28 June 2012

TEXT MESSAGES used for Patient Care are NOT HIPAA COMPLIANT!


TEXT MESSAGES used for Patient Care are NOT HIPAA COMPLIANT because the telecom servers used to send those messages are not secure, and the telecoms store the actual content of the messages for up to seven years!

Additionally, the telecoms do not now, nor will they likely in the future, provide proper HIPAA / HITECH training to their employees. Telecoms also do not provide Letters of Agency to outside contractors and are not compliant with the data and log retention policies required under the HITECH portion of HIPAA.

All of these things are required to meet the compliance requirements required by HITECH.

In a recent article in Wired Magazine, Wired included data which showed the SMS message and data retention policies of the four major wireless carriers.

Wired's article, which can be found here, was based on a secret memo obtained from the Justice Department.

The memo exposes the length of time for which data is stored by wireless carriers. Of concern in this article is both the amount of time that TEXT or SMS messages are stored by wireless carriers and the fact that the data is neither stored on secured servers nor handled by employees and vendors who have been properly trained under the HITECH portion of the HIPAA requirements.



While the second line of the chart shows that the CONTENT of the message may be retained for only 3 to 5 days, the fact that it is saved at all raises questions under HIPAA / HITECH.  Because the first line states that the DETAIL of the message is saved for up to 7 years, we can conclude that some providers choose to keep the CONTENT of the message in the DETAIL of the message.  Either way, the fact that they are saving confidential patient PHI for even a second, along with the fact that the data is running through unsecured servers and data circuits, is clearly a violation of HIPAA / HITECH.


The next two lines show IP SESSION and IP DESTINATION information.  Because IP assignment records are kept for various periods by the different carriers, this ties patients and healthcare providers together: the IP session and destination information can be traced directly back to a specific provider who is caring for a specific patient.

In the last lines, we see the call detail record retention periods.  While many may construe these to pertain only to voice calls, SMS or TEXT MESSAGES are part of those call records and, once again, this can be used to tie specific providers to specific patients.

Handling and storing patient PHI, and meeting the requirements of HIPAA / HITECH, requires:
  • secure servers;
  • controlled access to the servers;
  • controlled access to server rooms based on a need to have access basis only;
  • security training on a minimum schedule of at least twice a year; and
  • a written business associate agreement between the healthcare provider who uses the telecom provider's text messaging service and the service provider.
Because the telcos also have outside vendors who work with the switches and software, this will also require business associate agreements with everyone who comes in contact with the switches and even the buildings in which they are housed.  The HITECH portion of HIPAA also requires those same business associate agreements and training for everyone who maintains the cellular towers and the lines between the towers and the provider's switches.

The servers used by telecom providers are not HIPAA / HITECH secure.  I have yet to see a telecom provider, wireless or landline, sign a business associate agreement with a healthcare provider.  I also believe that it is unlikely that any telecom provider will ever sign a business associate agreement because telecoms love to hide behind the fact that they are regulated by the Federal Communications Commission and are not beholden to any other rules or regulation.

The problem is the fact that SMS / TEXT messaging is so readily available.  Almost everyone who has a smart phone, cell phone, tablet, or any other device which is SMS equipped has SMS / TEXT messaging capability.

Because SMS / TEXT messaging is so easily used, via small and portable wireless devices, text messaging has the potential to be, and is perceived to be, an extremely valuable tool for healthcare.  In reality, it is.  From a security standpoint, it is not.

Unfortunately, and primarily because of this non-compliance with HIPAA / HITECH, SMS and TEXT messaging must be prohibited by healthcare providers at this time, and remain prohibited until the issues of PHI, data security, server security, network security and HIPAA / HITECH compliance are addressed.

The solution is not going to be implemented at the level of the wireless provider and telcos.

The good news is that there is a solution: the adoption of secure SMS and TEXT MESSAGING systems from third-party providers.  While this places an additional burden on healthcare providers, it is the only way to ensure that patient data is properly protected and secured as we move forward under HIPAA / HITECH.


================================================

Read all of ChicagoNetTech's security blogs at: http://networkbastion.blogspot.com/

If you have any questions, or are looking for hosted solutions, please feel free to contact me.
Copyright © 2012, Bruce Barnes, ChicagoNetTech Inc, All Rights Reserved

3 comments:

  1. This is good news, HIPAA is compliant is very useful for archiving.
  2. Wonderful blog & good post. It's really helpful for me, awaiting more new posts. Keep blogging!

    HIPAA Compliance
  3. This is a very good Android application for users, and this is the best one for business people...

    Ipad Applications development


    Android Development

    Ipad Applications development

    HIPPA Certified Software


Please keep all comments on topic and respect the poster of the original message.

Messages which attack a poster, contain profane language, are off topic, or are otherwise defamatory will be deleted from the blog.