Page 21 - Part 1 Navigating Electronic Media in a Healthcare Setting
SVMIC Navigating Electronic Media in a Healthcare Setting
Data transmitted beyond an organization’s internal firewall should be encrypted to make it inaccessible if it is intercepted in transit.

Standard short message service (SMS) and instant messaging (IM) text messages (the types commonly used by almost everyone today) often fail on all these counts. Senders of SMS and IM text messages have no control over the final destination of their messages. The messages could be sent to the wrong number, forwarded by the intended recipient or intercepted while in transit. These types of apps have no way to authenticate users, which is required by the Security Rule, and provide no mechanism to block unauthorized access.

There is no message accountability with SMS or IM text messages because anyone could pick up someone’s mobile device and use it to send a message – or indeed edit a received message before forwarding it. Notification settings on phones may allow the message to be displayed on the screen, making it viewable by others, and copies of SMS and IM messages may remain on service providers’ servers indefinitely. For these reasons (and many more), communicating PHI by standard, non-encrypted, non-monitored and non-controlled SMS or IM violates HIPAA.

Secure messaging solutions resolve texting issues by encapsulating PHI within a private communications network that can only be accessed by authorized users. Access is gained via secure messaging apps that function in the same way as commercially available messaging apps but with security mechanisms in place to prevent an accidental or malicious disclosure of PHI. Once logged into the app, authorized users