- The Joint Commission announced in its May 2016 Perspectives newsletter. that it has ended its ban on clinician secure texting and secure messaging options.
While healthcare organizations may allow orders to be sent via text messaging, the commission also outlines the components that must be in place, the standards organizations must follow, and the necessary quality assurance activities to ensure security.
Text messaging was previously prohibited because of the concern over potentially unsecured text messages between providers, the commission explained in its newsletter, reported Eric Wicklund of mHealthIntelligence.com.
“In addition, texting applications were unable to verify the identity of the person sending the text or to retain the original message as validation of the information entered into the medical record. At the time, the technology available could not provide the safety and security necessary to adequately support the use of text messaging for orders,” wrote the commission.
However, there have since been several secure texting options introduced since the ban was put in place, according to the commission.
Providers should develop an attestation that documents their secure text messaging platform’s capabilities, according to the commission. Additionally, it will be critical to define appropriate texting orders and monitor how frequently texting is the option used for making orders.
A risk management strategy will also be beneficial, the commission added, along with thorough risk assessments. Staff training is also necessary, as employees at all levels need to understand all policies and procedures associated with a secure texting option.
The commission’s guidelines for acceptable secure texting included the following:
- A secure sign-on process
- Encrypted messaging
- Delivery and read receipts
- Date and time stamp
- Customized message retention time frames
- A specified contact list for individuals authorized to receive and record orders
Mobile device security is an increasingly hot topic in healthcare, especially as more organizations opt for BYOD strategies and begin to implement secure messaging or secure texting. Regardless of a covered entity’s size, it needs to understand and be aware of any guidelines, regulations, or standards when it comes to using those technologies in a secure way.
For example, the Office for Civil Rights (OCR) recently released a crosswalk that highlights areas that overlap in the HIPAA Security Rule and the NIST Cybersecurity Framework.
More mobile devices - and the use of secure texting - will likely only add to the issue of it becoming increasingly difficult to create an atmosphere that adequately protects ePHI, OCR explained.
“A HIPAA covered entity or business associate should be able to assess and implement new and evolving technologies and best practices that it determines would be reasonable and appropriate to ensure the confidentiality, integrity and availability of the ePHI it creates, receives, maintains, or transmits.”