Communication technology is quickly evolving, and many healthcare providers are trying to keep pace. They could be looking to implement secure texting options or even consider communicating with patients through social media, but HIPAA rules cannot be overlooked in the process.
Employee training is one of the major challenges when it comes to social media use and HIPAA regulations, Foley & Lardner LLP Partner Mike Overly told HealthITSecurity.com.
“Healthcare personnel are frequently absolutely astonished when we talk with them about using these types of means to talk to their patients and the potential data that’s being shared,” Overly said.
For example, he said that a dermatologist could receive a picture on his smartphone from a patient. The intent is that the dermatologist could determine whether the patient needed to come in or not. However, Overly explained that an individual’s GPS location could be embedded in the photo.
“When that photo is transmitted, the physician will say it might not identify the individual in the photo,” he stated. “Yes it does. They’re identified by their home address most likely, because that’s likely where they took the photo.”
Part of the issue is making sure that healthcare professionals understand that although these are great ways to communicate with patients because it is so easy to do, there are some fundamental privacy problems.
With secure texting solutions in healthcare, providers need to ensure they are not sending PHI through standard texting options, Overly noted. Even other types of texting, such as iMessage, rely on a third-party application that may not be entirely secure. Some messaging applications also allow the third party to do things with the data, such as statistical analyses of the texts received and by whom.
“These issues quickly become somewhat profound, and the question is, does the patient understand that their information or the content of the text are not really secured?” he asked. “And that they can’t be readily secured unless we’re talking about installing a specialized app?”
Having to install an application on both ends may frustrate some patients who see this as an easy means of communication, Overly said.
Matt Fisher, chair of Mirick O’Connell’s Health Law Group, agreed, and added that it is a common misunderstanding for individuals to assume that a third-party messaging solution is entirely secure.
“One thing that’s gotten a lot of press recently is M10 encryption,” Fisher said. “People think, ‘Oh we can use WhatsApp because it’s secure from its end to end encryption.’ However, that’s really not that accurate.”
With WhatsApp specifically, there are individual sign-ups for accounts, he explained. Once that happens the individual is fully outside the control of the covered entity where a physician or another provider is working.
“Healthcare providers need to try not to get caught up in the hype of how some of these tools function, but actually be careful to evaluate how it can be appropriately utilized in a healthcare context,” Fisher noted.
How HIPAA regulations apply to texting, social media
It is important to note that HIPAA rules do not directly contemplate secure texting or social media use, Fisher explained. Most of the Rules predate the widespread use of either type of platform. However, the underpinnings of both the Privacy and Security Rules help guide and inform how healthcare utilizes texting or social media.
“From the texting perspective, this is a form of communication that’s a means of sending information, whether it’s from a provider to a patient or a provider to provider,” he said. “And when you’re coming at it from that perspective, you want to make sure you’re securing whatever information is sent in the text message.”
With provider-to-patient communication, the covered entity would need to have consent from the patient, or direction from the patient to use that means of communication, to make sure that they want to receive information in that manner, Fisher explained. This matters if the provider is using an unsecured platform, such as iMessage or WhatsApp, because those are not enterprise-level solutions.
Everyone must understand the risks, including that the data could be going outside of their control.
“If you’re talking about text messaging between providers, then obviously organizations can take more control and have more consistent control of what’s going on,” he added. “They should be restricting usage of platforms to ones that meet HIPAA standards, whether both in the technology of the text messaging solution and, depending on the vendor as the vendor could be hosting the data, you want to make sure you have a business associate agreement and other appropriate agreements in place to the extent that they would be hosting information.”
Social media platforms are, for the most part, very public, Fisher pointed out. Organizations are not going to be able to control or contain where their data is going. For the most part, covered entities want to avoid having specific communications or interactions with patients in specific instances of trying to share medical advice.
He noted though that there is a lot of creative ability to be able to send information to a lot of different places. When PHI is not being communicated, and a provider is trying to provide informational or educational messages, such as describing services it offers, then social media use could be very beneficial.
Overly agreed, and reiterated that if providers are using a secure texting option to send PHI, it is important to keep HIPAA regulations in mind. This is especially true if a provider is communicating with a patient over a question the patient had regarding his or her health.
However, it is currently “the wild west” sometimes in secure texting and secure messaging options, he added. Even the more sophisticated healthcare providers may not have a uniform approach. If there is a secure texting policy in place, not all personnel may adhere to it all the time.
“Everyone has a smartphone, and everyone talks to a patient who says they’re worried about something and the physician says, ‘You can text me with a question.’ Is that compliant with the hospital’s policy or not?” Overly asked. “Does the physician understand that there is a policy out there?”
A lot of institutions are working to train their employees on this issue, he added, which is critical to keep PHI secure.
“What we’re seeing instead is, healthcare professionals are very busy people,” Overly said. “And they’re going to do what they believe is in the best interest of their patient, which is always a good thing. The problem is, they’re going to do that potentially using an unsecure means of communication.”
Fisher emphasized though that HIPAA does not prevent innovative and new technologies.
“It does not necessarily care about what you are using,” Fisher said. “It just is setting a baseline for security and privacy standards.”
Furthermore, HIPAA should not be used as an excuse and a barrier, he stated. HIPAA can present opportunities and help incorporate protections and certain use patterns within different tools, whether it’s texting, social media, or other technology.
“HIPAA is too often cited as something to stop innovation, where if you understand it and incorporate it early on, it can actually help get to an endpoint that is going to be able to provide real benefits to everyone within healthcare.”