Reaction and Analysis: Office of Civil Rights Takes a Position on Text Messaging in Healthcare
If you ask a group of people who work in healthcare whether texting is a compliant form of communication, you are likely to get a wide variety of answers: “you can,” “you can’t,” “you can, but no PHI,” “PHI is fine.” There has long been a desire for clarity on this grey and murky topic. At HIMSS 2018, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), shed some much-welcome light on compliance around healthcare texting.
Before we get to Severino’s comments, let’s address why everyone is so confused.
Two types of texting defined
There are two different types of texting that operate very differently and serve very different needs, but both are commonly referred to by the same term, “texting.” The first type is what general consumers think of as texting, or Short Message Service (SMS) to use its technical term. This is the texting that is a default app on your phone, paid for through your carrier, that many people use to send and receive texts every day. It is unsecure. For clarity, I will refer to this as SMS. The second type is proprietary and app-based, with multiple different app providers. It is used by healthcare providers (mostly doctors and nurses) to communicate with one another about patient-related care inside and outside the walls of the health center. It can also be used by providers to communicate with patients, provided the patient has downloaded the app being used and created an account for it. It is secure. For clarity, I will refer to this as Secure Texting.
PHI and texting
Handling PHI through texting is the source of a lot of confusion and debate. Because of its provider-to-provider focus, Secure Texting needs to meet certain technical standards for HIPAA compliance:
- encryption of message data in transit and at rest
- reporting/auditability of message content
- passcode enforcement
- permissions management capabilities
With these safeguards in place, PHI of all risk levels can be communicated through that channel.
SMS is an unencrypted channel, so one might assume no PHI can be sent. Actually, that is not true. Encryption is not mandated. Instead, a healthcare company must assess whether encryption is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting PHI. If encryption is not deemed reasonable and appropriate, the covered entity must implement alternative safeguards.
Because the SMS format is fundamentally incapable of encryption, companies have the discretion to make a case-by-case determination under HIPAA whether it is reasonable and appropriate for SMS texts to contain PHI. A key factor is the nature of the PHI to be disclosed. Many healthcare companies are comfortable including low-risk PHI in SMS texts, such as a patient’s first name, the fact that the patient has a medical appointment, or the fact that the patient has a medical condition (without specifying what the medical condition is). So, under current policy, while it is not explicitly defined, low-risk PHI can be sent through the text channel within the boundaries of HIPAA guidelines.
The 2017 Clarification on Secure Texting and Patient Orders
Since 2011, there has been considerable back-and-forth on whether Secure Texting can be used for communicating patient orders. In December 2017, the Joint Commission issued a clarification explicitly stating that the use of Secure Texting for patient orders is prohibited. The document also recommended that healthcare organizations have policies prohibiting the use of SMS for communicating PHI. Expanding on this statement, the Joint Commission explained, ‘Organizations are expected to incorporate limitations on the use of unsecured text messaging in their policies protecting the privacy of health information’ (Joint Commission 2017). This position is in line with the broader HIPAA Security Rule policy requiring healthcare organizations to weigh the risks and benefits of sending unencrypted text messages.
The HIPAA Omnibus Final Rule
In 2013, the HIPAA Omnibus Final Rule allowed healthcare providers to communicate PHI with patients through unencrypted e-mail as long as the provider informs the patient that their e-mail service is not secure, gains the patient’s authorization to accept the risk, and documents the patient’s consent. This clarified the use of e-mail for provider-to-patient communications. (Just to be clear, providers cannot communicate PHI to one another using unencrypted e-mail.)
Notably, the rule did not mention anything about SMS, which is somewhat frustrating as SMS is the most widely adopted communication channel by just about everybody. Some interpret the rule as applying to SMS as well because both are unencrypted electronic channels. Others want more clarity.
Clarity from OCR
Speaking at the HIMSS health IT conference in Las Vegas on March 6, Roger Severino said that healthcare providers may share PHI with patients through standard (SMS) text messages. Providers must:
- warn their patients that texting is not secure
- gain the patients’ authorization
- document the patients’ consent
Severino’s comments are yet to make it into policy, but the OCR has long-promised guidance on this topic. As the country is in a period of intense deregulation, it is reasonable to assume a ruling on the topic is imminent.
What does this mean for healthcare companies?
That depends on whether the healthcare company is already using SMS to reach and engage their patients. Many companies have well-established SMS programs. SMS has bubbled to the top as the most effective channel to engage patients about their health:
- Increased chronic condition medication adherence from 30% to 44% in a non-adherent Medicare population
- Reduction in members reporting they would use the Emergency Department for a minor condition from 11% to 4%
- Reduction in procedural no-goes by 50%
Many healthcare companies are comfortable with the unencrypted nature of the channel and include PHI in line with their compliance department’s requirements. For these companies my advice would be to continue to drive as much value through the SMS channel while meeting current compliance guidelines. These companies will then be in a position to capitalize most when there is a change in policy that increases the breadth of use cases for which SMS can be used to engage patients and health plan members.
For companies that are not using the SMS channel to engage patients, I see this as clear notice that SMS is a channel where you should invest. 95% of the adult population uses the SMS channel and 98% of SMS texts are read. No other channel has that level of adoption and engagement. Because of this reach, the impact of SMS on both clinical and administrative outcomes is well established and will only go up with policy that increases the breadth of use cases for which the channel can be used.