In a move that was welcomed by many healthcare professionals used to texting as a routine part of their lives, The Joint Commission recently rescinded its five-year ban on the texting of orders. Some caution is still necessary, however.
TJC now permits licensed practitioners to text orders through a secure text messaging platform, but hospitals may have to do some research and shopping around to find the texting platform that meets the TJC requirements. Hospitals must implement a secure messaging platform that includes a secure sign-on process, encrypted messaging, delivery and read receipts, date and time stamp, customized message retention time frames, and a specified contact list for individuals authorized to receive and record orders, TJC said in its announcement. (The announcement is available online at http://bit.ly/1VXYIV7.)
Hospitals also must specify how text orders will be documented in a patient’s electronic health record. In addition, TJC suggests hospitals take these steps if they are going to allow texting:
- Develop an attestation documenting the capabilities of their secure text messaging platform.
- Define when text orders are or are not appropriate.
- Monitor how frequently texting is used for orders.
- Assess compliance with texting policies and procedures.
- Develop a risk-management strategy and perform a risk assessment.
- Conduct training for staff, licensed independent practitioners, and other practitioners on applicable policies and procedures.
Text ordering was formally prohibited by TJC in 2011, the statement noted, because the organization was concerned about the use of unsecure text messaging. It also was concerned that texting applications were unable to verify the identity of the person sending the text or to retain the original message as validation of the information entered into the medical record, TJC explained in the announcement.
TJC is not in a position to approve or disapprove any particular messaging system, notes Allen Briskin, JD, senior counsel with the law firm of Pillsbury Winthrop Shaw Pittman in Los Angeles. That means the hospital is obligated to ensure and document that the secure messaging system fits into its overall privacy and security compliance program, Briskin says. Even with TJC’s blessing, it is not enough to announce that texting orders is now allowed at the hospital, and even specifying what messaging system to use still doesn’t fulfill the hospital’s obligations, he says.
Hospitals will have to analyze whether text orders can be incorporated in such a way that they comply with the institution’s existing policies and procedures, Briskin says.
“One of the biggest problems with security in any organization is that individual activities or technologies aren’t adequately integrated into the whole,” he explains. “No one adequately analyzes how one piece fits into the larger whole, and your ability to manage the whole. That can lead to problems from the wrong people using the system, people using the system incorrectly, or doing something that inadvertently opens a security breach.”
Choosing the platform, or platforms, for text messaging will be one of the first challenges, Briskin notes. The hospital should investigate potential messaging platforms and devices, and Briskin emphasizes that the process must be thoroughly documented. If any compliance or legal challenges occur later, the hospital must be able to show that it conducted due diligence in determining what systems were most appropriate and secure. That will be particularly important if there is an allegation that the hospital failed to comply with HIPAA.
“The difference between a security breach and a HIPAA violation is being able to produce documentation showing that your conduct was reasonable leading up to the incident, and that the breach was not the result of your failure to perform your duty,” Briskin explains.
Personal Devices Pose Challenges
Advances in secure texting technology led to the policy change, but TJC did not specify whether personally owned devices, such as smartphones and tablets, can or should be used for texting orders. That is likely to be a thorny issue for hospitals, Briskin says, because the natural inclination will be for clinicians to use the smartphones and tablets that they already use for personal texting. That is not necessarily a good idea, he says.
If personal devices are allowed, they still will have to use the text messaging platforms that the hospital approved, Briskin notes. It is unlikely that a hospital will conduct its due diligence on text messaging platforms and allow clinicians to use the most commonly available apps, he says, because they are not designed to provide the kind of security that is necessary for text ordering.
In addition, clinicians may be unwilling to use their own devices once the hospital explains what it requires for that privilege, Briskin says. If a device is used to store or transmit protected health information (PHI), the hospital must have the ability to access that device remotely and erase all data on it in the event it is lost or stolen, he says. That is a common security feature applied to employer-issued laptops, smartphones, and tablets, but clinicians may balk at the idea of allowing that kind of access and control of their personal devices, Briskin says.
“You can use your personal device to access our information assets, but you’re consenting to the installation of technology through which we can wipe your device if you need to,” Briskin says. “That may sound reasonable to the individual at first, thinking you’re not going to lose your phone and understanding why the PHI has to be wiped. But then they’re going to think about how much control of their personal devices and data they’re giving to their employer and may not like that at all.”
PHI on Device Creates Risk
People typically have so much data on their devices, some of a personal nature and some simply resources like music and photos, that the idea of allowing their employers to access the device will seem intrusive, Briskin says. Even clinicians who are not bothered by the employer having access may think twice before consenting to a remote wipe of the device if it is lost, he notes. Not everyone backs up their devices regularly, and losing all your tunes and pictures would be no small matter.
Once those risks are understood by clinicians, there likely will be much less interest in using their own devices, Briskin says. The use of personal devices, and the access that it gives the employer, also will be more problematic with a unionized workforce.
The hospital also could take on potential liability by having access to the user’s personal information, Briskin says. If the employer has access to any data on the device that could be considered PHI, it is reasonable to conclude that the hospital is obligated to protect that PHI just as it does a patient’s PHI, he says. HIPAA does not require that the PHI be obtained in the course of providing healthcare services, so the data on a clinician’s phone could qualify. State laws also could obligate the employer to protect other, non-PHI information on the device, Briskin notes.
“I think the urge for convenience will lead to employers trying to figure out ways to let people use their personal devices. That desire to use your own phone and not carry around a second device will be very strong,” Briskin says. “The second wave will be switching to a separate device after both the employer and employees realize the obligations and potential risks of using a personal device for this kind of data.”
- Allen Briskin, JD, Senior Counsel, Pillsbury Winthrop Shaw Pittman, Los Angeles. Telephone: (213) 488-7167.