The use of cell phones and other wireless technology in patient care is a big trend in dentistry. Many dental providers find text messaging provides quick access to the information they need to make decisions. But dental providers and staff need to keep in mind privacy and security concerns when texting. Whether the devices are organization owned or personally owned, dental organizations that use mobile devices to text health information should comply with HIPAA regulations.
Typical short message service (SMS) texting doesn’t offer the security necessary to send protected health information (PHI). That means patient privacy might be compromised if those messages can be seen by unauthorized individuals.
Also, multiple carriers might be involved in routing text messages, messages can remain on servers unencrypted, and there’s no guarantee the intended person will receive and read the message, according to HIPAA Journal. Security of PHI is a top concern for dentists and their practices. And if unsecure texting results in HIPAA violations, you could face costly penalties.
So how can you make sure your texting habits are up to HIPAA standards? First, you should decide how to incorporate texting into health record documentation policies. HIPAA states that individuals have the right to view and amend PHI used to make clinical decisions about their care, which might include information sent via text. As such, organizations that allow text messaging should develop policies “requiring annotation of the medical record with any ePHI that is received via text and is used to make a decision about a patient.” (1)
Although HIPAA doesn’t ban sending PHI through text, a system of administrative, physical, and technical safeguards must be used to ensure the integrity of the PHI “in transit,” according to HIPAA Journal. To do that, dentists must use secure messaging systems. When starting that process, check with your accrediting organization to see if they provide guidance or texting standards. For example, The Joint Commission requires that healthcare employees send text messages through a secured messaging platform that includes a secure sign-on process, encrypted messaging, delivery and read receipts, date and time stamps, customized message retention time frames, and a specified contact list for individuals authorized to receive and record orders.
When evaluating messaging systems, look for multi-level encryption (e.g., encryption of stored data, transmitted data, and data within the application). The technology also should be able to operate on many devices, such as mobile phones running various operating systems, tablets, and desktop computers. Some other features of a secure text messaging system to consider are:
- Data storage on a secure private server with backup
- A remote option for removing/disabling the application from a mobile device in case the device is lost or stolen
- Automatic logout after a period of inactivity
- The ability to function on various wireless frequencies and Wi-Fi to avoid dead zones
- The ability to track and confirm message delivery
- The ability to set a maximum message data life (e.g., 30 days)
You should also think about the benefits of comprehensive systems, rather than single-purpose ones. Comprehensive messaging systems should easily integrate with your practice’s calendar, directory, customer relationship management system, single sign-on capabilities, and document-sharing service. More information on this can be found in our online Tools and Resources.
Finally, look into selecting a messaging system that offers instant access to documents, images, and resources within conversations, so you and your staff don’t have to switch apps (or context) to access critical information.
Still not sure how to make your texting HIPAA compliant? We’re here to help. MedPro Group has advised and protected the healthcare community for nearly 120 years. Their risk management experts can help walk you through this topic, and so many others, whenever you’re ready. Give them a call today at 800-4MEDPRO.
~ MedPro Group
(1) Greene, A. H. (2012, April). HIPAA compliance for clinician texting. Journal of AHIMA, 83(4), 34-36.
Texting is very useful, but to stay compliant, wouldn't it be easiest to not use sensitive information on texts altogether? Without writing in code, wouldn't it be wise to ask the person to call the office for such information? While texting in regard to setting up appointments or such, what can or cannot be said? Can we use the patient's name? Can we say that their appointment will be an exam? What I'm looking for is, what can and cannot be said in a text to a patient that will keep it HIPAA compliant? How do we keep it simple yet use the technology?