Messaging often fails to meet HIPAA requirements

Using a smartphone to send a quick text message or e-mail has become second nature to most of us. But some healthcare providers take advantage of that convenience to communicate with colleagues and patients, not realizing that they could be violating HIPAA regulations by sending protected health information (PHI).

Consultants and attorneys who work with providers on HIPAA compliance say texting PHI is a fairly common problem. SMS text services and Apple’s iMessage do not meet HIPAA requirements that insist providers maintain the confidentiality, integrity and availability of PHI. Among the troubles with text messaging are keeping information from being seen by an unauthorized recipient, keeping it secure, and making sure the information is available in the patient’s medical record.

Behavioral providers who would like to use text messaging must exercise caution, says Sharon Hicks, a senior associate with Open Minds, a market research firm focused on health and human services. “Being able to informally communicate with people who are in treatment situations has shown some efficacy in studies,” she says, “but the technical aspects of getting it done correctly are arduous and keep people from exploiting the technology as broadly as it could be used.”

For example, she says, some studies indicate that text messages offering encouraging statements are reinforcing and help people stick to a care regimen.

“The difficulty is that you have to be careful not to put any protected health information in those messages,” she says.

And it’s just the content of the messages alone that must be considered.

“If a message includes personally identifiable health information, the principal risk I have seen is an unintended recipient,” says Nathan Mortier, an attorney with the firm Mellette PC in Williamsburg, Va. “We have all texted the wrong person. Many providers don’t realize that if they are going to be texting health information to other providers, if they text the wrong person protected health information, it becomes a breach subject to pretty stringent reporting requirements.”

Also, there could be medical decision-making taking place in a written format that is not being saved in the patients’ records, and therefore not available to future providers caring for the patients or the patients themselves. 

“What we have seen is that texting often replaces phone calls,” Mortier says. “Phone calls are not recorded and added to the medical record, but texts create a written record, and written records need to be included in the patient’s medical record if they include PHI and are relevant to a patient’s care,” he says.

Secure messaging apps

For messaging between providers, there are a number of new apps available on the market, and many of them purport to be compliant with HIPAA requirements. These apps generally require that individuals log in with a specific user name and password beyond what is on the mobile device. This helps ensure that the person entering information or using the service is verified, Mortier says. They may also have features that help automate the routing of messages to electronic health record (EHR) systems. Some EHR vendors are starting to offer add-on integrated secure messaging services.

Likewise, some health texting apps also include a feature that will limit the universe of recipients of information.

“Instead of having access to their entire contact list on your phone, it might only allow texts to other providers involved in that patient’s care,” Mortier says.

Another important feature of these applications is that they don’t store any information on the device. If a physician logs in to an EHR or secure texting app on a phone and views information, as soon as they close the app, that information is gone.

Many providers do some type of secure messaging with patients through their EHR’s patient portal. But as Open Minds’ Sharon Hicks notes, if you are trying to interact with someone on a daily or weekly basis, it becomes a burden for them to log in to get a secure message.

“If I am willing to log into the patient portal, you know I am already engaged,” she says. “Secure messaging is a potential way to help engage people who are not easy to engage.”

Healthcare-focused messaging services will eventually become popular, Hicks predicts, because both consumers and providers want an informal and easy way to communicate. “We are in this world where texting is normal, and it is much easier. We haven’t created the work flows to take advantage of all the new technology,” she says, “but people want ease of use and self-service tools because that is what they are used to in all other aspects of their lives.”

Expanding the use of text messaging

One behavioral provider network that relies heavily on its technology platform is considering how text messaging can play a bigger role in patient communications. New York-based AbleTo operates a network of 300 licensed therapists and behavior coaches around the country, providing psychotherapy to patients via phone or secure video on a proprietary platform it has created.

“Currently we are using text messaging as appointment reminders and for rescheduling, but when we think about text messaging, it is really about extending the treatment experience,” says Aimee Peters, chief clinical officer. “We have a patient portal that has digital tools available to the patient. As an extension of that, we think about providing notifications and suggestions to practice at home the skills they learn in therapy sessions.”

Text-based support provides an opportunity to celebrate wins and success, Peters adds. Patients can let therapists know they made progress or had an important event or breakthrough, and providers can reinforce that through text messaging back to the patient.

“It is also going to be used for patients to reach out to their therapist if they are stuck between sessions,” she says. “We can, in a timely way, get feedback to a patient about how to solve a problem or use a specific skill.”

Have a clear plan

Every healthcare organization should develop policies about how their providers communicate, and the use of mobile devices, Mortier says. They should be clear about what devices are permitted and what services are allowed.

“For some providers that don’t have a lot of resources, that could mean they don’t permit texting at all regarding patient information,” he says. “That doesn’t mean you can’t text to schedule a meeting; it just means you can’t have a discussion about a patient’s status or treatment using text messaging. It would have to be on the phone or using another secure method.”

If providers do have a system in place that is HIPAA-compliant, they have to make sure they not only have policies but that they are monitoring the use of communication methods on a regular basis, he adds.

“HIPAA requires not only that you have policies and procedures in place,” Mortier says, “but also that they are being followed.”

David Raths is a freelance writer based in Pennsylvania.

Secure messages by using direct protocol

The State of Arkansas’ health information exchange (HIE) offers healthcare providers access to patients’ labs, imaging reports and discharge summaries. Because EHR deployment is not as prevalent in the behavioral health space, the state has focused on helping those providers deploy secure messaging using the Direct protocol designed specifically for use in healthcare settings.

Direct messaging requires only a computer with a web browser. Direct uses identity validation, and the transport protocol has private/public encryption keys, so the message cannot be hacked, accessed or opened by anyone except the recipient who must also have a Direct address in order to participate.

Users can access the Arkansas HIE via the web and use Direct to message results to other providers.

“Because from a technology standpoint it is low-hanging fruit, we were able to roll that out pretty comprehensively across providers,” says Shirley Tyson, Arkansas’ interim health IT coordinator. “We have 114 behavioral facilities live today and 11 more in the process of implementing it.”

On average it costs between $50 and $75 per month for an Arkansas clinic to use Direct and the HIE.

“Getting access to clinical data from the primary care provider and the hospital is one of the biggest requests from the behavioral health community,” Tyson says. “There is also a lack of communication between behavioral providers when patients transition from one to the other.”

But getting behavioral providers to use Direct is not always easy. Trisha Stark, a licensed psychologist, founded the Minnesota Behavioral Healthcare Network to promote Direct secure messaging in order to help integrate care.

“The challenge we have run into is that the large systems of care, while they have Direct secure messaging, really didn’t want to allow community providers to interact with them via Direct.”

Instead, they have their own secure messaging tools for use within their own systems, she says. There are some Minnesota social service organizations using Direct messaging for referrals, and the health information service providers in the state have been reaching out to behavioral providers to get them signed up. However, it is going slowly, she says. “If large systems of care aren’t going to let community providers engage, that is a stumbling block we are really having trouble getting over.”