Appointments, Reminders, Text Messaging, and HIPAA

As more and more people use mobile and wireless devices, a new term, mHealth, has emerged. According to a National Institutes of Health consensus group, mHealth is “the use of mobile and wireless devices to improve health outcomes, healthcare services and health research.” Historically, the biggest gaps and HIPAA violations have been linked to either the loss or the improper use of these devices, so healthcare providers need to pay close attention to their policies and procedures regarding them. This article focuses specifically on appointment reminders and text messaging. For additional information regarding HIPAA, including the forms referenced below, please refer to the publication Complete & Easy HIPAA Compliance published by InstaCode Institute.

The 2013 Omnibus final rule states the following regarding your Notice of Privacy Practices (NPP):

“In particular, §164.520(b)(1)(iii) requires a separate statement in the notice if the covered entity intends to contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits or services.”

Some providers mistakenly believe that if they send a reminder from their EHR (which is supposed to be HIPAA compliant), they don’t need to worry about anything else. However, the above statement from the Omnibus Rule makes it clear that more needs to be done: the reminder practice itself must be disclosed in the NPP. If your practice provides services that are considered highly sensitive (e.g., psychiatric services, HIV services), then the issue takes on even greater importance, because the mere fact of an appointment can reveal the nature of the care.

If you intend to provide appointment reminders, at the minimum, the following should be done:

  • Update your “NPP” to include the proper notification regarding the type(s) of methodologies used to send appointment reminders.
  • Update your “Acknowledgement of Receipt of HIPAA Privacy Notice” to inform the patient about the risks of appointment reminders, especially if you plan on using text messaging. Give them the option to ‘opt-out’ if they so desire.
  • Update your “Policies and Procedures” to include information on how appointment reminders are made and the security of those methodologies. Include terminology to indicate that employees are trained on this important subject.
  • Update your “Employee HIPAA Privacy and Security Rules Acknowledgment” form to include your office policy regarding appointment reminders.
  • Train employees on this subject and document that training in your “HIPAA Employee Training Log”. Be sure employees understand that only pre-approved messages may be sent from the EHR system. Also, they need to know that they may not use their personal cell phones to text reminders because of the security risks.
  • If your practice provides highly sensitive information, you may wish to take extra precautions and consult with a healthcare attorney in your state for additional guidance.

Text Messages

Texting is a gray area of HIPAA because it can be a violation if it meets certain criteria. It all depends on how the message is worded, how it is sent, and the patient’s wishes. According to HealthIT.gov, “Text messages are generally not secure because they lack encryption, and the sender does not know with certainty the message is received by the intended recipient. Also, the telecommunication vendor/wireless carrier may store the text messages.” This lack of security increases the risk of a breach of PHI. However, if the message contains no PHI (for example, only a date, a time, and the office phone number, with no mention of the provider’s specialty or the reason for the visit), then the missing encryption on standard text messaging systems is not by itself a HIPAA problem.

For security and breach prevention reasons, obtain a release in which the patient acknowledges that they understand the risks associated with texting appointment reminders and confirms that they still wish to receive them. They should also have a way to easily opt out of these reminders, such as opt-out instructions included in the text message itself. Another important thing to remember is that texting from a personal phone carries different risks from sending reminders from a computer or EHR system: the messages remain on the handset, and the handset can be lost or stolen. This is why it is essential that employees are trained in the proper use of patient notification.

Warning: Just because you have a patient’s cell phone number on file does not mean you are authorized to use that number to send a text message. You must obtain written authorization from the patient in order to send them a text message.

Because of the increased risk of breach of PHI with text messaging compared to other forms of reminders, such as a phone call, if the provider intends to use text messaging, the patient needs to be aware of that risk and be able to choose to opt out of such reminders. The NPP is the place to inform the patient of these risks. It is also important to include a separate statement in the “Acknowledgment of Receipt of HIPAA Privacy Notice” for the patient to state that they understand the risks involved and still wish to receive text message reminders. Alternatively, a practice may want to consider subscribing to specific services that offer secure or encrypted texting such as DocHalo, TigerText, CorText or Sprint Enterprise Messenger-Secure.
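A minimal sending gate that enforces the points above (written authorization on file rather than just a number on file, opt-out honoured, opt-out instructions present, and no PHI in the body beyond the reminder itself). This is an added example, not code from the article or from any of the products named above; the sensitive-term list, the template wording and the `Patient` fields are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Terms that would turn a bare reminder into PHI-bearing content.
# Assumed list for this example; a practice would build its own from
# its service lines and policy.
SENSITIVE_TERMS = re.compile(
    r"\b(hiv|psychiatr\w*|diagnos\w*|prescription|lab results?|oncolog\w*|therapy)\b",
    re.IGNORECASE,
)

OPT_OUT_PHRASE = "Reply STOP to opt out"

# Pre-approved template (assumed wording): date, time and a callback
# number only. Staff never type free text into the message.
REMINDER_TEMPLATE = (
    "Reminder: you have an appointment on {date} at {time}. "
    "Call {office_phone} to reschedule. " + OPT_OUT_PHRASE + "."
)


@dataclass
class Patient:
    phone: str
    # True only when a signed release/acknowledgement is on file.
    # Having the number on file is NOT consent.
    sms_consent_on_file: bool
    sms_opted_out: bool = False


def compose_reminder(date: str, time: str, office_phone: str) -> str:
    """Render the pre-approved template and nothing else."""
    return REMINDER_TEMPLATE.format(date=date, time=time, office_phone=office_phone)


def message_is_phi_free(body: str) -> bool:
    """Reject bodies that name a condition, service line or result."""
    return SENSITIVE_TERMS.search(body) is None


def should_send(patient: Patient, body: str) -> tuple:
    """Return (ok, reason); apply every condition before handing to a carrier."""
    if not patient.sms_consent_on_file:
        return False, "no written authorization for text messages"
    if patient.sms_opted_out:
        return False, "patient opted out"
    if not message_is_phi_free(body):
        return False, "message body contains PHI beyond the reminder"
    if OPT_OUT_PHRASE not in body:
        return False, "message lacks opt-out instructions"
    return True, "ok"


def handle_reply(patient: Patient, reply: str) -> Patient:
    """Honour an opt-out reply sent back by the patient."""
    if reply.strip().upper() in {"STOP", "UNSUBSCRIBE", "CANCEL"}:
        patient.sms_opted_out = True
    return patient


if __name__ == "__main__":
    # Constructed sample data for the example.
    alice = Patient(phone="555-0100", sms_consent_on_file=True)
    bob = Patient(phone="555-0101", sms_consent_on_file=False)

    body = compose_reminder("March 3", "9:30 AM", "555-0199")
    print(should_send(alice, body))
    print(should_send(bob, body))          # number on file is not consent
    bad = "Reminder: your HIV follow-up is on March 3 at 9:30 AM. " + OPT_OUT_PHRASE + "."
    print(should_send(alice, bad))         # specialty in the body is PHI
    handle_reply(alice, "stop")
    print(should_send(alice, body))        # opt-out is honoured
```

The gate is deliberately strict on the message body: a reminder that mentions the reason for the visit or the specialty of the provider is rejected even for a consenting patient, because the consent covers the risk of a bare reminder, not the disclosure of the nature of care.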

Old Text Messages/PHI
Providers need to be aware that old text messages, and any other data or files that may include PHI, on smartphones or other electronic devices should be completely wiped before the devices are traded in or thrown away. In fact, if your electronic devices contain PHI, that information should be protected to the highest levels of HIPAA security, including passwords and encryption, to minimize the risk of breaches. If that protection is unavailable, PHI should be removed from those devices immediately.

More to Come 

Text messaging appears to be playing an increasing role in healthcare services, so better standards and understanding are necessary. A document entitled “Health Text Messaging Recommendations to the Secretary,” written by the U.S. Department of Health and Human Services (HHS) Text4Health Task Force, suggests that the Office for Civil Rights (OCR) is likely to offer more guidance in the future.

Delineating Privacy/Security Issues

The Task Force recommends that HHS conduct further research into the privacy and security risks associated with text messaging of health information and establish guidelines for managing such privacy/security issues. Furthermore, mHealth issues should be discussed within the HHS Inter-Division Health IT Policy and Security Task Force. The exchange of health information via text messages raises privacy and security issues specific to this medium. Text messaging programs may be subject to numerous privacy and security laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

-Wyn Staheli, Chief Content Officer, InstaCode Institute
