[ Friday, September 02, 2016 ]


Q from @JShafer817:  We do not encrypt SMS messages and they are absolutely not secure enough for PHI in general, whether or not we encrypted them for out part of the journey.  In other words Jeff.. SMS sucks.. and once it leaves the server it isn't encrypted anyways...  So.. should SMS be used for... appt confirmations???

A: HIPAA requires reasonable safeguards to protect the confidentiality, integrity and availability of PHI.  It does not require or expect perfection.

Covered entities are required to do a risk analysis of their operations, determine what safeguards are appropriate, and adopt those reasonable safeguards.  A covered entity may determine that the increased benefits of a particular modality over a second modality outweigh the increase in safety the second modality provides.  For example, a covered entity may determine that the lower costs of a postcard reminder notice (versus an enclosed letter) outweigh the increased risk of postcard versus letter, given the minimal nature of the PHI that is or could be exposed.  While a provider like a dentist might make that decision (“who cares if everyone knows I go to the dentist?”), a provider who deals with much more sensitive information, such as an infertility specialist or oncologist, might determine that the increased risk is not worth the cost savings.  Likewise, a provider might determine that postcards are good for certain communications (annual appointment reminders) but not others (transmitting lab results), and should always insure that the minimum necessary information is included, regardless of the transmission mechanism.  Those are legitimate choices, and in proper circumstances would be reasonable under HIPAA.

The question regarding texting is similar.  Unencrypted texting is less secure than encrypted texting, and much less secure than communication via a patient portal.  But using an encrypted texting solution or patient portal adds complexity that might be sufficient to cause the patient to not utilize the service, and therefore entirely lose the benefit of good communications with his/her provider.  In that case, the benefit of ensuring increased and effective communication might outweigh the risks of using unencrypted texting instead of a more secure means of communication.  In either case, secure email or insecure texting, the minimum necessary information should be included.

Thus, as long as the provider has done a proper risk analysis of the issue (and I would recommend documenting the determination), SMS texting could be allowed under HIPAA, in the right circumstances.

PS: please remember this is not legal advice; consult your own attorney; your mileage may vary.

Jeff [9:44 AM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template