LTC Compliance Alert – Text Messages a
nd PHI Do Not Mix! Is There a Solution?
By Rod Baird
Unsecure Text Messages between facility staff and attending physicians are citable as deficiencies under F tag 164 – Patient Privacy. North Carolina’s Division of Health Services Regulation (survey & certification) just issued a notice to all facilities of a recent survey citation (*quoted at the end of this blog).
This is a problem I’ve suspected for several years. An AMDA colleague and I were debating the relative benefits of various ‘instant’ communication strategies. He stated his physicians favored text messaging with facility staff because of the convenience. I cited the lack of security as an issue. Now, thanks to the State of NC, this question seems to be settled.
Current Best Practices
My medical group, among others, uses call routing software that forwards calls to the provider covering a particular facility. We expect that on-call provider to answer calls and directly communicate with the nursing staff. Outside of emergency calls, we expect facilities to queue up calls so all routine communications happen on a schedule. All calls are recorded, so an official record is “available”. Those recordings are stored in a HIPAA compliant environment, and cell phone calls are extremely difficult to ‘hack’.
Of course, nothing will prevent eavesdropping, so providers using phones have to be vigilant about verbalizing the patient’s identity. We use call routing software so the physician’s personal Cell Phone number can be shielded from the facility staff so that we avoid creating an avenue for text messaging.
Both Strategies Fall Short
Text messages that aren’t secure (encrypted) violate HIPAA, and even when they are ‘secure’ they are not usually incorporated in the respective medical records. If a provider were to lose his/her phone, the messages may very well be stored in the phone’s memory.
How Can a Practice Prove a Phone was Secured?
Only by installing remotely administered ‘wipe’ software on the cell phone, can you satisfy the full expectations for privacy protection. Telephone calls satisfy the security requirements, but fail at being easy to index and search.
Some LTC software vendors (e.g. Point Click Care) offer secure text messages, and some Physician groups have adopted commercial Apps (we use Brosix, others use Twistle). These strategies fail because the proliferation of interfaces, and requisite passwords, can crush physician productivity. The ultimate strategy is to interface electronic records, but until the industry settles on a set of interoperability standards, we need a short term solution.
A Standard to Rule Them All
The solution I propose is that the LTPAC community (at the state or regional level) tries to adopt a standard secure texting application. That way there is a model that can be supported across multiple provider communities. As both a Practice Manager and an EHR vendor, we’d support any model that had common use – this isn’t a proprietary issue. Let’s incorporate what nurses and physicians are actually doing in a compliant fashion. Text messaging is being used because it solves a problem – isn’t it time we listened to the people actually delivering care?
Who knows – if this is successful we might actually begin exchanging useful clinical information that leads to better care.
*Email notice from North Carolina’s Division of Health Services Regulation regarding Resident Identifiable Information
Subject: [DHSR.NH.Administrators] Personal Cell Phones and Resident Identifiable Information
Hey all,
I just wanted to bring up an interesting deficiency that we had recently. The situation was a facility was allowing staff to use their personal cell phones to text information to the MD and the MD was texting back directions, etc. to the staff for resident care. This is a great use of technology and there is no intention here to stop new innovative ways of keeping the MD informed of resident care, but if these types of devices are used then it is imperative that the information on the phone is protected in some way to be in compliance with the privacy tag at F 164.
There are many ways that this can be accomplished through the utilization of encrypted software that protects the data through specific applications that are designed for this. We would also expect the facility to have policy and procedures to direct the staff in the use of the information, how is the information being transferred to the residents record to be able to establish a documentation trail and how is the facility assuring that the information is both in the record and then if on a cell phone how is that information being deleted once it has been transferred to the resident’s record. All of these are important issues that need to be addressed if the facility is going to utilize this technology.
We are sure that there are other issues too that I have not addressed but what is important is that the facility have a dialog internally and that the facility have policy and procedures to assure that the resident identifiable information is protected according to HIPAA. I hope that this will help give you all some food for thought. Questions let me know.
Cindy
Cindy DePorter, MSSW
Department of Health and Human Service
Division of Health Service Regulation
Assistant Section Chief Acute and Home Care &
Manager Quality Evaluative Systems NH Licensure and Certification
About the Author: Rod Baird is founder and president of Geriatric Practice Management (GPM) and gEHRiMed. Since 1977, he’s led provider and management organizations that deliver care to Medicare/Medicaid beneficiaries. He also was chosen to be a part of the Centers for Medicare and Medicaid Services’ (CMS) Innovation Advisors Program. Originally posted on LTC Management with permission to syndicate.