Late last year, anyone using the right search terms could have stumbled onto an open database containing valuable text messages that should have remained private — including appointment and billing information from several as-yet unnamed medical facilities.
The server, hosting at least 26 million texts, has since been taken offline. The dangers of texting, however, are here to stay.
Now in use in nearly all healthcare settings, text messaging has, in some ways, transformed patient care. It can allow instant communication between physicians in different buildings; capture clinical observations handily; and make rehab patients feel more involved in their care through direct messages.
But the speed and frequency of messages — and the way they are relayed — also leaves skilled nursing facilities and their residents vulnerable to security threats ranging from hackers to human error or malfeasance.
“We have all heard negative stories about texting at long-term care communities or the posting of inappropriate content on social media,” says Matt Mello, director of sales for CareWorx. “The fact is, mobile devices … and texting do have a place in senior care, as long as the facility takes the necessary steps through employee education, policies and procedures and mobile device management to prevent non-job-related usage.”
While social media posts get much of the press and attract high-dollar fines for HIPAA violations, inadvertently intercepted text messages or those including identifying information also draws the scrutiny of regulators.
“The OCR has really stepped up enforcement of all HIPAA-related violations,” notes Kimberly Gordy, associate at BakerHostetler. “Just because there’s not a fine doesn’t mean it’s not going to be a problem you have to report.”
How can long-term care providers balance the benefits of bedside smartphone use with the need to protect patient privacy and a facility’s own data?
“Ideally, the senior care facility should provide locked-down mobile devices to employees providing care and have those devices remain onsite when the employees go home,” Mello says. “Mobile device management can help control appropriate use of mobile devices and is critical in meeting compliance and security standards.”
Company-supplied phones give the system administrator the ability to freeze settings so users can’t text outside of an established circuit, says Jayne Warwick, PointClickCare’s director of market insights.
But the reality on the ground is that most facilities have a bring-your-own expectation, observes Doron Gutkind, chief software architect at LINTECH.
“The best practice then is a secure messaging platform gets installed on that phone … and all communication about your facility and your patients should be done through that platform,” he says.
That allows a work-around for some inherent risks of traditional SMS, which, according to John DiMaggio, CEO of BlueOrange Compliance, include: copies of data being stored on providers’ servers indefinitely; the ability of unencrypted, sensitive data to be compromised when a phone connects to public Wi-Fi, unauthorized views; and editing or forwarding of personal health information.
“As the need to integrate technology into an organization’s workflow increases, so do the stakes,” DiMaggio says.
Creating a record trail
Though HIPAA does not require providers to avoid texting, many skilled nursing facilities were cautious until the Centers for Medicare & Medicaid Services clarified its position on such messages in late 2017.
Providers can text patient information among members of a healthcare team, as long as it’s done by a secure platform. Patient orders, however, still must be recorded by hand or computerized provider entry.
Security threats aren’t the only texting-related concerns with which providers must grapple.
“There are plenty of products out there that are HIPAA-compliant,” says Amy McCracken, a Chicago-based healthcare attorney with Duane Morris. “That said, I still think (texting) is a bad idea. And it’s not because of cybersecurity. It’s because of the storage. Text messages are historically difficult to get into the patient’s record.”
The informal nature of texts may tempt even the best clinicians to shorten their notes, potentially omitting some parts of an observation that might be captured in a more structured interface, McCracken adds.
Until the transfer of texts containing medical information into EHRs is commonplace, providers will need to be cautious about ensuring details are retained in some way, she warns.
“Documentation is a delicate balance,” McCracken adds. “There’s a big saying in the legal field: ‘If it’s not documented, it didn’t happen.’”
A text that doesn’t make it into a resident’s chart will be viewed the same as a never-charted verbal conversation — a potential knock against a provider being accused of negligence.
Jody Harbour, product lead at American HealthTech, encourages providers to give employees enough time to transfer information into records, though his support staff can restore some chats if requested.
Text messages are considered electronically stored information and are now regularly subpoenaed, Warwick warns. Facilities should configure an automatic purge and write the frequency into policy to protect all involved.
“If the data is purged, and it is captured in policy, they can’t be used in court,” Warwick explains.
Here to stay
Even in facilities that don’t encourage texting to communicate, employees might still be carrying phones or tablets to take advantage of mobile medication-ordering, wound-tracking or EHR platforms. And that means they’re probably texting, too.
“It’s happening every day, no matter what the policy is. You see the phones ringing and lighting up in pants pockets,” Harbour says.
American HealthTech teamed with QliqSOFT to develop an in-app messaging tool as part of its Communication Center. On the system that rolled out October 1, users can send secure messages to fellow employees within the app, or generate SMS messages to external recipients (including relatives) that open up in a secure viewer.
While some secure-messaging platforms that run independently of clinical or financial software bill per user, American HealthTech’s, for example, can be used by anyone accessing its clients’ products.
Harbour said per-user limits can discourage facilities from giving all employees text capabilities, a situation non-included workers may remedy by using their personal text apps.
Medtelligent has worked with both SNFs and assisted living communities, which typically have more texting leeway as non-covered entities. General Counsel Trisha Cole says the company uses American HealthTech’s Center for its skilled nursing customers, but ALIS, its assisted living product, offers SMS services for 75 different events.
Gordy warns that the mix of standards for different senior care environments and the entry of non-healthcare specialists into the messaging field should give providers pause.
Ask if they’ve vetted their product with healthcare counsel, she advises, and verify that a business associate agreement will secure personal health information.
Other attorneys said that to prove due diligence, providers also should offer regular employee training on texting standards, use platforms that require two-factor identification, force automatic timed log-outs, and conduct audits for compliance.
LINTECH previously worked on software that would scan all employee messages instantaneously to check if they contained personal health information. Providers would be able to set rules, such sending an alert if secondary PHI is used or blocking the message from being sent if it includes primary identifying information. Gutkind still hopes to bring it to market.
Cole warns that employees may have to be notified of such surveillance ahead of time, per the Supreme Court’s ruling in City of Ontario, California v. Quon. McCracken also advises that employees allow data management software to be installed on personal devices as a hiring condition, enabling administrators to wipe patient information if it’s lost or the employee leaves.
Another option is limiting which employees have access to secure messaging and making all others store their devices while working.
Restrictions could reduce the odds of human error and lessen exposure to increasingly sophisticated schemes such as phishing and “spear phishing,” in which hackers try to gain access to protected systems by posing as a trusted sender (such as an administrator they know is away from the office).
In addition to focusing on quantity and security of messages, providers need to examine how they reflect quality of service.
“It’s always important to step back and put myself in someone else’s shoes and say, ‘If I read this about my mom, would I be OK with it?’” Gordy said.
Text messages that get aired in court — or in any public manner — can be damning if sent without the right level of sensitivity. Negative press related to a data leak or inappropriate text could be as bad, or worse, than an Office of Civil Rights fine.
“People spend sometimes hours looking for the best place to have Ramen noodles,” Gordy says. “It’s going to be tenfold that when someone is looking for a facility where their family member might spend the rest of their life …. Social media and word of mouth are very, very powerful.”