Over the last couple of years, we have seen explosive popularity and utilization of text messaging among our providers – and for good reason. Text messaging has a number of advantages over the antediluvian alternative: pagers.
However, text messaging's popularity, mixed with the nebulous particulars of compliance within HIPAA / HITECH, leaves a significant question unanswered – is text messaging really HIPAA / HITECH compliant? The answer varied, depending on who you asked or where you looked. The understanding has always been that text messaging is indeed compliant, which is why it is so commonly used by medical practitioners.
Recently, the US Department of Health and Human Services (HHS) made some key modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification rules. The good news: the new rules clearly define which means of communicating protected health information (PHI) are compliant and which are not. The bad news: text messages, even emails, are NON-COMPLIANT, under most circumstances. More bad news: you have until September 23rd, 2013 to come up with a compliant method of communication.
Now don’t go and sell the practice just yet! Cosmopolitan has a solution that you will love, but more on that in just a moment. First, let’s briefly delve into why text messaging is non-compliant and what your options are moving forward.
It all boils down to who is considered a Business Associate. The new rules expand the definition to any vendor or subcontractor exposed to, or with access to, PHI.
Did you catch that? Effective September 23rd, if you are texting PHI, your wireless carrier will become your Business Associate. Because the PHI from your texts is stored on your wireless carrier’s server (even for a moment), the carrier must be treated as a Business Associate. Don’t think your wireless company stores your data? Take a moment to read this article from Wired Magazine.
Now, here are your options:
Option 1: Hurry and call your wireless carrier and have them sign and return your BAA. You know, the one with specific verbiage that states that your new Business Associate must be in compliance with HIPAA Privacy and Security requirements. Don’t forget to double check that their employees and all subcontractors receive proper HIPAA / HITECH training. Lastly, have them confirm that their switches, servers, and data circuits are secure and compliant.
To process / store your patient’s PHI, HIPAA / HITECH requires:
- secure servers
- controlled access to the servers
- controlled access to server rooms on a need-to-have-access basis only
- security training at least twice a year
- BAA with the carrier
- BAA with any outside vendors who work with the switches, servers, and software
It’s subtle – I know, but option 1 was all in jest. Now here is a practical solution – and it’s simple: just don’t use your wireless carrier to communicate PHI. This way they are not a Business Associate, no BAA is required, and HIPAA / HITECH compliance is a non-issue.
But that still doesn’t solve your communication problem. This is where your web-enabled device (smart phone, tablet, iPad, etc.) and Cosmopolitan’s Secure Messaging app come in. Our app communicates exclusively with our call-taking software. Our Secure Messaging app utilizes SSL (Secure Sockets Layer) technology for encryption, decryption, and Sender/Receiver authentication, the same technology that protects sensitive information and financial transactions on major websites. But to use our Secure Messaging app, it’s not necessary for you to acquire or install SSL certificates – it’s all built in.
This is not the same as the text messaging service provided by your wireless carrier. This is a third-party solution that uses your internet connection (Wi-Fi or wireless) to send and receive encrypted messages. The app has the look and feel of traditional text messaging, yet is in complete compliance with HIPAA / HITECH regulations. The app also has additional, critical features that make managing messages easier and also help keep YOU compliant. These features include:
- Password protection for access to the app.
- The ability to send and receive device-to-device, encrypted communication. You can securely communicate with colleagues, the office, and Cosmopolitan.
- No requirement to log into an immediate server or website. Messages are received on the device.
Contact your Cosmopolitan Account Manager, who will be happy to answer any questions you may have about our Secure Messaging app, or the new HIPAA / HITECH rules affecting text messaging. If you currently use text messaging, your Account Manager will be contacting you shortly to assist you with the transition from text messaging to the app.
Email is also affected by the new rules. In my next web log, we will discuss the restrictions imposed by the new rules with regard to email and PHI, and the solutions and new features that Cosmopolitan will be offering to remain in compliance.