

Is Texting in Violation of HIPAA?

To say that texting is in violation of HIPAA is not strictly true. Any misunderstanding surrounding texting being in violation of HIPAA comes from the complex language used in the Privacy and Security Rules. These rules do not mention texting per se, but they do lay down certain conditions that apply to electronic communications in the healthcare industry. Depending on the content of the text message, who the text message is being sent to, and the mechanisms put in place to ensure the confidentiality and integrity of Protected Health Information (PHI), texting can be HIPAA-compliant in certain circumstances.

So, for example, it is okay to send messages by text provided that the content of the message does not include personal identifiers. It is okay for a doctor to send text messages to a patient, provided that the message complies with the "minimum necessary" standard, the patient has given their authorization to be contacted by SMS text, and the patient has been warned of the risks of communicating personal information over an unencrypted channel. It is also okay to send messages by text when mechanisms are in place to comply with the technical safeguards of the Security Rule.

The Technical Safeguards of the HIPAA Security Rule

The technical safeguards of the HIPAA Security Rule are the most relevant to answering the question "When is texting in violation of HIPAA?" This section of the Security Rule concerns access controls, audit controls, integrity controls, methods for ID authentication, and transmission security mechanisms when PHI is being transmitted electronically:

- Access to PHI must be limited to authorized users who require the information to do their jobs.
- A system must be implemented to monitor the activity of authorized users when accessing PHI.
- Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN.
- Policies and procedures must be introduced to prevent PHI from being inappropriately altered or destroyed.
- Data transmitted beyond an organization's internal firewall should be encrypted to make it unusable if it is intercepted in transit.

Standard Short Message Service (SMS) and Instant Messaging (IM) text messages often fail on all these counts. Senders of SMS and IM text messages have no control over the final destination of their messages: they could be sent to the wrong number, forwarded by the intended recipient to somebody else, or intercepted while in transit. Copies of SMS and IM messages can also remain on service providers' servers indefinitely, with no means of remotely retracting or deleting them. There is no message accountability with SMS or IM text messages, because anybody could pick up someone's mobile device and use it to send a message, or indeed edit a received message before forwarding it on. For these reasons (and many more), communicating PHI by standard, non-encrypted, non-monitored and non-controlled SMS or IM is texting in violation of HIPAA.

How This Creates a Problem for Healthcare Organizations

Texting in violation of HIPAA is a major problem for healthcare organizations. Over the past few years, more and more medical professionals have come to rely on their personal mobile devices to support their workflows. Indeed, many healthcare organizations have been keen to implement "bring your own device" (BYOD) policies because of the speed and convenience of modern technology and the cost-saving benefits. However, with an estimated 80% of medical professionals now using personal mobile devices, there is a considerable risk of PHI being accessed by unauthorized personnel. Most messaging apps on mobile devices have no log-in or log-off requirements, so they do not comply with the technical safeguards for HIPAA texting, and if a mobile device is lost or stolen there is a significant risk that messages containing PHI could be exposed.

The fines for a breach of HIPAA can be considerable. The fine for a single breach of HIPAA can be up to $63,973 per day that the vulnerability responsible for the breach is not attended to.
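As an added example (not code from the original article or from any HIPAA guidance), the Python below turns the texting rules and technical safeguards described on this page into an outbound-text gate: it scans a message for personal identifiers, decides whether the channel and recipient permit it, and writes every decision to a hash-chained audit log so that a later edit to a record is detectable. The identifier patterns are a constructed subset of the HIPAA Safe Harbor identifier classes, the channel properties, user name and sample messages are all made up, and this is an illustration of the controls, not a certified compliance product.

```python
import hashlib
import json
import re
from dataclasses import dataclass

# Constructed subset of the HIPAA "Safe Harbor" identifier classes. A real
# deployment needs the full list (names, addresses, account numbers, ...) and a
# proper DLP engine; these regexes only illustrate the "no personal identifiers" rule.
IDENTIFIER_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[A-Za-z]{2,}\b"),
    "date":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn":   re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
}


def find_identifiers(text):
    """Return the sorted identifier classes found in the message body."""
    return sorted(name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text))


@dataclass(frozen=True)
class Channel:
    """Properties of the transmission path, mapped to the technical safeguards."""
    encrypted: bool              # transmission security
    unique_user_auth: bool       # unique, centrally issued username + PIN
    audited: bool                # activity of authorized users is monitored
    remotely_retractable: bool   # messages can be retracted/deleted remotely

    def satisfies_safeguards(self):
        return (self.encrypted and self.unique_user_auth
                and self.audited and self.remotely_retractable)


@dataclass(frozen=True)
class Recipient:
    is_patient: bool
    sms_consent: bool = False    # patient authorized contact by SMS
    risk_warned: bool = False    # patient warned the channel is unencrypted


def evaluate(message, channel, recipient):
    """Apply the page's rules; returns (allowed, reason, identifiers_found)."""
    ids = find_identifiers(message)
    if channel.satisfies_safeguards():
        return True, "compliant secure-messaging channel", ids
    if not ids:
        return True, "no personal identifiers, plain channel acceptable", ids
    if recipient.is_patient and recipient.sms_consent and recipient.risk_warned:
        return True, "patient authorized SMS contact after risk warning", ids
    return False, "PHI over uncontrolled SMS/IM", ids


class AuditLog:
    """Append-only, hash-chained record of gate decisions (audit and integrity
    controls). Each entry commits to the previous digest, so editing or dropping
    a record breaks verification."""

    def __init__(self):
        self.entries = []

    def record(self, user, recipient_label, allowed, reason, ids):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = {"user": user, "to": recipient_label, "allowed": allowed,
                "reason": reason, "identifiers": ids, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "digest": digest})
        return digest

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def demo():
    """Run the gate over constructed messages; returns (decisions, log intact, log intact after tampering)."""
    plain_sms = Channel(encrypted=False, unique_user_auth=False, audited=False, remotely_retractable=False)
    secure_app = Channel(encrypted=True, unique_user_auth=True, audited=True, remotely_retractable=True)
    patient_no_consent = Recipient(is_patient=True)
    consenting_patient = Recipient(is_patient=True, sms_consent=True, risk_warned=True)
    colleague = Recipient(is_patient=False)
    reminder = "Reminder: your appointment is tomorrow at 10am. Reply C to confirm."  # constructed
    handoff = "Pt MRN 4471923 DOB 03/14/1961, troponin positive, call 555-867-5309."  # constructed
    log = AuditLog()
    decisions = []
    for msg, chan, rcpt in [(reminder, plain_sms, patient_no_consent), (handoff, plain_sms, colleague),
                            (handoff, plain_sms, consenting_patient), (handoff, secure_app, colleague)]:
        allowed, reason, ids = evaluate(msg, chan, rcpt)
        log.record("dr.example", "patient" if rcpt.is_patient else "colleague", allowed, reason, ids)
        decisions.append(allowed)
    intact = log.verify()
    log.entries[1]["allowed"] = True   # simulate someone editing the record afterwards
    return decisions, intact, log.verify()


if __name__ == "__main__":
    print(demo())
```

The hash chain only makes tampering detectable; it does not stop an attacker who can rewrite the whole chain, so in practice the chain head should be anchored outside the system (signed, or written to write-once storage), and the regex scan should be treated as a last line of defence behind a messaging platform that actually meets the safeguards.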
