The platforms can also be used to remotely erase and delete messages if a mobile device is lost or stolen, PIN-lock apps downloaded on mobile devices, and extract audit reports. Via user-friendly admin control panels, Covered Entities can use granular role-based permissions and use messaging policies. In relation to the security and integrity of PHI, all communications are saved on a private cloud and logically separated from other data. When integrated with EMR systems, patient information can be sent straight from the text messaging app to the EMR system – saving users important time. They allow HIPAA compliant voice and video calls, allow groups to work together remotely in a secure environment, and facilitate the sharing of files and images with other authorized users. The most recent generation of HIPAA compliant text messaging apps do more than support HIPAA compliant texting. HIPAA compliant text messaging apps have become to go-to way of resolving the question of “is text messaging HIPAA compliant?” The messaging apps work in much the same manner as commercial apps such as WhatsApp, Facebook Messenger, and Skype – so users are familiar with how they operate – but they operate within a safe, encrypted network with access controls and audit controls to meet the requirements of the HIPAA Security Rule. Even when these apps are deployed, it is still necessary to adhere with the Minimum Necessary Standard and the physical, technical, and administrative security measures of the HIPAA Security Rule. One final instance in which text messaging is HIPAA compliant is when the Covered Entity has put in place a solution such as a HIPAA compliant messaging app that has the necessary controls and encryption to support HIPAA compliant texting. healthcare providers) within a geographical location. In these instances it may be some, but not all, rules relating to texting patient data, and the waiver may be for a fixed time period only or apply to Covered Entities of a certain nature (i.e. Department of Health and Human Services waives the HIPAA rules for text messaging after a natural disaster like an earthquake or hurricane occurring.
Other instances in which text messaging is HIPAA compliant include employers who supply onsite clinics as an employee health benefit, who provide self-insured health plans for employees, or who act as an intermediary between workers, healthcare providers, and health plans. Both the warning and the consent must be recorded. Texting patient information to patients is permitted by HIPAA provided the Covered Entity has warned the patient that the risk unauthorized disclosure exists and has obtained the patient’s permission to communicate by text. It was referred to above there are circumstances in which SMS text messaging can be HIPAA complaint, and the most common circumstance worries in relation to HIPAA compliant texting to patients. There also has to be a way to stop the interception of plain text messages – or extraction of plain text messages from carriers’ servers – which is why the encryption of PHI in transit is strongly advised. It is simply impossible to implement audit trails for HIPAA compliant text messaging because the technology does not exist that can audit every possible operating system.Įven if there was a way to get around the HIPAA texting rules for access controls and audit controls, that would not make text messaging HIPAA compliant. This is why the HIPAA regulations for text messaging – or any other form of electronic communication – state that audit controls are necessary to record when PHI is developed, modified, accessed, shared, or erased. Additionally, mobile devices can be lost or stolen – which not only potentially exposes PHI to unauthorized access, but the data in the messages can be used to commit insurance fraud or identity theft. Reviewing these reasons in more depth, with regards to access controls, anybody can pick up an unattended mobile device and read the messages it contains. These include – but are not restricted to – the lack of access controls, the lack of audit controls, and the lack of encryption – which although an “addressable” requirement of the HIPAA Security Act, is about the only possible way to ensure the security of PHI on the move. There are many reasons why it is more secure for Covered Entities to prohibit texting PHI rather than permit it. There also has to be a strategy in place to manage who can access PHI, and what authorized personnel do with PHI when they access it.
HIPAA does not outright forbid sending PHI by text, but – in order for texting to be HIPAA compliant texting – security measures must be in place to ensure the confidentiality of PHI when it is at rest and on the move.
0 kommentar(er)
