Unencrypted Hospital Communications are HIPAA Violations

Text messages may be a quick and convenient method of communication for doctors and healthcare professionals; however, two medical professionals from North Carolina have recently discovered that the use of unsecured text messages to transmit medical data is a HIPAA violation.

For the professionals concerned, the action was innocent and believed to be in the best interest of the patient. A doctor was visiting a patient at a nursing home and requested that a nurse send the patient’s laboratory results via text message. The message was sent and only two people viewed the patient data, both of whom were authorized to access the records. However, because the data was sent over an unencrypted and insecure connection, the records could potentially have been exposed to a third party. Text messages can be used in healthcare, but in order to be HIPAA compliant the data has to be encrypted.

The nursing facility was given an e-class deficiency by The Centers for Medicare & Medicaid Services (CMS), which resulted in a 10-point Directed Plan of Correction (DPOC) that must be implemented within 15 days. The breach did not cause any harm, although the communication had the potential to cause more than minimum harm. Had the data been intercepted or accessed by an unauthorized individual, the penalty would have been much more severe.

The DPOC involves appointing a dedicated HIPAA compliance officer and revising procedures and policies to ensure compliance. Training must be provided to all staff on the importance of data security and on identity theft, with the sessions provided by an expert from outside the company. Training must be provided onsite, with face-to-face training of the staff, including the center’s doctors. A security breach emergency plan must also be developed and put in place, and the person(s) affected by the potential breach must be notified of the HIPAA violation and the actions being taken to prevent future security issues.

The government is taking a hard line on violations of HIPAA, even when no data has been lost or accessed by unauthorized individuals. Wearables and mobile devices are used extensively in the healthcare industry and have security vulnerabilities. Healthcare organizations are being warned that great care must be taken when using these devices to ensure HIPAA laws are not accidentally breached.

A recent study published in Telemedicine and eHealth indicates that the use of text messages in healthcare is extensive and that doctors and medical professionals are committing HIPAA violations on a regular basis. The survey involved 97 pediatric hospitalists who were asked to comment on the use of text messages at work. The results are alarming: 60% of respondents admitted sending work-related texts, while 61% received them. 30% of those in the survey admitted receiving unencrypted PHI via text message.

Rapid and timely communication can greatly reduce costs in healthcare; however, it is essential that all communication channels remain fully HIPAA compliant and that no unencrypted text messages containing PHI are sent. To ensure full compliance with HIPAA regulations, an encrypted text service must be used so that text messages cannot be intercepted.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.