
Unsecured Text Messaging = Willful Neglect

We have come across this scenario a number of times:

  1. Hospital knows that doctors are texting ePHI
  2. Hospital creates policies against it and informs staff of them
  3. People are doing it anyway and Hospital management / IT staff know it
  4. Since a policy is in place, infractions of the policy are ignored

This is willful neglect, folks.  This is the kind of thing that will come back to bite you and leave a serious wound.  Just having a policy does not protect your organization from infractions of that policy.  If you know (or even suspect) that infractions may be occurring, you are required to take action.

In a 2014 survey on physicians’ at-work texting habits (in Telemedicine and e-Health), researchers found:

  • 60 percent sent and 61 percent received work-related text messages.
  • 12 percent sent/received work-related text messages more than 10 times per shift.
  • 53 percent texted about work-related matters while not on duty.
  • The most common recipients of the respondents’ text messages were other pediatric hospitalists (68 percent), fellows or residents (37 percent) and consulting physicians (28 percent).
  • 46 percent reported having concerns about privacy standards with regard to texting.
  • 30 percent have received protected health information in a text message.
  • 11 percent said their organization offers a secure texting solution.

Your best courses of action are either to truly ensure that no texting is going on, ever, or to provide a means by which your staff can text in a HIPAA-compliant manner.

Why? Let's Review HIPAA

The HIPAA Omnibus Final Rule has a lot to say on this topic.

  1. Insecure texting of ePHI is a breach; breaches are associated with large penalties.  These penalties can be up to $50,000 per event (per text).
  2. The maximum penalties occur when there is willful neglect: e.g. disregard for the law.
  3. Under HITECH, you have a responsibility to investigate any possible breach if “any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate” knows or should reasonably have known that a breach has taken place.
  4. So, if you have a policy against something, know that people are violating that policy, and turn a blind eye — that is willful negligence.
  5. HIPAA requires that your staff are trained and knowledgeable about what constitutes a breach, what does not, and how to file a complaint. Your staff must be fully aware of the ramifications of insecure texting.

The path to recovering from an adverse environment is, fortunately, pretty clear:

  1. Decide whether you will forbid texting or provide your staff with a HIPAA-compliant texting solution so they can continue to do “business as usual” and will be less tempted to text insecurely.
  2. Clearly document these policies
  3. Train all staff on the new policies: what is permitted, what is a breach, and how to report suspected breaches
  4. Ensure adoption: make sure staff know about your solutions, know how to use them, and are up to speed.
