With the Centers for Medicare & Medicaid Services (CMS) releasing a memorandum summary at the very end of 2017, the two positions on the use of text messaging when dealing with patient information were further clarified.
Can healthcare use regular text messaging that comes standard on all mobile devices? No!
Can healthcare use secure text messaging through HIPAA compliant systems for their mobile devices? Yes!
So here is the breakdown: Yes, to collaboration and clarifications (when using compliant messaging) and No, to sending orders.
Catch that "when using compliant messaging"? There has been some confusion about what can and cannot be sent via "text", so here is a brief history. In 2011, the Joint Commission banned texting since the technology was new and had not really been vetted for healthcare. In the spring of 2016 the Joint Commission approved secure texting and outlined what needed to be done to be compliant, then partially reversed itself a few months later by banning the texting of patient orders. So text messaging in healthcare went from little or no regulation, to a complete ban, to complete approval, and back to banning some things and allowing others when communicating about patients.
So now you know you can message patient information, but how do you do this in a compliant fashion?
Well, time for a little vocabulary lesson. While "text" or even "secure text" is a common term in the HealthIT space, the term itself is part of the confusion. Plain SMS text is not a compliant channel for anything that could contain protected health information (PHI). To add a further level of complexity, "secure messaging" has a number of areas it needs to address to count as "compliant messaging", and compliance depends on the industry: the financial sector has its own regulations, so secure to a bank is not the same as secure to a hospital. To sum up: SMS text is neither secure nor compliant; secure messaging could be compliant; and anyone claiming compliance in healthcare should have a third-party risk assessment and a Business Associate Agreement (BAA) in place.
(Sorry about this mouthful coming)
At Mediprocity we focus on securing healthcare communications and on risk assessments that meet OCR/NIST guidance as well as federal and state regulations, so that patient information can be communicated compliantly. Separately, CPOE (Computerized Provider Order Entry) is the preferred way to enter orders, with written and verbal orders still allowed, which leaves integration with CPOE as the area where messaging can cross over. Texting patient information among members of the healthcare team is permissible if accomplished through a secure platform.
This ruling came after some confusion caused by a CMS response stating that texting any kind of patient information was prohibited. To clarify, CMS and the Office for Civil Rights (OCR), which enforces HIPAA, do not allow texting patient information of any kind unless it is done within a fully HIPAA compliant platform. HIPAA compliant platforms must meet, and should exceed, the HIPAA Security Rule, 45 CFR Parts 160 and 164. Mediprocity meets and exceeds this ruling and therefore may be used to text patient health information.
The Joint Commission and CMS have also reaffirmed their position that no patient orders should be sent via text regardless of the platform utilized. The preferred method is CPOE (computerized provider order entry). CMS goes on to say that physicians and licensed independent practitioners should enter orders into the medical record via a hand-written order or through CPOE. Since text messaging is the preferred method of communication today, with over 23 billion texts exchanged daily, it is safe to assume that some of that communication includes patient health information. Your organization should by now be using a secure texting solution to comply with HIPAA. It is hard to believe in the year 2018 that your staff never uses text messaging. If you honestly believe no one in your organization sends texts daily, we have a great bridge in Brooklyn to sell you.
If everyone in your organization were still using a rotary phone or an old cellular brick phone, that argument would hold up. Realistically, almost everyone has some sort of smartphone and/or tablet and is texting daily.
• Do you have a mobile phone policy in place if the OCR were to perform an audit?
• Do you have access controls and remote wipe in place?
• Do you have retention of text records?
Mediprocity turns these questions into a yes! Mediprocity also allows your team to clarify orders on patients while discussing patient health information. CMS recognizes that texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication. CMS goes on to say they expect the texting platform to meet HIPAA standards, and that the functionality of the platform will help to avoid negative outcomes that could compromise the care of patients.
The effective date of this ruling is immediate. All state survey and certification staff and managers have been made aware of this memorandum. If you do not have a HIPAA compliant texting solution in place and a state surveyor asks to see what you use, what will your answer be? If your answer is "we never text" and you later have a breach, that answer will be on record and the breach will look like willful neglect. That places you in the high-risk fine arena, which is a place you do not want to be, as both organizations and individuals can be held accountable.
Need some proof? Most recently a 2 million dollar fine was imposed on a cancer treatment company that is now filing for bankruptcy protection. Texting without a secure platform today is no joke. Mediprocity can help by becoming your mobile device policy and a trusted way to improve your communication and patient care. So let's recap...
Can I text patient health information? Only if using a HIPAA compliant text platform.
Can I send orders via text? No. Orders must be entered through CPOE or as a hand-written order in the medical record.
Can I clarify orders and ask questions using a HIPAA compliant platform like Mediprocity? YES!
• Free for physicians.
• No long-term contract.
• Accounts as low as $6 per user / per month.
• Free Training.
• Free Support.
• And, we are super friendly!
Contact us today and protect your organization! We can have you up and running in less than 30 minutes.
The Office for Civil Rights (OCR), which enforces HIPAA, put out a great reminder checklist for cybersecurity. It notes that threats never take a day off: the moment an office and its staff have their guard down is when a vulnerability can arise, and that increased risk can compromise an entire organization in an instant. Mediprocity plans to share some good data tips on our blog in the early months of 2018 and wanted to start off with the OCR checklist.
On The Go
Think about how vulnerable you are when you are traveling, whether for work or for pleasure. This is the time to take extra steps to safeguard any device that can have patient health information stored on it. Make sure each phone, laptop or tablet is protected by a password, Touch ID or face unlock. Additionally, make sure that any area of the device that stores PHI is encrypted and that you can remotely lock or wipe the device from any location if you lose it. If you do not need your work phone or laptop, do not bring it. Many devices are stolen from cars during travel after being left on the back seat.
Bring and Use Your Own Power Adapters and Cords
It's never safe to charge your devices using anything other than your own power adapters. Cyber thieves may install malware behind the USB ports of hotel lamps, airport kiosks and other public charging stations. If you absolutely must charge your device on the road and do not have your own charger or adapter, power down the device before connecting it to any airport chair or public USB charging station; a charge-only cable or a USB data blocker, which passes power but not the data lines, is a further safeguard.
Back Up Your Electronic Files
Before you leave, back up your contacts, photos, videos and other mobile device data with another device or cloud service. And make sure your back-ups are encrypted and secure!
Install Security Updates and Patches
Be sure to patch and update operating systems and software (including mobile device apps). This should be a regular practice, but it is particularly important if you will be unable to update while traveling. Updates and patches can fix security flaws and enable security software to detect and prevent new threats.
Create New Passwords and Change Passwords
Change the passwords you will use while traveling, and add multi-factor authentication if possible. Don't skimp on password creation either: a numerical sequence is not acceptable. Passwords should be at least 10 characters with a combination of letters, numbers, and symbols. Consider using a passphrase, a combination of words that is long but easy to remember, such as "Mydogatemyhomeworkandgotindigestion". Once you're home, change your passwords again!
Lock Devices Down
Most smartphones, laptops, and tablets come equipped with security settings that will enable you to lock the device using a PIN or fingerprint ID. Do this on every available device. In the event you misplace or lose a device, this will be the first line of defense against a security breach.
Turn Off WiFi Auto-Connect and Bluetooth
Go into your device's Settings and disable the WiFi auto-connect option so that you connect manually, and only when it is safe to do so. Similarly, disable Bluetooth when you are not using it. If these are left on, your device will join networks and advertise itself to nearby devices without you noticing, which gives a nearby attacker several easy ways to connect to it.
Avoid Public WiFi
Avoid connecting to any public WiFi network. You didn't connect to the free, open WiFi on the airplane, so keep that mindset on the ground. Using your mobile network (4G or LTE) is generally more secure than a public wireless network. Do not conduct sensitive activities, such as online shopping, banking, or sensitive work, over a public wireless network. Always connect to work networks through a VPN, and only use sites whose address begins with "https://" when shopping or banking online.
Ensure Physical Security of Your Devices
NEVER let your devices leave your sight. If you cannot physically lock devices in your hotel room safe or other secure place, take them with you. There are no good hiding spots in your hotel room! Many breaches occur because a device was left unattended when an opportunistic thief struck. When traveling with laptops and tablets, the best protection is to carry them with you. It’s never safe to pack your devices in your checked luggage.
Create Unique PINs
Don’t use the same PIN for the hotel safe and a mobile device, especially one that you’re storing in the hotel safe! Do you really want to make it that easy for a thief?
Use Geo-Location Cautiously
Most social media sites are happy to automatically share your location as you post photos and messages. This also tells thieves back home that you are away, which is a great time to break in. So, limit the information you post regarding your location at any point in time.
For HIPAA Covered Entities and Business Associates
The HIPAA Security Rule requires that covered entities and business associates conduct a risk analysis to identify risks and vulnerabilities and to mitigate identified threats and vulnerabilities. Risks to ePHI created, received, maintained, or transmitted on workplace owned equipment, and personal equipment if permitted, when workforce members travel must be included as part of a covered entity’s or business associate’s risk analysis and risk management process.
This information was provided by The HHS Office for Civil Rights (OCR) web site which provides guidance on the HIPAA Security Rule as well as guidance on specific cybersecurity topics. A PDF of this newsletter may be found at: https://www.hhs.gov/sites/default/files/ocrcybersecurity-newsletter-december-2017.pdf
F-Tag 164 Privacy & Confidentiality for messaging
On June 2, 2014 it was reported that the first deficiency for an unsecured text message in the long-term care market had been issued. North Carolina's Division of Health Services Regulation (survey & certification) issued a notice to all facilities about a recent survey citation centered on F-tag 164, Patient Privacy.
As CEO of Mediprocity, over the years I've found that many in healthcare do not see the need, or do not believe there will ever be an infraction handed out over text messaging. Others adopt a "do not text" policy, which is hardly a policy under the weight of $10 million in fines handed out in the 2nd quarter of 2014. If you look at all the fines in Q2 2014, the underlying theme is that the organizations didn't have a policy and procedure in place. And perhaps more importantly, a "no text" policy isn't a solution for your staff!
As pointed out in the very informative article by Rod Baird, "LTC Compliance Alert - Text Messages and PHI Do Not Mix! Is There a Solution?", the state of North Carolina has made it very clear: if an LTC facility is caught without a policy in place and/or using unsecured text, an F-tag 164 deficiency will be issued.
Another area of concern is civil monetary penalties (CMPs), which are fines attached to federal tags. If F-164 is now being recognized and enforced in North Carolina, how long until other states follow suit?
If your facility has not yet set up a policy and procedure to protect your communications, improve your workflow, and retain and transfer resident records properly, you are at risk.