Unsecured Text Messaging = Willful Neglect
We have come across this scenario a number of times:
- Hospital knows that doctors are texting ePHI
- Hospital makes and informs of policies against it
- People are doing it anyway and Hospital management / IT staff know it
- Since a policy is in place, the infractions to the policy are ignored
This is willful neglect, folks. This is the kind of thing that will come back to bite you and leave a serious wound. Just having a policy does not protect your organization from infractions of that policy. If you know (or even suspect) that infractions may be occurring, you are required to take action.
In a 2014 survey of physicians' at-work texting habits (published in Telemedicine and e-Health), researchers found:
- 60 percent sent and 61 percent received work-related text messages.
- 12 percent sent/received work-related text messages more than 10 times per shift.
- 53 percent texted about work-related matters while not on duty.
- The most common recipients of the respondents’ text messages were other pediatric hospitalists (68 percent), fellows or residents (37 percent) and consulting physicians (28 percent).
- 46 percent reported having concerns about privacy standards with regards to texting.
- 30 percent have received protected health information in a text message.
- 11 percent said their organization offers a secure texting solution.
Your best courses of action are either to really ensure that there is no texting going on, ever, or to provide a means by which your staff can text in a HIPAA-compliant manner.
Why? Let's Review HIPAA
The HIPAA Omnibus Final Rule has a lot to say on this topic.
- Insecure texting of ePHI is a breach; breaches are associated with large penalties. These penalties can be up to $50,000 per event (per text).
- The maximum penalties occur when there is willful neglect, i.e. disregard for the law.
- Under HITECH, you have a responsibility to investigate any possible breach if “any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate” knows or should reasonably have known that a breach has taken place.
- So, if you have a policy against something, know that people are violating that policy, and turn a blind eye — that is willful negligence.
- HIPAA requires that your staff are trained and knowledgeable about what constitutes a breach, what does not, and how to file a complaint. Your staff must be fully aware of the ramifications of insecure texting.
The path to recovering from an adverse environment is, fortunately, pretty clear:
- Decide whether you will forbid texting or provide your staff with a HIPAA-compliant texting solution, so they can continue to do “business as usual” and will be less tempted to text insecurely.
- Clearly document these policies.
- Train all staff on the new policies: what is permitted, what is a breach, and how to report suspected breaches.
- Ensure adoption: make sure staff know about your solutions, know how to use them, and are up to speed.
- To Text or Not To Text: Texting under HIPAA
- Infographic: Texting in healthcare – a not-so-simple exchange
- SMS is Broken and Hackers can Read Text Messages. Never use Regular Texting for ePHI.
- Press Release: How To Text and Remain HIPAA-compliant
- Email and Text Messaging Security in the Wired and Wireless Worlds