Preparing Emergency Text Notification for Business in a HIPAA Compliant Age

Businesses subject to HIPAA regulations have to take care when using emergency text notification systems to ensure Protected Health Information (PHI) is not disclosed without authorization. HIPAA compliance policies can be difficult to enforce during an emergency, but a little preparation can help mitigate the risk of a HIPAA breach.

Emergency text notification systems for business are an effective way to alert personnel to an emergency incident in healthcare environments (such as fires, active shooter events, and severe weather), especially when they are integrated with other alert systems such as sirens, visual alarms, and digital signage. However, in a healthcare environment, medical personnel are subject to HIPAA regulations which prohibit the unauthorized disclosure of Protected Health Information (PHI).

Under normal circumstances, it is difficult to think of many scenarios in which an emergency text notification for business would contain PHI. However, in a stressful emergency situation, the risk exists medical personnel might inadvertently disclose PHI while sending an emergency text notification, or that the notification might be received by individuals outside the healthcare environment who don´t appreciate the significance of the PHI and forward the notification to other individuals.

Emergency Text Notification Systems are Not HIPAA Compliant

Emergency text notification systems that send alerts via multiple communication channels are not HIPAA-compliant because the devices on which notifications are received do not have mechanisms to comply with the technical specifications of the HIPAA Security Rule – for example encryption, access controls, and automatic log-off. Furthermore, copies of SMS text messages, emails, and social media postings remain on service providers´ servers permanently with no means of retracting them.

Nonetheless, emergency text notification systems – especially those which integrate with other alarm systems – are the most effective way to comply with the Communication Plan requirements of the CMS´ Emergency Preparedness Rule. Depending on how the system is utilized, it can also be the most effective way of coordinating emergency response and ensuring business continuity during a long-term emergency. Therefore HIPAA covered entities need to take steps to mitigate the risk of a HIPAA breach.

How to Mitigate the Risk of a HIPAA Breach in an Emergency Text Notification

The best way to avoid accidental disclosures of PHI in an emergency text notification is to have notification templates prepared in advance. The CMS´ Emergency Preparedness Rule stipulates healthcare environments should plan responses to events such as pandemics, nuclear explosions, and natural incidents. It is a good idea not only to prepare notification templates for these types of events, but also for fires, active shooters, and the likely types of severe weather for the area.

In order to prevent individuals receiving emergency text notifications not intended for them, the personnel database should be segmented by role, location or other attribute in order to ensure the right people receive the right messages at the right time. In the event of an active shooter, for example, you only want the individuals in the immediate vicinity to initiate a lockdown. Alerting everyone else to the event may cause unnecessary panic that could hinder emergency response efforts.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.