
Secure Text Messaging

Because texting is fast and convenient, many physicians use it to consult with other providers and to exchange lab results and other patient information. If text messaging is used to transmit or receive electronic protected health information (EPHI), it must be evaluated as part of the covered entity’s Security Risk Analysis. As with all transmissions of EPHI, safeguards must be in place to protect the integrity and confidentiality of the data.

Several secure messaging vendors offer encrypted mobile applications that protect messages sent to the provider’s phone, the responses sent back, and the data at rest on the device. EPHI that is encrypted in a manner consistent with HHS guidance is considered “secured”: it has been rendered unusable, unreadable or indecipherable to unauthorized persons or entities, so its loss or theft does not trigger breach notification. Ordinary SMS text messages are not encrypted in this way and do not meet that standard.

In addition to malware and the interception of messages in transit, the risk posed by the theft or loss of a smartphone must be considered. If the EPHI stored on the device is not properly secured, the theft or loss could result in a breach that would require notification of the affected patients and the Department of Health and Human Services, and also of prominent media outlets if more than 500 residents of a state or jurisdiction are affected.

All text messages containing EPHI, whether encrypted or not, should be managed with the following minimum safeguards:

  • Information that individually identifies a patient or a patient’s specific condition should be limited to the minimum necessary.
  • Immediate reporting of a lost or stolen device must be encouraged so that actions can be taken to secure the device remotely, and/or to provide notice to patients if the EPHI was unsecured.
  • Any EPHI that is received via text, that is used to inform a decision regarding a patient’s care, must be annotated in the patient’s medical record.
  • Text messages should be deleted on a regular basis to limit the amount of information stored on a device. Retaining information that is no longer needed only enlarges the scope of a breach if the device is lost or compromised.
  • A Business Associate Agreement is necessary with any vendor that stores text messages containing EPHI, such as a secure messaging provider or a telecommunications vendor that retains message content. A carrier that merely transmits messages and does not retain them is treated as a conduit and does not require one.

The covered entity’s Security Officer should maintain a list of all mobile devices that are used to send/receive text messages containing patient information so that he/she can ensure that the information is properly removed from the devices prior to re-use, donation or disposal.

Meaningful Use and Security Risk Analysis

Now that the final rule for 2015 meaningful use has been released, we have received some questions as to whether there are changes that will need to be made to our Security Risk Analysis template. The final rule was released on October 16, 2015, and changed the Medicare and Medicaid EHR Incentive Programs reporting period in 2015 to a 90-day period aligned with the calendar year.

The good news is that the final rule did not include any modifications to Security Rule requirements, and therefore does not necessitate any changes to our 2015 Security Risk Analysis template. If you have already completed a Security Risk Analysis during 2015, and used our template, you will NOT need to re-do it, or change anything.

The rule specifies that you may select any 90-day period in the calendar year as a measurement period, and that your Security Risk Analysis must be completed during the same calendar year, and before you submit your attestation. So, even if you conducted your Security Risk Analysis outside of your 90-day measurement period, that is fine, as long as it took place during 2015, and was completed prior to submitting your attestation.

HIPAA Compliance System Subscribers

Security Risk Analysis – The 2015 Security Risk Analysis template is available in the Member Services area of our website. Simply log in to locate the document on the HIPAA Compliance System materials page, and then save the template to your hard drive to enable saving your entries. Explanations, instruction and HIPAA Compliance Manual references are provided for each item to be addressed within the risk analysis.

Risk Analysis Assistance – If you would prefer that Eagle Associates complete your risk analysis with you, you may call to schedule a phone conference with one of our consultants. During the call, our consultant will collect information about the security measures that are in place in your practice, make note of these in the risk analysis document, and identify any corrective actions that are needed to comply with Security Rule requirements. The fee for this service is $350. (Note that an active subscription to the HIPAA Compliance System is required.)