VHCA Legal Quarterly

Transcription

1 VHCA Legal Quarterly Winter 2015 Text Messaging in Nursing Facility Patient Care: HIPAA Challenges, Survey Scrutiny, and Possible Solutions Written by Nathan Mortier and Peter Mellette Mellette, PC Williamsburg, VA I. Introduction Text messaging has rapidly become the preferred method of communication for mobile device users in many health care organizations. Text messaging is often preferred as an efficient replacement for pages and phone calls, with instantaneous communication permitting health care professionals to attend to multiple patients at once. Arguably, the benefits of text messaging between health care providers may also improve patient outcomes by providing clear, written instructions between physicians and patient care staff, resulting in faster response times and fewer communication errors. These benefits may be more pronounced in long-term care than in other health care settings (such as acute care hospitals) due to the increased need for remote communications resulting from the limited availability of physicians on site. Text messaging is a broad term that initially referred to the use of the Short Message Service (SMS) used over cellular networks. Currently, the term encompasses any communication service or application that permits the sending of electronic written messages between two or more mobile devices. Following the adoption and proliferation of smartphones, many competing instant messaging services are now in wide use around the world. 1 Notably, estimates in 2014 predicted that instant messaging services on mobile phones (including WhatsApp, imessage, and similar services) would carry twice the volume of messages sent via traditional SMS. 2 Nursing facility providers may have overlooked how text messaging by staff complies with the security and privacy requirements of HIPAA and the HITECH Act (referred to collectively as HIPAA ). Specifically, many health care providers have not developed policies that recognize that text messages, in some cases serving as a convenient replacement for pages and phone calls, create electronic records of the content of conversations while pages and phone calls do not. In fact, to the extent that text messages contain individually identifiable patient information, text messages create electronic protected health information (ephi) that is stored as electronic media on the smartphone. 3 Providers may incorrectly view sending a text as analogous to a quick phone conversation or a discreet hallway chat regarding patient orders or a patient s status. Indeed, even a simple text message, if it includes PHI, is subject to the same privacy and security standards as the full electronic health records (EHR) maintained on hospital and health care organizations servers. Virginia Health Care Association 2112 W. Laburnum Avenue, Suite 206 Richmond, Virginia

2 Winter 2015 Page 2 II. Requirements of HIPAA and HITECH HIPAA requires that all health care providers maintain the confidentiality, integrity, and availability of all ephi a covered entity creates, receives, maintains, or transmits. 4 Providers must ensure that ephi is not available or disclosed to unauthorized individuals, is not unintentionally altered or destroyed, and is accessible and usable on demand to individuals authorized to view the ephi. 5 The HIPAA privacy rule limits disclosure of ephi only to authorized individuals and entities and enumerates the reasons for which PHI or ephi may be disclosed. 6 The HIPAA security rule requires PHI or ephi to be protected from any threats to access and potential disclosure to unauthorized persons. The security rule also requires providers to have a plan of action if such a disclosure occurs. 7 For ephi, these security standards typically require, among other steps, encrypting all ephi, storing ephi on a secure network, authenticating receivers of information, and implementing protocols for destruction or permitted alteration of ephi. In turn, if any of these safeguards fail and a breach in information occurs, HITECH requires that covered entities and business associates report any breach of ephi to the Office of Civil Rights. Unfortunately, it is difficult to see how SMS or text messaging of ephi can meet the requirements of the HIPAA security rule for health care organizations. Traditional SMS messages are not encrypted, texts may stay on a telecommunication's provider's server for indefinite periods of time, and there is no way to authenticate the recipient. Other services, such as imessage, may assure users of encryption between devices, but still present many of the same weaknesses as traditional SMS. For example, text messages do not provide the same opportunity for voice identification between health care providers, and there is concern that a family member or other person with access to a health care provider s mobile device could view or reply to a message instead of the intended recipient. Although mobile devices have come a long way with the addition of more robust security settings, consistency in mobile device security is difficult when most users can change their settings to be more convenient and less secure. Even if a health care provider conducts an appropriate risk analysis and determines that adequate security measures can be consistently implemented and adequately supervised, it is doubtful that most popular text messaging services can adequately preserve the availability of the ephi that is transmitted. For example, following a detailed message from a nurse about the condition of a patient, a doctor may issue an order via a reply message. In what may be a brief exchange, the nurse s message and the doctor s texted reply have become ephi. Because the recorded conversation is now ephi, it is now required to be made available in the patient s medical record. But how is this accomplished? Unless the text messaging application integrates with an EMR system and associates the exchange with the correct patient record, preserving future access to the texting record seems next to impossible. Text messaging services offer little protection from the most significant present danger to the privacy and security of text-messaged health information: the unintended recipient. Most mobile device users will acknowledge sending a text message to the wrong person at least once. Unfortunately, text messaging a patient s health information to the wrong person carries consequences beyond a text to the wrong person about weekend plans. In addition to the likelihood of an unintended recipient viewing the PHI, information could also be viewed by or forwarded to others. Text messaging ephi to unintended recipients likely constitutes a HIPAA breach. HITECH defines a breach as any "unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. 8 Notably, the latest rules presume that any unauthorized disclosure is a breach and requires reporting to the HHS Office of Civil Rights unless there is a documented low probability that the PHI was compromised. The OCR rules direct providers to consider a number of factors in making that determination, including the nature and extent of the PHI involved, whether the PHI was actually viewed, the identity of the unintended recipient or recipients, whether the recipient or recipients have provided assurances that the information has been destroyed, and whether the risk to the PHI has been mitigated. Concern over text messaging within health care organizations has been growing. Although Joint Commission Accreditation is rare in long-term care providers, the Joint Commission s standard on texting of physician orders in 2011 is notable for its brevity. In response to a FAQ on whether it is acceptable under the Joint Commission standards to text patient orders, the Joint Commission determined:

3 Winter 2015 Page 3 No it is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other health care setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record. 9 Regardless of accreditation status, the Joint Commission s position is an effective summary of some of the primary challenges specific to texted physician orders. III. Survey Considerations In addition to the civil remedies available for HIPAA compliance lapses by all health care providers, nursing facilities should be concerned with possible survey citations for privacy issues related to texting. A May 2014 survey and later CMSimposed remedy against a nursing facility in North Carolina provides a cautionary note. 10 In that case, nursing facility nurses texted patient information to physicians or physician assistants for several residents. The physician or physician assistants had allegedly requested to be texted the information and there were no allegations that the information went to the wrong person or that any unauthorized person saw the resident s information. The texting did, however violate a facility policy that prohibited transmitting confidential information via mobile devices. The facility received an E level deficiency (no actual harm but potential for more than minimal harm) under FTag 164. That tag does not mention HIPAA, but only recites the standard that each facility keep each resident s personal and medical records private and confidential. 11 The case is particularly notable because CMS Region IV reportedly imposed a 10-point directed plan of correction that required the facility to, among other actions, hire an outside independent contractor to train staff and management, revise HIPAA policies and procedures, designate a HIPAA compliance officer, and notify all residents and families of the alleged HIPAA violation and the steps being taken to remedy it. 12 Remarkably, while many of the required actions are already required under HIPAA (such as the development of policies and procedures and designation of a compliance officer), some of the actions required in the directed plan of correction extended beyond HIPAA s requirements (such as the notification of all residents and families). It remains unclear if this example of aggressive enforcement of privacy rules in CMS Region IV will become more frequent or will expand to other CMS regions. However, nursing facilities should expect survey teams to look at privacy issues more closely, particularly as HIPAA breaches remain in the news and federal enforcement efforts ramp up. IV. Solutions Given the HIPAA concerns of traditional SMS or other popular text messaging services, nursing facilities should first determine the extent to which text messaging may be in use within their organizations. Following assessment of current practices, nursing facilities should then develop appropriate policies, procedures, and training to prevent inappropriate uses of text messaging services. Although traditional SMS and popular text messaging services are unlikely to meet the privacy or security requirements of a health care organization as identified in a HIPAA risk analysis, there are other options available that may provide the benefits of text messaging in a HIPAA compliant manner. HIPAA compliant s of ephi have been made possible by using programs that provide for secure attachments and require the recipient to sign in with a password before viewing sensitive information. Third party texting services, similar to what is used for , now exist and can help providers ensure compliance with the HIPAA security rule. While development of such applications is still relatively young, some secure messaging platforms exist to address many HIPAA concerns, including recipient authentication, a limited address book, remote text deletion, notification when a text is delivered/read, encryption of texts, and secured attachments of pictures, charts, and even voice notes. Some third party texting platforms permit the user to control the lifespan of a message so that the message automatically deletes itself from a mobile device within a certain time period while messages are stored long term on a secure server. Most importantly, a few secure texting apps allow nursing facilities to integrate their EHRs with the secure texting program, permitting users both to attach information from the EHR to their messages and to add information to the EHR based on their text conversations. Nursing facilities that choose to consider a secure texting platform should keep in mind the three requirements for securing PHI: confidentiality, integrity, and availability. Any platform chosen must be carefully designed to satisfy all three elements.

4 Winter 2015 Page 4 Some nursing facilities may not wish to invest in the servers, network infrastructure, or costs to implement a commercial text messaging service that meets HIPAA s stringent requirements. Such facilities could, however, be creative in obtaining some of the clinical benefits of text messaging without running afoul of HIPAA s rules. Facilities may wish to implement policies and staff training that permit limited uses of text messaging that do not include PHI or other confidential information (such as quality assurance and performance improvement communications). For example, a nursing facility may develop a protocol in conjunction with its attending physicians for nurses to text requests for physicians to call them back within a specific timeframe, depending on the urgency of the matter. Such a protocol would be quicker for nurses and would provide an attending physician with a clear expectation of how soon communication is needed. V. Conclusion Health care is a team effort that requires timely and sophisticated communication between team members. Although health care providers have been innovative in incorporating text messaging into clinical communication, now is the time for nursing facilities to step back and determine if patient information is being handled in text messages and whether current practices comply with HIPAA requirements. Long-term care organizations that have not yet seen use of text messaging within their organizations should consider drafting and implementing policies now to prevent future privacy concerns. In addition to training staff and ongoing efforts to ensure compliance with texting policies, long-term care organizations should work closely with outside physicians and other health care providers to ensure that expectations for appropriate text messaging are explained and understood by the entire health care team. This article is for general educational purposes only. It is not intended to provide legal advice specific to any situation you may have. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice. 1 While technology and trends are always changing, current popular messaging services include WhatsApp and Facebook Messenger. Apple s messaging platform, imessage, is included with the popular iphone and has largely seamlessly replaced text messaging between iphone users. 2 Deloitte, Short Messaging Services Versus Instant Messaging: Value Versus Volume, 2014 (available at telecommunications/deloitte-au-tmt-short-messaging-services-versus-instant-messaging pdf) (Accessed Mar. 5, 2015) C.F.R C.F.R C.F.R C.F.R C.F.R (a)(1) U.S.C (1)(A). 9 Joint Commission, Standards FAQ: Texting Orders, November 10, StandardsFAQId=401&StandardsFAQChapterId=79 (accessed Mar. 2, 2015). 10 CMS-2567, Woodlands Nursing & Rehabilitation Center (Fayetteville, NC), Survey Completed May 8, See 42 C.F.R (e). 12 Kenneth L. Burgess, Nursing Facility Survey Trends: Directed Plans of Correction, Privacy Violations and FTag 520 Quality Assurance Committee Citations, Poyner Spruill, July 24, 2014, available at (accessed Mar. 5, 2015).

5 Winter 2015 Page 5 ABOUT THE AUTHORS Nathan Mortier Peter Mellette Mellette PC In his statewide law practice, Nathan Mortier represents health care clients, including nursing facilities, physicians, and other licensed facilities and practitioners by offering daily counsel on regulatory compliance, contracts and operational issues, licensure and certification, investigations, COPNs, and professional board disciplinary actions. Mr. Mortier received his law degree from the College of William & Mary. Additional information about his firm, Mellette PC, is available at Peter Mellette has represented health care providers, including medical facilities and practitioners, for over 25 years. As the founding shareholder and principal of the law firm Mellette, PC, he offers daily counsel to health care clients on regulatory compliance, third party payment, capital project development and financing, contracts, transactions and a variety of operational issues affecting provider services. He is a regular contributor of articles on legal issues relating to reimbursement, peer review, and long-term care. He has five published law review articles on health care law and administrative law issues and dozens of other publications to his credit. Mr. Mellette participates in a variety of community and bar activities, including recent service as chairman of the Virginia State Bar Clients Protection Fund Board. His past service includes chairmanship of a local hospice board, chairman of a local adult literacy board (Literacy for Life) and membership on the Virginia Law Foundation Committee on Continuing Legal Education, and Richmond Bar Association committees. He currently serves on the Williamsburg Regional Library Foundation Board, the Hospice House and Support Care of Williamsburg Advisory Council, the Literacy for Life Advisory Council, the Rotary Club of Williamsburg Board, and is active with his local church. Mr. Mellette was graduated from Dartmouth College with an A.B. in Policy Studies (health care focus) and from the T.C. Williams School of Law at the University of Richmond with his J.D. He lives in Williamsburg with his wife, Kerry, and has two grown daughters.