[ Friday, September 02, 2016 ]
Jeff [9:44 AM]
Q from @JShafer817: We do not encrypt SMS messages and they are absolutely not secure enough for PHI in general, whether or not we encrypted them for our part of the journey. In other words Jeff.. SMS sucks.. and once it leaves the server it isn't encrypted anyways... So.. should SMS be used for... appt confirmations???
A: HIPAA requires reasonable safeguards to protect the confidentiality, integrity and availability of PHI. It does not require or expect perfection.
Covered entities are required to do a risk analysis of their operations, determine what safeguards are appropriate, and adopt those reasonable safeguards. A covered entity may determine that the increased benefits of a particular modality over a second modality outweigh the increase in safety the second modality provides. For example, a covered entity may determine that the lower costs of a postcard reminder notice (versus an enclosed letter) outweigh the increased risk of postcard versus letter, given the minimal nature of the PHI that is or could be exposed. While a provider like a dentist might make that decision (“who cares if everyone knows I go to the dentist?”), a provider who deals with much more sensitive information, such as an infertility specialist or oncologist, might determine that the increased risk is not worth the cost savings. Likewise, a provider might determine that postcards are good for certain communications (annual appointment reminders) but not others (transmitting lab results), and should always ensure that the minimum necessary information is included, regardless of the transmission mechanism. Those are legitimate choices, and in proper circumstances would be reasonable under HIPAA.
The question regarding texting is similar. Unencrypted texting is less secure than encrypted texting, and much less secure than communication via a patient portal. But using an encrypted texting solution or patient portal adds complexity that might be sufficient to cause the patient to not utilize the service, and therefore entirely lose the benefit of good communications with his/her provider. In that case, the benefit of ensuring increased and effective communication might outweigh the risks of using unencrypted texting instead of a more secure means of communication. In either case, secure email or insecure texting, the minimum necessary information should be included.
Thus, as long as the provider has done a proper risk analysis of the issue (and I would recommend documenting the determination), SMS texting could be allowed under HIPAA, in the right circumstances.
PS: please remember this is not legal advice; consult your own attorney; your mileage may vary.