Texting Violation of HIPAAGreg Garner
Imagine you have a thriving medical practice, but your patients want to receive information about their records via text. You learn that you can text your patients, but you need to follow HIPAA rules.
Luckily, you can do a lot of things to set your messaging system up. Keep reading to learn how to secure your messages with patients.
Control Access to Messages
The first thing you need to do when following HIPAA rules for texting is to control who can access which messages. Set up policies and procedures to help your organization manage data access.
You should only give employees enough access to perform their jobs. That way, you can keep from giving data access to more people than necessary.
You should consider who needs to access data as well as who needs to change or distribute it. Those could be different people in your organization.
Every covered entity needs to determine the access levels necessary for the job. Make sure you don’t grant more access than necessary.
One way to control message access is to use encryption. Secure messages use encryption to make messages only available to the sender and recipient. If someone hacks into your messaging system, they won’t be able to see the texts.
Encryption can protect your device if you lose it. But it can also help if someone hacks into the WiFi network. Hopefully, your network is secure, but you can never be too safe.
Encryption can also protect your patients if they access the messages from a public WiFi network. Make sure that no one else can access those messages.
When choosing what software to use, select a program that logs users off automatically. This way, you don’t have to worry about people leaving their messages up for someone else to accidentally see.
The program should log out after a set amount of inactivity. You may want to give users a few seconds of inactivity. But don’t set it so long that someone else can get on to the computer to view messages.
While it can be annoying to log into a program every so often, it’s worth following HIPAA rules. Implementing an automatic logoff feature can protect your patients and staff.
Track User IDs
You should also set up unique user IDs to track who accesses what information. Unique IDs let you authorize access for certain users, and you can follow their activity.
The ID lets you hold your staff accountable to the HIPAA privacy rule and other regulations. If you find someone abuses their access, you know who to talk to so that you can keep them from violating HIPAA in the future.
User IDs don’t have to be complicated, so you can set up your entire office staff with the right tools. Then, you can monitor staff activity and ensure that everyone follows HIPAA security rules.
While this tracking won’t cover HIPAA outside of the app, it can help. If you find malicious activity here, you may find it elsewhere in your organization.
Create Emergency Access Procedures
Another thing to consider when granting access is emergencies. Perhaps someone doesn’t need information regularly, but they may need access when it’s urgent.
In that case, you can consider what emergencies would warrant accessing protected health information (PHI). For example, you may need to grant office staff some access if they receive an emergency message from a patient.
The people who can access PHI in an emergency may differ from day-to-day operations. Either way, those who can access PHI in an emergency should understand and follow HIPAA rules and your office procedures to ensure secure messaging.
Document and Review Activity
Once you set up some procedures for logging information, you should document access activity. Your reports should include information regarding the access and use of PHI in your office.
Review those reports each week to find and reduce any risks to security. That way, you can protect PHI and lower the chance of a security breach.
If you find a problem, you can address it then. That could mean changing who can access what information or updating the software you use to access and transmit PHI.
You can also use regular reviews to determine if your audit controls are appropriate and reasonable. Covered entities and business associates can use these controls to protect PHI without sacrificing patient care.
Don’t Change PHI
When following HIPAA rules for texting, you should also protect the state of the PHI you use or send. You cannot alter or destroy PHI when not authorized because that can compromise the integrity of the data in question.
As part of the HIPAA Security Rule, you have to implement safeguards to protect that integrity. You should use security functions or processes to protect the data.
It’s also important to use technical safeguards to protect the data and reduce the risk of compromising data. That way, you can send text messages securely to your patients or colleagues without unnecessary risk.
To prevent accidentally changing or destroying PHI, make sure that as few parties as possible have that access. For example, even if multiple people need to view the messages, make it so that only one person can write and edit them.
Hopefully, you have already set up user IDs for everyone in your medical office. Now, you should require authentication for people to sign into the messaging platform.
They can use their unique user IDs, but you should also require more information. If someone discovers another person’s ID, authentication provides an extra barrier of security.
You can use a password, PIN, smart card, or biometrics to authenticate access. Biometrics are excellent because they are unique to the person. But a secure password or PIN can be just as effective.
If using a password or PIN, have your staff change theirs every few months. That can keep hackers from guessing passwords and getting into secure message threads.
Protect PHI During Transfers
You should also prevent unauthorized access when PHI is transferring. First, you need to protect the integrity. This requirement is similar to the restriction on changing or deleting PHI.
Your recipient should be able to see the message that you sent without any alterations. Encrypting messages can help with this. You should also establish network communication protocols to protect PHI in transit.
When encrypting messages, you should determine how much encryption is necessary. If you’re sending a general message to a colleague, you may not need as much security.
However, messaging a patient about their condition does need more encryption. That way, your patient can get the information they need. But hackers won’t be able to access it.
You shouldn’t send messages with patient PHI without getting consent from that patient. This applies to providing any telehealth service, including text messaging, audio, and video communication.
Before starting communication, you should inform patients of the potential risks. Giving this “light warning” ensures that your patients understand what can happen.
Once they accept the risks, you should document their acceptance in writing. Get your patients to sign a form acknowledging the possibilities of using text messaging.
After you begin texting with your patient, you should follow their directions. Make sure you get their permission when sending private information through text.
Stick to Necessary Data
Before sending any PHI through text or another messaging service, consider if sending it is necessary. You may need to send PHI to insurance companies or other HIPAA covered entities.
However, only send the basics that the other entity requires. You don’t need to send a detailed report of the patient’s medical history to their insurance provider. But you may need to send information about the specific visit.
When communicating with patients, verify that you’re messaging with the correct person. And then, only send information that your patient has authorized in writing.
If they haven’t approved messages about test results, you will need to use another method to give them the information.
Use HIPAA-Compliant Text Apps
One excellent way to help you follow HIPAA rules is to use HIPAA-compliant apps. You can use your standard text messaging app or other private messaging programs.
However, those don’t always have the level of encryption you need. You should use a specific messaging app that follows HIPAA rules and regulations so that you and your patients can feel safe communicating.
Apps like TigerText, Klara, and OhMD allow you to text message your patients and colleagues with a secure system. That way, you can provide essential care, transfer important details, and more.
What to Look for in an App
Whether you want to use a HIPAA-compliant app or not, you should look for certain features. That way, you can ensure messages will make it to the right people.
Consider how you plan to use the app and what information you will send. Then, you can prioritize some features.
The most important feature is security. The HIPAA Security Rule is a major part of patient protection. You should consider what level of encryption the app uses and if it requires a PIN or password.
Knowing that your patient received the message may be important. If so, look for an app that lets you check who has read your message and the IP address. That way, you can make sure messages don’t end up in the wrong hands.
It can also help to choose an app that deletes messages after a certain period. You can set the app to make messages visible for a few hours or a few weeks. That way, the message won’t sit there for a long time.
You should always verify your recipient before sending a message. However, mistakes happen, so being able to recall messages can help you when you accidentally message the wrong person.
If you need to use photos or videos to communicate, you should consider how easy it is to integrate those with an app. Media can help you and your patients specify body parts and other medical issues, so using them can be a good option.
If you want to communicate with your staff, consider an app with group message features. You can send everyone updates at once without having to use email or having to message everyone individually.
You should also look for an app with various notification settings. That way, you can get notifications when you’re at work, but you can turn them off when you leave.
Not all HIPAA-compliant apps offer this feature, but TigerText has a guarantee that will reimburse you if you do have a HIPAA violation.
What Happens if You Violate HIPAA Rules?
If you violate HIPAA rules, you can face small or significant penalties. The exact fine and consequence will depend on the violation and its severity. When determining HIPAA violations for texting, consider if the offense is civil or criminal.
Civil violations will result in a $100 fine per violation. You can get up to $25,000 per year, per person.
Criminal penalties are a little different, and they are when you intentionally violate someone’s privacy.
If you obtain or disclose PHI, you could face a fine of $50,000 and up to a year in prison. Obtaining PHI under false pretenses will get you a fine of up to $100,000 and 5 years in prison.
If you obtain PHI because you want to sell it or transfer it, you can get up to 10 years in prison. You would also need to pay up to $250,000. The same penalties apply if you get PHI for personal gain, commercial advantage, or malicious harm.
What if You’re Unsure of HIPAA Compliance?
If you aren’t sure if something complies with HIPAA, be safe. Don’t send that text message or use that messaging platform.
Ask your colleagues if you’re overthinking the regulation. That way, you can verify you’re okay to send the information.
HIPAA Rules for Text Messages
Following HIPAA rules for texting can seem like another thing to learn. But it’s essential if you want to offer secure communication with your staff and patients.
You should take message security and confidentiality seriously. If you don’t you could face harsh penalties.
Do you want to learn more? View our HIPAA courses and enroll today.