Editor’s Note: According to a HIMSS Mobile Technology Survey of healthcare provider employees, about 90% say they are using mobile devices to engage patients in their healthcare—and 36% believe app-enabled patient portals are the most effective patient engagement tool. A Spyglass Consulting Report reveals that an astounding 96% of physicians use text messaging for patient care coordination—and 30% say they’ve received protected health information (PHI) via text.
Clearly new technologies are transforming healthcare. In a recent webinar, Manatt Health examined how to benefit from these powerful new tools while analyzing the risks under the Health Insurance Portability and Accountability Act (HIPAA). In the first of a two-part series, Manatt summarizes below key insights shared on the enforcement landscape, HIPAA rules and best practices around six technologies—portals, email, bring your own device (BYOD), texting, mobile apps and the Internet of Things (IoT).
The Enforcement Landscape and the Trump Administration
Cybersecurity is a high priority across the Trump administration. In April, the Department of Health and Human Services (HHS) announced that it will establish a cyberthreat nerve center, modeled after Homeland Security’s National Cybersecurity and Communications Integration Center, to assess cyberthreats and share best practices. This move reflects the acknowledgment that healthcare is a critical part of our infrastructure with national security implications.
The new director for the HHS Office of Civil Rights (OCR), Roger Severino, has declared that his office’s enforcement actions will adapt to new data security threats, including those raised by ransomware, interoperability and mobile apps. The OCR audits—which began Phase 1 in 2011—position OCR for stricter enforcement. Phase 1 uncovered a number of weaknesses threatening HIPAA compliance across key areas, including risk analysis and management, content and timeliness of breach notifications, notices of privacy practices, individual access, privacy standards, device/media controls, training and transmission security.
The OCR now has begun Phase 2 audits. Added focus areas include an inventory of devices and other information system (IS) assets; evidence of IS audit logs, access reports and security incident tracking; and an inventory of business associates.
The OCR’s enforcement tools include civil monetary penalties and the requirement to establish a corrective action plan. Penalties can range from a minimum of $100 (when there is no knowledge of the violation) up to a maximum of $50,000 per violation, capped at $1.5 million annually for each identical violation.
The OCR can use statistical sampling to establish a prima facie case for the number of violations. It also can consider several aggravating or mitigating factors in its calculations, including the number of people affected, the length of time during which the violation occurred, the nature of the harm, the history of prior compliance, and the size of the covered entity or business associate.
Why Is Health the Target of Cyberattacks?
The nature of PHI makes health a prime target for cyberattacks. PHI contains immutable identifiers—such as birth dates and Social Security numbers. Consequently, PHI has higher value on the black market than, for example, credit card information.
To compound the problem, the healthcare industry has invested less in cybersecurity than other sectors have, making it a prime target. In 2015, records of about 100,000 patients were compromised by cyberattacks against healthcare organizations. In May 2017, a ransomware attack infected tens of thousands of computers in 100 countries. The threat to patient safety makes providers particularly vulnerable to ransomware attacks.
Defining the Terms
In discussing HIPAA compliance in relation to new technologies, it’s important to understand the terms:
- PHI is defined under HIPAA as any individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity. PHI includes limited data sets (a set of information that includes certain identifiers). It does not include de-identified information (information from which identifying information has been removed and which cannot be re-identified).
- Covered entities include healthcare providers, health plans and healthcare clearinghouses.
- Business associates are individuals or entities that create, receive, maintain or transmit PHI on behalf of a covered entity for functions under the HIPAA Rule or that provide certain types of services to a covered entity.
Tech vendors generally are considered business associates. There is, however, an exception for tech vendors that serve solely as conduits for PHI and only have transient access to the protected information, such as broadband providers or cellular carriers.
Whether mobile app developers are business associates depends on the services they provide. If they are creating, receiving, maintaining or transmitting PHI, they would be considered business associates. If there is uncertainty, it’s better to err on the side of caution and assume a mobile app developer that touches PHI is a business associate.
Understanding the Security Rule
The HIPAA Privacy Rule contains requirements regarding paper and electronic PHI (ePHI), while the Security Rule addresses only ePHI. The Security Rule requires covered entities to establish three types of safeguards to protect ePHI:
- Administrative safeguards are administrative actions, policies and procedures that are designed to manage a covered entity’s implementation of security measures. For example, one standard under the administrative safeguard category requires covered entities to establish security management processes to prevent, detect and correct security violations.
- Physical safeguards are physical measures to protect covered entities’ ePHI, such as restricting workstation access to authorized individuals and controlling the introduction or removal of hardware and software to ensure there are no breaches.
- Technical safeguards address the technology processes that covered entities must implement to protect ePHI. Technical safeguards include access control, such as establishing a unique ID for each user. They also cover integrity provisions that are designed to ensure that ePHI is protected from improper alteration or destruction.
Implementation specifications can be required or addressable. A covered entity must implement required specifications. In contrast, the covered entity can determine what is reasonable in the context of its operations to implement an addressable standard. If a covered entity determines not to implement an addressable specification, it must document the reasons for its decision and, if appropriate, implement an equivalent alternative measure.
In addition to requiring the three categories of safeguards, the Security Rule also imposes certain organizational requirements. Covered entities must (1) have reasonable and appropriate policies and procedures in place to comply with the Security Rule; (2) maintain a written record of any actions, activities or assessments required by the Security Rule; (3) have business associate agreements in place; and (4) retain all documentation for at least six years.
HIPAA’s Breach Notification Rule
A breach is defined as the acquisition, access, use or disclosure of PHI in a way that is not permitted by the Privacy Rule and that compromises the PHI’s privacy or security. The OCR, which oversees HIPAA, presumes that any loss of unencrypted data is a reportable breach. Therefore, all covered entities must have breach identification policies in place that require reporting any breach within a reasonable time frame—certainly within 60 days of discovery. A breach is deemed to be “discovered” on the first day that it is known to the covered entity or would have been known by exercising reasonable diligence.
Any unauthorized use or disclosure of PHI is presumed to be a breach. The burden is on the covered entity to evaluate a potential breach and determine whether or not an actual breach has occurred.
Communication Technology Trade-offs
There are trade-offs between making it easy for providers and patients to use familiar channels to communicate, such as email and texting, and protecting ePHI from improper disclosure. Below are the advantages, disadvantages and risks six technologies present, with tips on how organizations can protect themselves.
Patient portals generally present the fewest HIPAA security concerns because most were built to comply with HIPAA and meaningful use requirements. They meet patient and physician demands, because they provide 24/7 access—although that access can be clunky. Through portals, providers can control the content that is shared with patients, as well as determine what is accessed and by whom in order to create full audit and access logs.
Portals also offer clear terms of service and privacy notices, as well as transparency around how providers will use the data. In addition, patients have to affirmatively consent to sign up and use the portal. Finally, portals factor in strong HIPAA safeguards through user authentication, including unique usernames and passwords.
Portals also have some disadvantages, however. Because the authentication process requires patients to remember yet another login and password, patients have been slow to adopt portals. In addition, portals can be costly and complex to implement, discouraging innovation. To ensure optimal use, it’s important to have clear policies in place around use of the portal.
Email offers major advantages. It is easy to adopt, can be uploaded to electronic health records (EHRs) and can be encrypted. Patients also can consent to receive unencrypted information. The OCR’s HIPAA “frequently asked questions” page clearly indicates that the Privacy Rule allows covered entities to communicate electronically with their patients, such as through email, provided they apply reasonable safeguards.
Email also presents some disadvantages and risks. It’s impossible to authenticate the user through a unique name or password or to verify that the email’s recipient is the person for whom it was intended. In addition, there are issues around transmission security. If encrypted email is utilized to address transmission security, then patients need to install a program to view encrypted emails, presenting a barrier to communication. Other risks include integrity control, given that email content (including the sender information) can be easily changed; servers residing outside the United States, where there may be limited information about HIPAA and other controls; and the potential for PHI-sensitive emails to appear on the Internet.
There are many steps organizations can take to protect themselves when using email to communicate with patients, including:
- Obtaining patient consent to communicate with them via email
- Developing a “light warning” disclosure of possible security risks as part of the patient consent
- Creating protocols and practices for communicating PHI via email
- Restricting the use of personal email by the care team
- Removing the patient’s name, initials or medical record number from the subject line
- Ensuring highly sensitive information, such as Social Security numbers, is never included in any part of an email
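A pre-send check that enforces the last two practices in the list above (no patient name, initials or medical record number in the subject line; no Social Security number anywhere in the message). This is an added example, not code from the original article; the message format and the patient record are constructed for illustration.

```python
"""Pre-send check for patient email, implementing two of the practices listed
above: keep the patient's name, initials and medical record number out of
the subject line, and never include a Social Security number in any part of
the message. Added example, not from the original article; the message
format and the patient record are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Matches 123-45-6789, 123 45 6789 and 123456789 style tokens.
SSN_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")


@dataclass
class Patient:
    first_name: str
    last_name: str
    mrn: str


@dataclass
class OutboundEmail:
    to: str
    subject: str
    body: str
    attachments: List[Tuple[str, str]] = field(default_factory=list)  # (name, text)


def _subject_identifiers(subject: str, patient: Patient) -> List[str]:
    """Names, initials or MRN found in the subject line (case-insensitive)."""
    findings = []
    low = subject.lower()
    for label, token in (("first name", patient.first_name),
                         ("last name", patient.last_name),
                         ("MRN", patient.mrn)):
        if token.lower() in low:
            findings.append(f"subject contains patient {label}")
    # Initials as a standalone token, e.g. "JD" or "J.D.", not inside a word.
    first, last = patient.first_name[0], patient.last_name[0]
    if re.search(rf"(?<![A-Za-z]){first}\.?{last}\.?(?![A-Za-z])", subject, re.I):
        findings.append("subject contains patient initials")
    return findings


def check_email(msg: OutboundEmail, patient: Patient) -> List[str]:
    """Return policy findings; an empty list means the message may be sent.
    The SSN itself is never echoed back into the finding."""
    findings = _subject_identifiers(msg.subject, patient)
    parts = [("subject", msg.subject), ("body", msg.body)]
    parts += [(f"attachment {name}", text) for name, text in msg.attachments]
    for where, text in parts:
        hits = len(SSN_RE.findall(text))
        if hits:
            findings.append(f"{where} contains {hits} SSN-like number(s)")
    return findings


# Constructed sample data for a stand-alone run.
PATIENT = Patient("Jane", "Doe", "MRN-0048211")
SAMPLE_BAD = OutboundEmail("patient@example.org",
                           "Jane Doe MRN-0048211 - lab results",
                           "Hello, your SSN on file is 123-45-6789. Please confirm.")
SAMPLE_OK = OutboundEmail("patient@example.org", "Your recent visit",
                          "Hello, your results are available in the portal.")

if __name__ == "__main__":
    for label, msg in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(label, check_email(msg, PATIENT) or "no findings")
```

A real deployment would run this as a mail-gateway or DLP rule so the sender sees the findings before the message leaves the organization.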
Bring Your Own Device (BYOD)
Employees are increasingly using their own devices at work. There are many advantages to this approach, including a high adoption rate, as people always have their phones with them; cost and time savings, since there is no need to educate people on how to use their own devices; and native technologies already on the phones that can be used for patient and provider communications.
There are several disadvantages, as well. Obviously, the less secure personal devices are, the greater an organization’s risk for PHI breaches. In addition, unless a mobile device management tool is installed on each phone, there is limited ability to enforce passwords or authentication; protect the devices; wipe the devices; or disable phones if they are lost.
In considering implementing a BYOD approach, the first step is to evaluate and document the risks and benefits. Even if an organization decides to implement a BYOD policy, it may not make sense for all employees to participate. For example, organizations may want to require individuals with access to particularly sensitive and/or highly regulated information to use company-controlled devices for professional and patient communications. Other best practices include creating a detailed policy; incorporating the employer’s right to access, monitor and audit devices; ensuring staff is trained on the policy and documenting their signed agreement to comply with its terms; enforcing the use of strong passwords; installing mobile device management tools; and creating an off-boarding process to ensure the removal of any ePHI.
Texting is commonplace in many organizations—and drafting an official texting policy, permitting or not permitting it, is an essential part of a HIPAA compliance program. Texting offers many advantages, including increased patient engagement, easy adoption and faster response than email. It also provides greater access control, since people control access to their phones—and typically don’t text from any other devices. In addition, cyberthreats are difficult to execute with SMS texting.
As with all approaches, however, there are risks as well as benefits. Secure messaging apps require web-accessible devices or smartphones and may require usernames and passwords. There are also added HIPAA compliance responsibilities for tech vendors and downstream business associates. In addition, traditional SMS is not encrypted, and while cyberthreats are difficult to execute, when they do occur they’re hard to detect. Finally, full texts appear even on locked screens, opening up the potential for inadvertent disclosure.
When communicating through text, it is critical to obtain patient consent. In addition, it is important to document the information that was communicated via text in the patient’s medical record. Other best practices include evaluating the use of public messaging platforms; properly wiping mobile devices after they have been discontinued for work; and taking an inventory of all mobile devices used for texting PHI, whether provider or employee-owned.
Does the Office of the National Coordinator for Health Information Technology (ONC) say that organizations can use texting to communicate health information? The answer is that it depends. Text messages are generally not secure, and the sender does not know for certain that the intended recipient received the message. However, the ONC confirmed that organizations may approve texting after performing a risk analysis or implementing a third-party solution that incorporates measures to establish a secure communication platform.
Despite the risks, the ONC recognizes the value in texting. There’s a growing body of evidence that texting is an effective way to promote health, drive behavioral change, manage chronic diseases, encourage medication adherence, support prenatal care, and motivate weight loss and physical activity. Participants in text pilots report high user satisfaction and positive self-reported behavioral changes. Program managers find increased enrollment rates when participants are able to “opt in” immediately to a texting program.
In contrast, pilots show significantly lower rates of adoption when potential enrollees provide their contact information and consent in writing through a third party, who then enters the enrollment information and sets up the texting capabilities. The time lag between setup and confirmation, the provision of incorrect or incomplete information by potential participants, and the lack of direct engagement in the enrollment process all contribute to the lower adoption rates.
When implementing texting, it is important to consider whether encrypted texting is reasonable for a given context and will increase patient engagement. If encryption won’t bring added benefits, unencrypted texting may be most appropriate.
Texting: Not Just a HIPAA Concern
There is overlapping jurisdiction with the Federal Communications Commission (FCC) when HIPAA-covered entities use SMS text messaging. A text message is treated like any other call made to a residential line or a cellular phone and brings an additional consumer protection into play—the Telephone Consumer Protection Act (TCPA). Even if a text’s content is permissible under HIPAA, the TCPA restricts the use of an automatic telephone dialing system to call a cellular phone number without the recipient’s prior express consent.
If a message is informational and noncommercial, individuals “who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instruction to the contrary.” According to Hudson v. Shape Healthcare (9th Circuit), the call need not be made “for the exact purpose for which the number was provided,” as long as the call bears some relation to the product or service for which the number was given. It is important to be cautious, however, because there are a wide range of court decisions and findings.
Developing a Policy for Texting
Organizations that permit SMS texting must develop policies and procedures, both for texting with patients and for texting among professionals. Policies should include workforce training on the appropriate use of work-related texting, at a minimum, as part of compliance training programs to ensure there are annual reminders to clinicians. In addition, organizations should maintain device and media controls for mobile devices of professionals who create, receive or maintain text messages. Policies also should delineate permitted use cases, detailing when texting is permitted and placing limits on the types of PHI that can be shared via text.
All policies and procedures should encourage more secure alternatives for communicating highly sensitive information. If organizations have patient advisory councils, they should be part of the discussions around risks and benefits and participate in the policymaking process.
When developing a policy specific to patients, it’s important to include procedures for verifying phone numbers and authenticating identity; decide on the scope and form of consent (i.e., opt-in requirements); and disclose to patients that they will be receiving unsecured messages, as well as inform them about opt-out procedures. When designing policies for texting between professionals, consider using a HIPAA-secured platform to support care team collaboration, secure devices to allow native features but prevent photo storage, implement device controls, prohibit texting medical orders, and reinforce the need to document texts in medical charts.
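A send-time gate that turns the patient-texting policy elements above (verified phone number, documented opt-in, opt-out handling, disclosure that messages are unsecured, limits on what may go by plain SMS, no medical orders, and a chart entry for every text) into a single enforced check. This is an added example, not from the original article; the consent record, message categories and routing rules are constructed assumptions.

```python
"""Send-time gate for patient SMS implementing the policy elements described
above: verified phone number, documented opt-in consent, opt-out handling,
limits on what may be sent by unencrypted text, and a chart entry for every
message. Added example, not from the original article; the consent record,
message categories and routing rules are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Assumed policy: categories allowed over plain SMS, those that must use the
# secure messaging platform instead, and those that are never texted.
SMS_ALLOWED = {"appointment_reminder", "wellness_tip", "medication_adherence"}
SECURE_ONLY = {"clinical_result"}
PROHIBITED = {"medical_order"}

OPT_OUT_WORDS = {"stop", "unsubscribe", "cancel"}
# Disclosure that messages are unsecured plus opt-out instructions, appended to every SMS.
FOOTER = " Msgs are not encrypted. Reply STOP to opt out."


@dataclass
class Consent:
    phone: str
    phone_verified: bool          # e.g. confirmed by a code sent to the number
    opted_in: bool                # written or electronic opt-in on file
    opted_out: bool = False


@dataclass
class ChartEntry:
    """What gets documented in the medical record for a sent text."""
    phone: str
    category: str
    text: str


@dataclass
class Decision:
    action: str                   # "send_sms", "route_secure" or "deny"
    reason: str
    text: Optional[str] = None
    chart: Optional[ChartEntry] = None


def handle_inbound(consent: Consent, reply: str) -> bool:
    """Record an opt-out when the patient replies with an opt-out keyword."""
    if reply.strip().lower() in OPT_OUT_WORDS:
        consent.opted_out = True
    return consent.opted_out


def gate_outbound(consent: Consent, category: str, text: str) -> Decision:
    """Decide whether a message goes out as SMS, must use the secure platform, or is denied."""
    if category in PROHIBITED:
        return Decision("deny", "policy prohibits texting medical orders")
    if not consent.phone_verified:
        return Decision("deny", "phone number not verified")
    if not consent.opted_in or consent.opted_out:
        return Decision("deny", "no current opt-in consent")
    if category in SECURE_ONLY:
        return Decision("route_secure", "category limited to the secure platform")
    if category not in SMS_ALLOWED:
        return Decision("deny", f"unknown category {category!r}")
    full = text + FOOTER
    return Decision("send_sms", "all checks passed", full,
                    ChartEntry(consent.phone, category, full))


if __name__ == "__main__":
    c = Consent("+15550100", phone_verified=True, opted_in=True)  # constructed sample
    print(gate_outbound(c, "appointment_reminder", "Your visit is Tue 9am."))
    handle_inbound(c, "STOP")
    print(gate_outbound(c, "appointment_reminder", "Your visit is Tue 9am."))
```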
Mobile apps offer a wealth of advantages. They provide user-centric solutions and optimize the use of native device technologies, such as cameras. In addition, cloud-based platforms provide access to state-of-the-art security and robust computing power. They also bring cost efficiencies through flexibility that allows covered entities to start with small pilots and scale up, as needed.
Apps also come with some disadvantages. As more technologies are introduced, there is a multiplier effect in the challenges of compliance management that also can affect downstream business associates. In addition, there is no one-size-fits-all approach to implementing security safeguards.
There are best practices to protect organizations communicating through mobile apps. It is critical to evaluate the technology environment in which the app is providing a service and perform an appropriate risk analysis. It also is essential to develop app-specific policies and procedures within the context of the risk framework, as well as within an organization’s broader governance framework. This process includes actively engaging the stakeholders who will be using the app, both to gather input and to provide training.
The Internet of Things (IoT)
The IoT offers significant benefits. Generally speaking, these are medical-grade devices subject to Food and Drug Administration (FDA) cybersecurity standards. They very often will be tied to making a clinically relevant decision, so it is crucial that they are secure and that there are appropriate policies and procedures in place. Organizations should be diligent in ensuring providers and vendors are adhering to all the safeguards in the Security Rule.
The IoT also presents undetected vulnerabilities and risks, particularly around device inventory and management, firmware patches and updates, and transmission security. In addition, there are challenges around the need to wipe ePHI between deployments.
As with all the new technologies, the best protection for an organization is to clearly define device management procedures. There should be satisfactory assurances that there is full compliance with the FDA’s Quality System Regulation.
Coming Next Month…
In next month’s “Health Update,” we will feature part 2 of our “HIPAA and Emerging Technologies” summary, focused on evaluating and contracting with vendors, as well as reviewing compliance strategies.