General Department Policies & Procedures

Similar documents
Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA Privacy Overview

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

HIPAA Information Security Overview

HIPAA Awareness Training

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES

HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc HIPAA Hotline

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Basic Guide to SMS Marketing 1 2 way SMS is only available in some countries. Contact us to see if your country is supported.

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Healthcare Compliance Solutions

Pennsylvania Department of Public Welfare. Bureau of Information Systems OBSOLETE. Secure User Guide. Version 1.0.

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Department of Alcohol & Drug Programs. Information Management Services Division (IMSD) ENCRYPTION INSTRUCTIONS

HIPAA 101: Privacy and Security Basics

Protecting Patient Privacy It s Everyone s Responsibility

Mobile Health Apps 101: A Primer for Consumers. myphr.com

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

ACRONYMS: HIPAA: Health Insurance Portability and Accountability Act PHI: Protected Health Information

Metropolitan Living, LLC 151 W. Burnsville Parkway, Suite 101 Burnsville, MN Ph: (952) Fax: (651)

HIPAA Privacy and Security

SMS and Texting - A Guide to the Future

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

Managing Privacy and Security Challenges of Patient EHR Portals

HIPAA Privacy & Security Training for Clinicians

WEBSITE PRIVACY POLICY. Last modified 10/20/11

Creating a Google Voice Account:

HIPAA Compliance Annual Mandatory Education

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

HIPAA Privacy for Caregivers

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

SchoolConnects Best Practices. Guide to Sending SMS Text Messages

EJGH Encryption User Tip Sheet of 8

SMS MARKETING BLUEPRINT

UC Irvine Health Secure Mail Message Center

USES AND DISCLOSURES OF HEALTH INFORMATION

Protected Health Information. Notice Information. Notice of Privacy Practices. Nystrom & Associates, Ltd Family Support Services, Inc.

HIPAA Compliance for Students

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

Health Insurance Portability and Accountability Act (HIPAA)

BBVA Wallet Application Privacy Policy

My Docs Online HIPAA Compliance

Visa Inc. HIPAA Privacy and Security Policies and Procedures

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

SCDA and SCDA Member Benefits Group

NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (HIPAA)

How to Increase Your Marketing Recovery Rate

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA And Public Health. March 2006 Delaware s Division of Public Health 1

Secure - Customer User Guide How to receive an encrypted

NWFSC Alert Frequently Asked Questions (scroll down)

HIPAA Privacy Policies & Procedures

Vocera Communications: HIPAA Data Security and Privacy Standards for Voice Communications Over a Wireless LAN

Notice of Privacy Practices

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA

IDT Financial Services Limited. Prime Card Privacy Policy

The George Washington University Hospital

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

Opt It Get Started Guide

HIPAA Training for Hospice Staff and Volunteers

Five Rivers Medical Center, Inc Medical Center Drive Pocahontas, AR Notification of Security Breach Policy

3 Financial, Administrative and Physical Resources

HIPAA Notice of Privacy Practices

How To Write A Community Based Care Coordination Program Agreement

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

HIPAA PRIVACY FOR EMPLOYERS A Comprehensive Introduction. HIPAA Privacy Regulations-General

Transcription:

General Department Policies & Procedures Title SMS Text Messaging Policy Document Code No. Department/Issuing Agency Public Health Seattle & King County Approved Effective Date. August 23, 2013 DPH Director 1.0 SUBJECT TITLE: SMS Text Messaging Policy 1.1 EFFECTIVE DATE: August 23, 2013 1.2 TYPE OF ACTION: Provides guidance on text messaging and includes an option to request an exception to the Encryption Policy 1.3 KEY WORDS: SMS, Short Message Service, Texting, Text Messaging, Protected Health Information (PHI) 2.0 PURPOSE: The purpose of this policy is to establish guidance on short message service (SMS) text messaging by members of the Public Health Seattle & King County (PHSKC) workforce, and addresses security risks and procedural issues presented by SMS text messaging. 3.0 ORGANIZATIONS AFFECTED: Applicable to all divisions and programs within Public Health Seattle & King County 4.0 REFERENCES: 4.1 45 CFR 160 and 164 HIPAA Privacy and Security 4.2 DPH INF 1-7 Encryption and Decryption Policy 5.0 DEFINITIONS: 5.1 SMS (Short Message Service or Text Messaging): The sending of 160 character messages over a cell phone or through a web-based interface to one or more cellphone recipients. 5.2 Short codes (numbers): Five or six digit special telephone numbers used for sending SMS messages.

Effective Date: August 23, 2013 2 of 7 5.3 Protected Health Information (PHI): Individually identifiable health information in any form whether oral, written or electronic. Individually identifiable health information refers to information that: Relates to the individual s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual. Identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. 5.4 Public : Individuals who can opt in to receive general educational health promotion and prevention messages. 5.5 Client : A member of the public who presents for health care (mental or physical) including minors and adults receiving health care, social services, dental services and other health care services from Public Health care sites and/or programs. Clients include deceased persons who have received care. 5.6 SMS vendor : A company that provides a web-based interface to store contact lists and manage the flow of messages from the sender to the cellular phone carriers. 6.0 POLICIES: GENERAL REQUIREMENTS FOR ALL TYPES OF TEXT MESSAGES: 6.1 Consult and inform Public Health Seattle & King County s Communications Team prior to launching a texting program. Texting for public health purposes is a relatively new form of communication. The Communications Team will provide logistical assistance and messaging guidance and support. 6.2 Administrative Safeguards: 6.2.1 Consent: Do not text clients or the public without their consent. Consent consists of signing a consent form, opting in using a website or short code. Written opt in forms should be stored in accordance with medical record and record retention requirements. Include the following information for consent: 1) Statement of potential costs of text messaging; 2) Request individuals provide updated phone number to Public Health program staff in case a cell phone number changes where appropriate; and 3) Information on how to opt-out of receiving text messages. If using a short code, clients and the public must be told they can opt-out of a texting program

Effective Date: August 23, 2013 3 of 7 at any time by texting stop or unsubscribe to the five or six digit short code. Opt-out information should be sent to clients and the public periodically to remind them how to unsubscribe. See Appendix 10.1 for example of opt-in form. Regularly confirm that client contact information is accurate and up to date. 6.3 Physical Safeguards: 6.3.1 Security: Text messages must be sent from a county owned cell phone (including smart phones), other mobile device, or approved computer application. If using a mobile device to send text messages, password protect the phone. Assure that the cell phone number of the client is recorded correctly. Assure mobile device used to send text messages is secure at all times, including after work and at home. 6.3.2 Storing and destroying messages: Identify a clear plan for removing text messages from county phones or webbased interface systems. Delete text messages after communication is completed and necessary information is recorded. All text messages sent or received will be documented and stored in accordance with medical record and record retention requirements. 6.4 Technical Safeguards 6.4.1 Vendor: When using a third party vendor to send text messages, consult with KCIT PH first to assure an appropriate system is selected and security controls are thoroughly evaluated. 6.5 Message content: 6.5.1 SMS text messages must not contain protected health information (PHI) unless an exception to the Encryption and Decryption Policy has been fully approved. See Appendix 10.2 SMS Text Messaging Policy Exception Request Form to request an exception. 6.5.2 Do not store first and last names in the address book of the cell phone used for sending text messages. Instead, store first name plus last initial. 6.5.3 Limit or exclude, where possible, client identifiers when sending a text message. Never use first and last name in a text message.

Effective Date: August 23, 2013 4 of 7 6.5.4 Examples of permissible content: Sample text messages permissible without requiring an SMS Text Messaging Exception: - John, Remember your goal to eat breakfast every day? Grab an apple on your way out this morning. Check www.kingcounty.gov/health for more information. - Keep our community protected against the flu. Get your child and family members vaccinated this year. For more info. see www.kingcounty.gov/health Examples of content that may be sent to clients so long as the content does not denote a specific health service or condition: - Sender name - Sender county phone number - Statement that identifies the sender is from Public Health - Request for the client to call sender - Appointment address - Clinic name if facility name does not denote a specific health service or condition. Examples: - Public Health or Public Health Center - TB Clinic or STD Clinic is not acceptable to include in a message without prior approval (using the Text Messaging Policy Exception Request Form) because the name of the clinic indicates the type of health condition a client might have. - Client s appointment time - Client s first name or client initials - Individualized health promotion information (as long as a specific health condition is not included or cannot be inferred) Any messages that include a phone number or address require additional review because phone numbers or addresses could reveal information about a health condition or type of service. For example, the messages below may be acceptable depending on the specific phone number included in the message. - Hi John, this is Jane Doe at the Public Health clinic. Your appointment is tomorrow at 3 p.m. Call me at XXX-XXX-XXXX if you need to reschedule. - John, I am with the Harborview Clinic and I have information for you regarding an urgent health matter. Please call me at XXX-XXX- XXXX. - Hi John, it s Jane Doe from the Harborview clinic. Don t forget to take your medicine today! Call me at XXX-XXX-XXXX if you have any questions.

Effective Date: August 23, 2013 5 of 7 6.5.5 Handling client generated messages that include PHI: If a client responds to a text message with information that contains PHI, such as a description of their medical condition, do not respond to the original text. Instead, send a new text message that requests the patient call you. Examples: I can tell you more when you call. Please call me at XXX-XXXX. The info I have for you is confidential. I can tell you more if you call. Please call me at XXX-XXXX. If a client does not call you, use your best judgment in responding. For example, if a client texts you with a description of a condition that requires follow up with a health care provider, do not include PHI in your response. If circumstances necessitate inclusion of PHI, follow up with Compliance after the fact. 6.6 Text messaging best practices: 6.6.1 Tone: Be aware of the tone of your text. It is difficult to discern tone in text messages. Be professional at all times. Do not use abbreviations; for example, 411 for information or CM for call me. 6.6.2 Cost: Be aware that some people do not have an unlimited texting plan with their cell phone carriers and may be charged for messages. If a message is over 160 characters, the message will be split into two messages. Text messages are for short, concise communication so be judicious in the length of the text message and the number of text messages you send. 6.6.3 Text messaging is a rapid means of communication. The public expects timely responses. Set up clear expectations with clients and the public about two-way communication including whether you will return messages, and how rapidly. 7.0 TEXTING PROTECTED HEALTH INFORMATION An exception to the Encryption and Decryption Policy Sending protected health information (PHI) via text message requires an exception to the Encryption and Decryption Policy. See Appendix 10.2 SMS Text Messaging Policy Exception Request Form to request an exception. 8.0 PROCEDURES:

Effective Date: August 23, 2013 6 of 7 Action: Business Standards and Accountability 8.1 Review exception requests submitted using SMS Text Messaging Policy Exception request form to determine risks of granting exception. 8.2 Forward SMS Text Messaging Policy Exception request forms to appropriate PHSKC management for approval. 8.3 Document text messaging exceptions to the Encryption and Decryption Policy by Public Health programs. Communications Team Action: 8.4 Provide guidance to program staff using text messaging for public health and clinical purposes. 8.5 Document uses of text messaging by Public Health Seattle & King County programs. 8.6 Collaborate with programs to vet program needs for text messaging and consult if necessary with BSA to determine whether an SMS text messaging exception form should be submitted. 8.7 Update texting policy as technology and evidence surrounding SMS text messaging for clinical and public health purposes becomes available. Action: Public Health Workforce 8.8 Refer to policy above to comply with SMS text messaging guidance. 8.9 Request an exception, if proposing to text protected health information, by completing SMS Text Messaging Policy Exception request form and submitting. Department Director or Designee 8.10 Provide approvals or disapprovals of SMS Text Messaging Policy Exception Requests. 9.0 RESPONSIBILITIES: 9.1 Business Standards and Accountability is responsible for documenting SMS text messaging exceptions throughout Public Health Seattle & King County.

Effective Date: August 23, 2013 7 of 7 9.2 Supervisors and managers are responsible for ensuring public health workforce follows text messaging best practices and policies. 9.3 The Communications Team is responsible for providing guidance to programs on text messaging best practices. 9.4 The Department Director or Designee is responsible for approval of SMS Text Messaging Policy Exceptions. 10.0 APPENDICES: 10.1 Text Message Opt-In form 10.2 SMS Text Messaging Policy Exception Request Form (Includes Appendix A)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information