing misuse of mobile devices; and
  • recovery and deactivation to wipe or disable lost or stolen devices or devices of employees who leave the organization.

5.   Provide training on mobile device use.

Image courtesy of Flickr by Jhaymesisviphotography

DHHS Promulgates Rule Giving Patients Right to Receive Results Directly From Lab

Earlier in the week, the Department of Health & Human Services announced a new rule under the Health Insurance Portability and Accountability Act (HIPAA) and the Clinical Laboratory Improvements Amendment of 1988 (CLIA) giving patients the right to access test results directly from a diagnostic laboratory, instead of making them go through the physician who ordered the results.  The final rule is available here.

The quick summary of the new rule is that if a covered laboratory (which is a laboratory that conducts one or more transactions electronically – so pretty much any laboratory) keeps test results electronically, it must share those with the tested individual or his or her personal representative; if it does not have results stored electronically, it must make an electronic copy in a mutually agreeable format.  Non-CLIA labs are exempt, as well as a handful of other entities and tests.

One major objection to the new rule is that many patients are ill-equipped to understand the test results without consulting with their physicians, and as such, they may be apt to overreact to seemingly abnormal results or false positives.  I understand where this is coming from.  Years ago, I contracted a nasty case of pneumonia training for the Boston Marathon in the dead of winter in Chicago.  This was the first (and only) time I had ever had pneumonia, and I became worried that I wasn’t recovering as fast as I’d like.  I went to a specialist, who ordered a comprehensive breathing test to make sure it wasn’t asthma.  At the lab, I blew into a bunch of tubes.  After one test, the lab tech shook her head and asked if I was a heavy smoker.  I said no, and she got a deeply concerning look on her face.  I, of course, freaked out.  The day the results were supposed to be available, I called the pulmonologist to get the bad news.  Guess what?  The results were totally normal, for someone who was recovering from pneumonia.  (I eventually started to feel normal, but it took months.)

And that’s the problem.  There are any number of conditions that can make otherwise abnormal lab results perfectly acceptable.  I’m not saying that it’s enough to make the new rule a bad one; DHHS certainly didn’t think so.  It emphasized that physicians will still be expected to consult with their patients about the results, and noted that most labs report that patients ask for the direct results only after they have already spoken with their physicians about them.  I’m not entirely sure that’s responsive – the fact that physicians still will advise their patients doesn’t really address the concern that some patients will get the results before having that conversation, and even if most patients tend to wait until they talk to the physician before directly requesting the results, some evidently do not.  But I’ll set those qualms aside.  The rule is here to stay.

It is important to make one point, though.  Given that patients are able to call the lab and get their results directly, physicians ordering tests need to do a good job up front communicating to the tested individual as to the expected results and the results that are cause for concern.  For example, in my case, the pulmonologist should have told me that given my recent pneumonia, she expected my results might show diminished lung function (assuming I had the right to directly access them), and that would be completely normal.

If you have that conversation up front, it can save a lot of stress and concern on the part of the patient, and perhaps even unnecessary testing for those eager beaver patients who don’t want to wait to consult their doctor about potentially concerning results.

OIG Report Criticizes OCR’s HIPAA Enforcement Efforts

The Office of Inspector General for the U.S. Department of Health & Human Services (OIG) issued a Nov. 21, 2013, report criticizing the HIPAA enforcement efforts of the Department of Health & Human Services Office for Civil Rights (OCR).  The report’s title nicely summarizes the OIG’s findings:  “The Office for Civil Rights Did Not Meet All Federal Requirements in its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule.” 

Examining oversight and compliance efforts in Washington, D.C., and Atlanta between July 2009 and May 2011, the OIG found that OCR did not meet federal requirements for the oversight and enforcement of the HIPAA security rule.  According to the OIG’s report, OCR continued to follow a complaint-driven approach to its compliance efforts and did not provide for periodic audits.  In addition, the OIG found that OCR’s investigation files did not contain required documentation supporting key decisions. 

Notably, when the OIG examined OCR’s computer systems in May 2011, the OIG found that OCR had not fully complied with federal cybersecurity requirements for its information systems used to process and store investigation data. 

The OIG made several recommendations to OCR, including that it provide for periodic audits of covered entities to ensure compliance with HIPAA’s security rule.  It is possible that the report will result in increased audits of covered entities.  Thus, covered entities should assess their HIPAA compliance efforts, including conducting a risk analysis.