Practice Tips

Mobile Devices

When employees use mobile devices to access patient information

The widespread use of mobile devices in healthcare offers fast and convenient access to patient information, but it also poses significant security risks to protected health information (PHI). Organizations must ensure that PHI remains secure and that regulatory guidance is followed. The Centers for Medicare and Medicaid Services (CMS) and The Joint Commission now permit texting of patient orders when an appropriately configured secure texting platform is used, which underscores the need for robust security measures on every device that handles PHI.

Conduct a Risk Assessment

Evaluate the use of mobile devices within your organization to identify how PHI is accessed and transmitted. Determine whether your electronic health record (EHR) has messaging capabilities and what security measures are in place. Analyze what types of patient information are currently being communicated on mobile devices, and check whether any of it should have been entered into the legal medical record but was not.

HIPAA Compliance

When accessing and sharing PHI via mobile devices, physicians and staff members are obligated to safeguard patient information. Implement and enforce policies to protect PHI when accessed via mobile devices, ensuring all practices meet HIPAA standards.

Device Management

Determine if your organization will provide physicians and staff with devices or if the organization will permit personal devices to access and transmit PHI. Each option has advantages and disadvantages and will require policies and procedures to ensure proper handling of protected health information.

  • Organization-Owned Devices: Providing physicians and staff with devices that carry secure messaging software can be expensive, but this option gives the organization the most control and keeps PHI on platforms it has vetted and configured. Issue devices with full-disk encryption enabled and enrolled in the organization's device management, backed by strict usage policies and signed user agreements.
  • Bring Your Own Device (BYOD): Allowing staff to use their personal devices is a less expensive option but increases the risk of unauthorized access to PHI and of data breaches. If personal devices are permitted, require additional controls to offset that risk, for example enrolling the device in mobile device management and keeping PHI inside a managed, containerized application rather than the device's native messaging app, so that work data can be wiped without touching personal data.

Policy Development

Keeping policies and procedures current, and consistent with federal and state statutes and all regulatory requirements, is crucial to avoiding HIPAA and documentation risk. Create comprehensive policies addressing:

  • Secure Messaging Platforms: Use encrypted platforms for all PHI communications that are integrated with the EHR system. If your EHR did not originally offer a secure messaging platform, check back with your vendor to see what is available now.
  • Texting Practices: Ensure all patient and staff communications occur over secure platforms, and prohibit the use of personal messaging systems. If your system does not immediately transmit texts to the legal medical record, set standards for what kind of information may be communicated outside the EHR.
  • Texting Orders: Computerized provider order entry (CPOE) is the safest and preferred method for communicating patient orders. However, CMS and The Joint Commission now allow texting of patient orders if an appropriately configured secure texting platform flows directly into the EHR. If using this option, ensure compliance with all regulatory requirements.
  • Security Measures: Implement standard device controls such as automatic screen locking after a short period of inactivity, a strong passcode (or biometric unlock backed by a strong passcode), encrypted storage, and remote wipe capability for lost or stolen devices. Verify that each control is actually enforced on the device, not just written into the policy.
  • Usage Protocols: Prohibit shorthand or abbreviations in texts, require reporting of inappropriate use, and restrict the use of personal devices for clinical images.

Additional Security Practices

Additional practices that help keep PHI secure and reduce the risk of patient safety events include:

  • Immediate Reporting: Require staff to report lost or stolen devices immediately, and remotely wipe the device as soon as the report is received.
  • Employment Termination: Remove network and application access from personal devices, and unenroll or recover organization-owned devices, upon employment termination.
  • Discoverability and Retention: Text messages on personal and work-designated devices are discoverable during litigation. Remind staff not to text anything that would not be appropriate for documentation in a patient's medical record. If a situation requires urgent communications, request an immediate call from the recipient of the text. Align text message retention policies with medical record retention standards.
  • Digital Distractions: Staff members may be tempted to answer calls, read personal text messages, or check their social media accounts on their personal mobile devices while on duty, which can distract them from their work and lead to medical errors. Limit personal use of mobile devices to reduce distractions and potential medical errors.
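The device controls and off-boarding steps above are only as good as the check that they are actually in force. The following added example, which is not part of the original practice tip, shows how an organization might audit an exported device inventory against those rules: passcode and auto-lock thresholds, encryption, remote-wipe enrollment, lost devices that were never wiped, and devices whose owner has been terminated but still appears in the inventory. The record fields, the thresholds, the device list and the HR roster are all constructed for illustration; a real mobile device management (MDM) export will use different field names.

```python
"""Audit a device inventory against mobile device policy and an HR roster.

Added example, not code from the original practice tip. All record fields,
thresholds, sample devices and roster entries are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed policy thresholds; adjust to your organization's written policy.
MAX_LOCK_TIMEOUT_S = 300   # device must auto-lock within 5 minutes of inactivity
MIN_PASSCODE_LENGTH = 6    # minimum passcode length


@dataclass(frozen=True)
class Device:
    """One row of a (constructed) MDM inventory export."""
    device_id: str
    owner: str                  # user ID as it appears on the HR roster
    ownership: str              # "corporate" or "byod"
    lock_timeout_s: int         # 0 means auto-lock is disabled
    passcode_length: int        # 0 means no passcode is set
    encrypted: bool             # storage encryption enabled
    remote_wipe_enrolled: bool  # device can be wiped remotely
    reported_lost: bool         # staff have reported the device lost/stolen
    wiped: bool                 # a remote wipe has completed


def evaluate(device: Device, active_users: set[str], terminated_users: set[str]) -> list[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings: list[str] = []
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append("weak or missing passcode")
    if device.lock_timeout_s == 0 or device.lock_timeout_s > MAX_LOCK_TIMEOUT_S:
        findings.append("auto-lock disabled or too slow")
    if not device.encrypted:
        findings.append("storage not encrypted")
    if not device.remote_wipe_enrolled:
        findings.append("not enrolled for remote wipe")
    if device.reported_lost and not device.wiped:
        findings.append("reported lost but not wiped")
    # Off-boarding check: a terminated owner must lose access regardless of
    # ownership model; an owner missing from the roster entirely needs review.
    if device.owner in terminated_users:
        findings.append("owner terminated; revoke access and unenroll")
    elif device.owner not in active_users:
        findings.append("owner not on HR roster")
    return findings


def audit(devices: list[Device], active_users: set[str], terminated_users: set[str]) -> dict[str, list[str]]:
    """Map device_id -> findings for every device that has at least one finding."""
    report: dict[str, list[str]] = {}
    for device in devices:
        findings = evaluate(device, active_users, terminated_users)
        if findings:
            report[device.device_id] = findings
    return report


# Constructed sample inventory and roster (not real data).
SAMPLE_DEVICES = [
    Device("D-001", "jsmith", "corporate", 120, 6, True, True, False, False),
    Device("D-002", "alee", "byod", 0, 4, True, False, False, False),
    Device("D-003", "mchen", "corporate", 300, 8, True, True, True, False),
    Device("D-004", "rpatel", "byod", 60, 8, True, True, False, False),
]
ACTIVE_USERS = {"jsmith", "alee", "mchen"}
TERMINATED_USERS = {"rpatel"}

if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_DEVICES, ACTIVE_USERS, TERMINATED_USERS).items():
        print(device_id, "->", "; ".join(findings))
```

Running the script on the constructed data flags D-002 (no auto-lock, short passcode, no remote wipe), D-003 (reported lost but not yet wiped) and D-004 (owner terminated but device still enrolled), while D-001 passes. The terminated-user check is the one most often missed in practice: comparing the MDM inventory against the HR roster on a schedule turns the "Employment Termination" bullet above into a repeatable control rather than a one-time task.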

Infection Control

Educate staff on infection risks associated with mobile devices and enforce proper hand hygiene practices. Consider policies restricting mobile devices in procedural rooms.

Training

Incorporate mobile device policies into HIPAA and security training, emphasizing protection against malware and phishing attempts and the obligation to report a lost device or a suspected compromise immediately.

For more information, please see our associated practice tips:
Medical Records: Protecting Patient Confidentiality
Complete Medical Records: Your Best Defense
Medical Record Retention Recommendations for Physician Office Practices and Hospitals

Resources

CMS. (2024, February 8). Texting of Patient Information and Orders for Hospitals and CAHs. Department of Health & Human Services.

ECRI. (2023). Effective Communication among Healthcare Providers. ECRI Health System Risk Management Guidance.

ECRI. (2018). Personal Electronic Devices in Healthcare. ECRI Health System Risk Management Guidance.

HealthIT.gov. (2019). You, Your Organization, and Your Mobile Device. The Office of the National Coordinator for Health Information Technology (ONC). https://www.healthit.gov/topic/privacy-security-and-hipaa/you-your-organization-and-your-mobile-device

The HIPAA Journal. (2024, February 24). Is Texting in Violation of HIPAA? https://www.hipaajournal.com/texting-violation-hipaa/

The Joint Commission. (2024, June 5). Use of Secure Text Messaging for Patient Information and Orders. The Joint Commission.