This week on the HIPAA Vault Podcast, we discuss the do’s and don’ts of texting in Healthcare.

Want to learn more? Check out our blog post on HIPAA-compliant text messaging!

Transcript:


Adam
Hello and welcome to The HIPAA Vault Show, where we discuss all things HIPAA compliant in the cloud. My name is Adam Zeineddine and I’m joined today by CTO and founder of HIPAA Vault, Gil Vidals. Hi, Gil. 


Gil
Hey, Adam. Hope things are going well for you. I’m looking forward to this episode. 


Adam
Doing great. Thanks. Yeah, I’m looking forward to it as well. So last week we talked about the benefits of containerized when it comes to healthcare. And this week we’re going to keep our focus on healthcare as we do every week. But this week we’re going to be talking about the three do’s and don’ts of HIPAA compliant text messaging. So I’m going to give this a little bit of an intro. Gil, let me know what you think about it. So texting is becoming more and more important in the healthcare industry and it’s helping to revolutionize patient care. From providing faster communication between providers and patients, to ensuring secure storage of protected health information, HIPAA compliant texting technology brings a wealth of advantages to today’s healthcare professionals. When we talk about the do’s and don’ts, which we’re going to in a moment. 


Adam
Gil, what do you think in general about the advance of texting as a communication tool and platform within the healthcare industry? Do you have any thoughts on that? 


Gil
Yeah, I have a comment for you. Kind of a funny story, Adam, that this SMS and texting may not seem relevant to some of our audience, some of the, should I say older doctors and even nurses and so on. When I recall in my story here, when I was introducing to my wife the Internet, when I started the HIPAA Vault business back in 1997, I introduced the internet to her. And then she was looking at me like, well, who needs this internet? We already have faxing, we have letters. And then when she got on there, I introduced her to email and she’s like, I don’t know about this email stuff. Who needs this? Well, then she got into email. So now she’s faxing, writing hand letters and doing email. And then later I said, well, now there’s this new thing called texting. 


Gil
She put her hands up in the air. It’s like, you got to be kidding me. It’s like we need yet another form of communicating. Well, warp ahead. She writes emails like crazy. She’s still sending a few faxes because she’s in the medical field where some older hospitals have faxing and she’s doing texting. So the moral of the story is that as human beings, we love to communicate. That’s what we do very well, and we have many different ways of doing it. So texting is the preferred way for the younger generation. So if you’re running a medical practice and you have younger patients as well, you need to consider that because that’s what they prefer. And frankly, it’s faster and it gets the attention over email. You may receive an email, your audience, your patients, may receive an email and frankly, just ignore it. 


Gil
But when you send them a text, oh, they respond in seconds. So consider the response rate is much better for texting. So that’s another reason that you might want to consider adding that to your practice if you don’t already. 


Adam
Okay. And when it comes to the don’ts of texting, let’s start there. So, as you mentioned, Gil, these communication methods have progressed, to say the least, as the years have gone by. I feel like texting in a way, has almost got a new lease of life. Sorry. So in the same way that radio had a new lease of life with podcasting, it seems like texting has had a new lease of life when it comes to the use of online internet based voice over IP and things like that tools. So the first don’t is don’t rely on standard text messaging service, as it’s inherently insecure. And Gil, if you could elaborate on that a little bit. 


Adam
But I’ll give it a bit of a have whoever you’re text messaging through, so whoever your service provider is, your AT&T, Verizon, whoever it is, if they don’t guarantee that text message is not going to be listened to or intercepted, then you should not be using it to communicate with patients. Does that sound about right? 


Gil
Yeah, I think that’s a good start, Adam. That’s true. You might be using a big company like you mentioned, Verizon or AT&T, and you might think, oh, well, they’re probably safe, let me just grab the doctor might just grab her phone and just send a text to a patient. Not thinking about what’s behind this technology, what’s actually there, not to mention even the BAA. So let’s say you do send a text message. Well, did you sign a business associate agreement with Verizon? Likely no. Did you sign it with Comcast? Likely no. Because they won’t even sign those. So you have to find a provider that will sign a BAA. And so there you go. There’s one legal step that you must follow and adhere to in order to have HIPAA compliant texting. 


Gil
So now that’s not a technical requirement, but is a regulatory one. So you have to do that to check that box off. As far as the technology goes, once you have the BAA signed with your provider of texting, then they will have measures in place to ensure that when they send a text message, it goes out in an encrypted format and then when they’re communicating back, that it’s also going through secure channels. 


Adam
Right. And I think that probably brings us on to the second don’t, which is don’t fail to do a risk assessment. Gil, did you want to talk? 


Gil
Yeah. The risk assessment is important. No doubt, Adam, but the risk assessment is sort of a broad requirement for any medical practice to do your yearly risk assessment, but in particular for SMS, for texting. We have seen certain medical offices have a method to text that might be secure. So in other words, they’ve done their due diligence. They have a login to some service that when they type on the keyboard, that message goes out via text to their patient. But they’re trying to maybe save some money or maybe they just don’t know better. They have the same login for their entire office. So Betty gets on, Joe gets on, the doctor gets on the nurse. Everyone’s using the same login credentials. 


Gil
So that’s a really poor practice because let’s say a month later, the manager of the office wants to know who sent this text to one of our patients. We need to review what was sent and everyone’s like, I don’t know. And there’s no way to trace back because everyone’s using the same login. Now, the right way to do it is to have everyone in the office have their own credentials and log into the texting platform. So that when you do need to discover who sent that a month ago, you just log, go to the platform and it’ll say, oh, it was Joe who did it. 3:30 in the afternoon on the 3rd of April, and you’d be able to identify that. 


Gil
And by the way, that’s a HIPAA best practice or a security best practice to have individually identifiable credentials and not use a group one. 


Adam
Yeah, and that brings us on to the third don’t, and that is don’t include anything in the text that you wouldn’t want to be added to the medical record. And to elaborate on that a little bit, it’s basically texting. We do it personally a lot, and so we can naturally move towards being informal. But when it comes to HIPAA compliance, you want to make sure that because the text messages back and forth are being recorded and logged for HIPAA, that anything that’s discussed on the call, certainly from the provider’s point of view, is within the realms of medical professionalism. So that’s just a kind of main don’t. Maybe don’t be talking about what the person was wearing at the appointment or anything kind of superfluous like that. That would not be something to do. Okay, so there’s the three don’ts. 


Adam
I think the first do, Gil, it kind of mirrors the first don’t, which is the first don’t was don’t use a standard texting service. So we would encourage you to use a HIPAA compliant texting service and link in the description below. HIPAA Vault does provide a HIPAA compliant text messaging service for healthcare providers to use. So please do check that out. But one of the key features, whether you use HIPAA Vault text messaging service or others, is that the provider signs a business associate agreement, right? 


Gil
Yeah, that’s right, Adam. They have to sign that. And then, of course, you’re choosing a company that has technology as their expertise and can ensure that the access to the internal platform within the organization is handled properly where only certain staff have access to it and there’s a lot that goes into that. So having the BA in place really shows a lot of due diligence by the provider and I think that’s why it’s important to do that. So like you mentioned, the vault has a platform you could use and there are others. You just do your research and pick one that you feel is good for your company. 


Adam
Okay, so that’s the first do. The second do is ensure text messages are retained and integrated with the patient record. Would that be considering logs and monitoring? 


Gil
Yeah, the patient record. So in the office there’s a lot of automation these days and there’s the EMR and the management of the health record. So when you send a text message, you want it to be integrated with the medical record of that individual, of that patient. So you can have automation software that when you send the text, it gets connected to their record. So when you go in to review their record, you can see all the communication, the email, the faxes texting. You want to see all that in one place. And I think that’s very handy for the medical practitioner to see all the communication in one place. 


Adam
Yeah, I think that makes sense, especially because you don’t want too many silos of information when it comes to HIPAA compliance and medical records because you do need to be able to have a full view of the patient records when you need them in order to provide the right care. Okay, so the third do is provide regular training for your staff. I think this is also probably one of the broader ones, but I would say certainly make sure that they’re trained linking up to the earlier points in the don’t that they’re trained to know what they should be using and shouldn’t be using the texting for. But then also perhaps more general HIPAA training as well. 


Gil
Yeah, the training is important. It’s also important once you’ve done the training for your staff to have it documented. You want to be able to show what training modules were given the date, even have the employee sign off on and say, yes, I’ve received this training on this date. That’s important. If you get audited, if you had a breach and the patient records were leaked, you’re going to have an audit. And then you want to be able to demonstrate to the auditor that you are doing the training that you’re not negligent on the training to your staff. Some of the training is simple things, Adam, like don’t go take your lunch break and leave your computer unlocked where anyone that walks by can see the patient record or the EMR or the texting record just sitting there. That’s a very simple thing. 


Gil
But it still requires training. So it’s top of mind. And of course we mentioned earlier, don’t use a group credential instead use an individual credential and don’t share your credentials. So Joe might look at Susie and say, oh, I don’t remember my credentials to log into the texting platform. Can I borrow yours? Oh, sure. Here you go. That’s not the right thing to do. So there’s lots of things that seem small and consequential, but they do matter, and the training is important to cover those kinds of things. 


Adam
Absolutely. So there you have it. There’s the do’s and don’ts of HIPAA compliant text messaging. What kind of questions do you have about this? Feel free to leave them in the comments below, or reach out to us at podcast hipvot.com. And you can also tweet us at HIPAA hosting. Before we go, Gil, were there any other considerations? 


Gil
Yeah, I’d like to just mention it is frustrating, I know, because I have family members that are in the medical field, and I feel their pain because I’m in the technology field. I’m one of the few in my family decided to go with technology and not be in the medical practice. 


Adam
The dark horse. 


Gil
Yeah, I’m the dark horse. So I have, in my family, people in the medical field, and they tend to get frustrated with the technology. Oh, it’s not working the way it’s supposed to. And I get that. Right? I mean, that technology is not perfect, and it can be very frustrating. And the machine slows down. You feel like you want to grab that laptop and throw it out the window. But it is important, even though you’re a medical practitioner, even though your area of specialty is not technology, but it’s healthcare. You can’t these days just ignore the technology or just give the responsibility to the IT guy that shows up once a month at your office to check on the backups. It’s not good practice just to give them the whole thing as if it were just their responsibility. 


Gil
The medical practitioners, the administrators, have to know enough about what’s going on to be able to ensure that the medical operations are handling all of the sensitive data properly. And I admit, it’s tempting for the office manager to say, I don’t know, that’s Joe’s job. That’s our IT guy. His name is Joe. He does all of that well. It’s his responsibility to get the work done, but it’s the responsibility of the owner and the administrators to understand enough to ensure that the work is getting done. And that includes the texting platform. 


Adam
Fantastic. Well, that’s it for this episode. Please be sure to subscribe. And if you enjoyed this video, leave us a review. It really helps us, and it’ll help you to be able to watch more of these episodes as well. And until next time, thanks for stopping by.