I think we can all admit that unsecured healthcare texting between clinicians is happening despite prohibitions etc. Ah, yes, Prohibition…forbid what people want and that is easy for them to do…. that worked so well in the 1920s! But I digress.
Some of the clinicians I have talked with admit to clinical texting with their personal devices but think that since both they and the receiver of the text both meet the HIPAA guidelines for accessing protected health information (PHI) then everything is ok. But they are missing the monster underneath the bed…the communication company such as AT&T, Verizon, etc.!
Most clinicians don’t think about the fact that their text messages are not only unsecured during transmission through the Internet, but are being stored on their telecommunication vendor’s servers. These telecommunication vendors are unlikely to have entered into a business associate relationship as defined by law with each covered entity, for example both the hospital and the individual healthcare provider. This situation definitely qualifies as a monster that is lying in wait…in the form of HIPAA violations.
According to the HIPAA Journal, the Department of Health and Human Services is charged with enforcement of HIPAA through the Office of Civil Rights (OCR) and is “taking a particular interest in the use of mobile technologies and communication of PHI in healthcare centers and between healthcare providers.”1 I think it is logical to assume we are going to be seeing financial penalties in the very near future.
But what is a healthcare organization to do? Buy the cheapest and easiest thing on the market? Or look for a partner who can quickly shore up HIPAA defenses, while providing a phased approach to creating a true clinical communications infrastructure?