At long last, a positive response from The Joint Commission on Secure Texting!
On May 17th, 2015, we published a blog post, "To Text or Not to Text? Zipit's Response." In it, we called on The Joint Commission to revisit its position on the use of secure messaging platforms for healthcare and to develop standards that would safely enable physicians to use secure messaging solutions in order to improve patient care. Eighteen days shy of the 1-year anniversary of our call to revisit the issue, The Joint Commission has revised its position on the use of secure texting and has approved the use of secure text messaging platforms "for all accreditation programs."
We applaud The Joint Commission for changing its position and for highlighting key requirements that should be met in order for a secure messaging solution to be considered viable for use in texting orders on patient care, treatment or services. Of course, Zipit has had these requirements in place for years, as well as other features we feel are critical in protecting patients and physicians.
In the May issue of the Joint Commission Perspectives periodical, The Joint Commission allowed the use of secure messaging solutions provided that the text messaging platform being implemented meets the following requirements:
- Secure sign-on process
- Encrypted messaging
- Delivery and read receipts
- Date and time stamp
- Customized message retention time frames
- Specific contact list for individuals authorized to receive and record orders
The update is effective immediately and enables physicians to text orders provided that all professional standards of practice, law and regulation, and policies and procedures are observed and followed.
The decision to use secure texting for specific orders is something that many healthcare organizations have struggled with, even if they have been using a secure messaging platform, due to the vagueness of the regulations in place. For orders in particular, many covered entities still have policies in place for voice confirmation, which poses the risk of being misinterpreted, rather than using secure messaging, where the order is recorded and clear in the first place. In this case, The Joint Commission is leading the charge to improve healthcare practices.
The Joint Commission's update also stated that their staff was currently assessing the need to further delineate the expectations for secure messaging platforms as well as policies and procedures for texted orders within the accreditation standards. We look forward to working with The Joint Commission and the Department of Health and Human Services in this regard. Given our experience in providing HIPAA-compliant and critical communication services to healthcare customers since early 2011, we believe we know a thing or two about these topics.
In the interim, The Joint Commission recommends that healthcare organizations observe the following:
- Develop an attestation documenting the capabilities of the secure text messaging platform
- Define when text orders are or are not appropriate
- Monitor how frequently texting is used for orders
- Assess compliance with texting policies and procedures
- Develop a risk management strategy and perform a risk assessment
- Conduct training for staff, licensed independent practitioners, and other practitioners on applicable policies and procedures
We believe that there are other items that need to be added to this list and will continue to work with our respective contacts at The Joint Commission and other organizations to make sure that this guidance is complete and all ambiguity is removed for the benefit of all parties.
Here is a preview of what we believe must be added to the official requirements:
- Secure messaging platforms must have the ability to remotely lock and wipe devices containing PHI, as documented in DHHS standards
- Organizations should require all communication to be logged in a secure environment for later recall by the organization. Even if the data is removed from the device, it still needs to be kept as part of official records per official mandates.
- A clear mandate should be made that all secure messaging platform providers abide by the Business Associate Agreement as spelled out by the HIPAA regulations. If a company stands by its technology, then it should also be ready to commit to that in writing as part of a BAA. Hiding behind the "transport only" excuse is just that: an excuse to avoid the responsibility that companies like Zipit take seriously.
- Clear guidelines on when standard secure texting should be used and, alternatively, when secure critical messaging should be used. (Not all messages are equal in urgency.)
Finally, it is generally understood that many healthcare organizations have taken the initiative to deploy secure messaging solutions to replace unsecure communication methods like carrier-based texting and legacy paging devices. If the requirements for secure messaging are to be taken seriously, then it is time to finally address unsecure devices like pagers. Sure, they are cheap, and it may be argued that they can be used in certain applications that do not have any risk of containing PHI, but more often they are used by people who could benefit from directly communicating PHI to improve productivity. In these cases, they should not be used and should be forced to follow the same rules as smartphones (which are even more secure than pagers).
After all, the DHHS requirements on mobile devices should apply to all of them - including pagers. Additional requirements, recommendations, and guidance regarding the use of mobile devices from DHHS can be found here.
We believe this to be a very important topic and will share additional perspectives in future blog posts.
For reference, a recent and timely article by Jean Wendlend Porter, entitled "HIPAA and eHealth: Avoiding Problems," has a great summary of the definition of PHI as well as some very sensible suggestions.
Again, we applaud The Joint Commission on this major step and look forward to working with them on these initiatives.