Healthcare News & Insights

Text messaging & HIPAA: Is your hospital secure?

Following HIPAA laws to the letter is of utmost importance to hospitals. Patients’ protected health information (PHI) must be kept secure from data breaches. But are healthcare professionals as committed to privacy efforts as they should be? Results from a new survey give insight into the current state of HIPAA enforcement in health care, particularly regarding text messaging. 

Scrypt, a company designed to help healthcare organizations collaborate securely, surveyed 1,800 healthcare professionals to ask them about their attitudes toward HIPAA and secure communications. It summarized the results in a report published online.

Out of all respondents, 80% said their own knowledge of HIPAA compliance was either good or very good. But over half of them (56%) said their organization could do more to educate other employees about HIPAA compliance and the rules that govern the sharing of PHI when communicating.

Mobile messaging & PHI

Despite their self-reported knowledge of HIPAA laws, many healthcare professionals willingly participate in practices that aren’t entirely secure when discussing patients’ PHI – especially when communicating using mobile devices.

Although 78% of participants said they use mobile messaging to communicate with other staff and providers at work, 52% of them either knew their organization had no policy controlling mobile messaging, or weren’t sure if a policy existed.

Even worse: Of those who use mobile messaging at work, 70% of them do so using methods that don’t pass HIPAA security standards, including their phone’s built-in messaging app, Skype, Google Hangouts, Facebook Messenger, Apple’s iMessage (found on iPhones, iPads and iPods) and WhatsApp (a third-party private messaging app).

Only about a quarter said they send messages using a secure solution designed for healthcare professionals that fully protects PHI.

Healthcare professionals are sending sensitive information to each other via text message. In fact, 83% of those who use mobile messaging have received patient health information through texts, mostly from colleagues, patients or a combination of both.

Much of the information they’re sending in text messages falls under the PHI umbrella, including patients’ names, geographic locations, health plan beneficiary numbers/Social Security numbers and full-face photographic images.

Among healthcare professionals who text PHI to others, there’s a divide over whether the information is actually secure. While 51% were either very or moderately confident that the information they received was secure, 49% weren’t very confident at all.

This suggests that some healthcare pros are more confident in the security of outside messaging apps than they should be – especially those who use apps that aren’t specifically designed to protect PHI.

Hospitals’ next steps

For many healthcare providers, the convenience of text messaging outweighs any potential risks. Plus, if they text often without incident, they may be lulled into a false sense of security. Hospitals need to nip that line of thinking in the bud.

It’s in your facility’s best interest to come up with a specific policy that addresses the use of text messaging when relaying details about PHI to patients and clinical staff. The policy should cover the appropriate use of PHI, including who’s authorized to receive it and how it should be sent.

All devices that send PHI should be encrypted – even employees’ personal smartphones and tablets. In addition, using a secure messaging solution designed to protect PHI is the preferred method of communicating information.

However, if your hospital doesn’t have a secure texting solution, and patients still want to communicate with providers by text, patients must be informed of the risks of using standard apps. They must indicate they understand the dangers of unsecured messaging, and this permission should be granted in writing.
