- Email: [email protected]
Hitech Novice
Legal Matters
John R. Clark, JD, MBA, NREMT-P, FP-C, CCP-C, CFC, CMTE
Hitech Novice Dear LM, My program uses smartphones for crew communication. Dispatch sends a text message via SMS at the start of a transport and then the phone is used for everything from voice calls for patient report and medical control to text messaging between crewmember about restocking or getting equipment from the aircraft or ambulance. Occasionally, the receiving physician will text a question or send an order about the patient to the crew’s phone. Usually this communication is on program supplied devices, but if you ask the right comm spec for a favor, I know that some team members have dispatch info sent to their personal phones as well. Is this kind of text messaging a HIPAA violation? I’m not going to lose my house over this. Signed, HITECH Novice (address withheld) According to a Forrester Research report,1 6 billion short message service (SMS) messages are sent every day in the United States, and over 2.2 trillion are sent a year. This number does not include text messages that are sent through other systems like iMessage, Kik, Snapchat, and so on. Of course, the majority of those are sent in a social context and do not include Health Insurance Portability and Accountability Act (HIPAA)-protected information; however, the texting culture and the supporting technology is a part of everyone’s day. The genesis for this article was a question about HIPAA compliance; however, a second issue that is beyond the privacy concerns of text messaging is that of crew safety. Clearly, instant access to information is a good thing in the fast-paced world of critical care transport; however, the distraction of having all of these data at our fingertips must be considered. A 2009 Virginia Tech study2 using real-time data collected from a video camera in over-the-road trucking found that a driver was 23 times more likely to be involved in a crash if texting. Another study from the University of Utah3 used data from college students texting while in a driving simulator and found that they were 8 times more likely to be involved in a crash. In each study, the average time the driver’s eyes were off the road was 5 seconds or enough time to travel the length of a football field at normal highway speeds. Recently, there has been an increased awareness about the risks of texting and driving, but the risk is not limited to the ground. In an August 2011 crash of an A-Star that killed 4 people, the National Transportation Safety Board also cited the distracting influence of 85 text messages the pilot exchanged with an off-duty coworker during the course of his work shift, some during critical preflight and flight operations.4 In 96
another incident in February 2013, a charter aircraft’s propeller hit ground lights at John F. Kennedy airport during taxi, damaging the aircraft (and the lights) and closing the taxiway for 2 hours. The pilot admitted that he had been distracted by his cell phone and had lost situational awareness.5 Similarly, the crew of an Airbus A320 forgot to lower the gear and had to abort a landing after the 13,0001-hour captain became distracted by incoming text messages on his mobile phone.6 The Australian Transport Safety Bureau report cited loss of “situational awareness,” leading to poor decision making and hampered communications. Although we need to be concerned about a HIPAA violation when an errant text about Uncle Bob’s cirrhosis creates a breach of patient privacy, it pales in comparison to the risk that text messaging poses to crew safety. The baseline is established with the HIPAA Security Rule, which establishes national standards designed to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (PHI).7 A recently published report in the American Journal of Public Health8 looked at whether text messages containing PHI would be permissible under the HIPAA Security Rule. Although the HIPAA Security Rule has some flexibility to allow for technological advances, the rule in its current form creates uncertainty about how to make text messaging policy decisions. Text messages must comply with HIPAA, and it is the sender’s responsibility to ensure that they do. In order to meet the intent of the rule, you are faced with 3 options for text messaging: (1) do not use it at all, (2) restrict use so that no PHI is transmitted, or (3) implement a system that meets the guidelines. The HIPAA Security Rule applies to PHI that is transmitted by “electronic media” used to exchange data that already exist in electronic form. Unlike the transmission of PHI via radio, telephone, or facsimile, text messaging involves data that exist in electronic form before transmission and therefore could qualify as “electronic media” that is specifically protected under the Security Rule. Because there is an operational efficiency to including PHI in text messages, not using text messages does not make sense. Therefore, to be in compliance with the Security Rule, covered entities must conduct a risk analysis looking for potential vulnerabilities to the confidentiality of electronic PHI and then implement strategies to eliminate those vulnerabilities. As far as the medical control physician sending “orders” via text messaging, the Joint Commission addresses this in the standards by stating that “it is not acceptable for physicians or Air Medical Journal 33:3
licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.”9 With that guidance and the other concerns addressed later about the security of text messages, I cannot recommend texting physician orders. The primary risk in text messaging is that PHI will be exposed to someone who should not have it. Much of the risk is outside of the covered entity’s control once the text message has been sent. A transposition of a single digit can mean that the message never reaches the intended recipient, and even when it is received properly, there is no guarantee that the message will be safeguarded by the recipient. The easiest step is to ensure that all devices have a passcode lock. But, if all that is set is a passcode, the device is still unencrypted; the passcode merely locks the screen and does not do anything to secure the files stored on the device. Encrypting the device secures the files when the device is at rest. Because the technology exists, the strength of a good security system must focus on educating users to the risks of text messaging and enforce the use of common sense approaches to keeping data on devices secure such as not allowing global logins and passcodes and remind users not to share their passwords with anyone. A 1-time discussion is usually not adequate, and the best approach requires regular training and frequent reminders about the need to use good security practices. Remember a single accidental SMS containing PHI could result in fines up to $50,000, and repeated violations can lead to $1.5 million in fines in a single year, not to mention the damage done to an organization’s reputation. To meet the requirements of the Security Rule, you must ensure that every mobile device is configured and locked down appropriately. Set a passcode for the device, the longer and less obvious the better. Use available technology that is installed on the device itself or a third-party program like Kapersky (Woburn, MA) or AVG (San Francisco, CA) that encrypts all of the data on the device. One of the strongest automatic encryption systems is Apple’s own encryption on the iPhone/iPad. Apple uses the Advanced Encryption Standard algorithm (AES), a data-scrambling system published in 1998 and adopted as a US government standard in 2001.10 Cryptographers believe that a truly random 256-bit AES key is unbreakable, and the National Security Agency approved AES-256 for storing top secret data. Even though the technology is robust, it still requires the human component of the system to use the passcode. Another important point that your question raises is the use of personal devices versus program devices. Depending on how your dispatch paging system works and what information is contained in the text message, it should be directed only to devices that the program has control over. I would strongly discourage sending PHI to personal mobile devices. May–June 2014
In reality, there is never a guarantee that a message is secure. First, just human error alone will route a message intended for 1 person to accidentally end up going to another. Between the send and receiving, you cannot guarantee that the wireless provider is not reading and/or archiving the message, that a government is not intercepting them for antiterrorism purposes, or that a hacker isn’t intercepting them just for the challenge of doing so. And after a message is received, there is no guarantee that the message won’t be forwarded or archived for malicious purposes or that the device is lost and that alone creates a PHI breach. Unfortunately, there cannot be an expectation of privacy with any text message. This doesn’t completely eliminate all text messaging solutions. The Joint Commission established Administrative Simplification provisions for developing secure communication systems. Under the Administrative Simplification guidelines, the following 4 major areas are critical to compliance: 1. Secure data centers. HIPAA requires these centers to have a high level of physical security as well as policies for reviewing controls and conducting risk assessment on an ongoing basis. 2. Encryption of data both in transit and at rest. 3. Recipient authentication that allows the sender to know if, when, and to whom a message has been delivered. 4. Audit controls with the ability to create and record an audit trail of all activity that contains PHI that includes the ability to archive messages and information the messages, retrieve that information quickly, and monitor the system. To mitigate your risk when using text messages that contain HPI, first limit the number people authorized to use text messaging and provide frequent training. Use policies and procedures about PHI in general and make sure that concepts like the Minimum Necessary Rule are understood. On all devices, implement password protection and encryption and have policies regarding retired device sanitization, message retention schedules, and message format and style conventions. Use passwords that are 10 digits and not obvious, and certainly do not attach a label to the device with the password or even a reminder. Finally, document all phases of decision making regarding text messaging, including the decision to adopt alternative equivalent protections under the Security Rule. Text messaging is allowable but with the caveats that were addressed previously. The weak link in the chain is the people who are sending and receiving these messages, not the technology.
References 1. Forrester Research Mobile Media Application Spending Forecast, 2012 To 2017 (US). http://blogs.forrester.com/michael_ogrady/12-06-19-sms_usage_remains_strong_ in_the_us_6_billion_sms_messages_are_sent_each_day. Accessed January 15, 2014. 2. Fitch GA, Soccolich SA, Guo F, et al. The impact of hand-held and hands-free cell phone use on driving performance and safety-critical event risk (report no. DOT HS 811 757). Washington, DC: National Highway Traffic Safety Administration; 2013. 3. Drews FA, Yazdani H, Godfrey C, et al. Text messaging during simulated driving. Hum Factors. 2009;51:762-770.
97
4. Crash following loss of engine power due to fuel exhaustion, air methods corporation Eurocopter AS350 B2, N352LN. NTSB Number: AAR-13-02, NTIS Number: PB2013-104866, Adopted April 9, 2013. http://www.ntsb.gov/investigations/ summary/AAR1302.html Accessed January 15, 2014. 5. Pilot Taxiing at JFK Strikes Lights While on Cell Phone. http://www.nycaviation. com/2013/02/pilot-taxiing-aircraft-at-jfk-strikes-lights-while-on-cell-phone/#. Uu5CVz1dXar. Accessed January 15, 2014. 6. Jetstar pilots ‘forgot to lower wheels’ due to mobile phone. http://www.smh. com.au/travel/travel-incidents/jetstar-pilots-forgot-to-lower-wheels-due-to-mobilephone-20120419-1x9ed.html#ixzz2sAacW6k8. Accessed January 15, 2014. 7. 45 CFR Part 160 and Subparts A and C of Part 164. http://www.gpo.gov/fdsys/ pkg/CFR-2007-title45-vol1/content-detail.html. Accessed January 17, 2014. 8. Karasz HN, Eiden A, Bogan A. Text messaging to communicate with public health audiences: how the HIPAA Security Rule affects practice. Am J Public Health. 2013;103:617-622. 9. Record of Care, Treatment, and Services (CAMH / Hospitals). http://www. jointcommission.org/standards_information/jcfaqdetails.aspx?StandardsFAQId540 1&StandardsFAQChapterId579. Accessed January 31, 2014. 10. Apple iOS Security Guide. https://www.apple.com/iphone/business/docs/iOS_ Security_Oct12.pdf. Accessed January 31, 2014.
98
John R. Clark, JD, MBA, NREMT-P, FP-C, CCP-C, CFC, CMTE, is a member of the board of directors for the Board for Critical Care Transport Paramedic Certification (BCCTPC) and legal advisor and member of the board of directors for the International Association of Flight and Critical Care Paramedics (IAFCCP). He is the Program Manager for Critical Care Transport at St. Vincent Hospital in Indianapolis, IN. Editor’s Note: While the information in this article deals with legal issues, it does not constitute legal advice. If you have specific questions related to this topic, you are encouraged to consult an attorney who can investigate the particular circumstances of your individual situation. If you have an issue you would like to see addressed in a future issue of AMJ, please contact the author at [email protected] to suggest a topic. 1067-991X/$36.00 Copyright 2014 Air Medical Journal Associates http://dx.doi.org/10.1016/j.amj.2014.02.001
Air Medical Journal 33:3
John R. Clark, JD, MBA, NREMT-P, FP-C, CCP-C, CFC, CMTE
Hitech Novice Dear LM, My program uses smartphones for crew communication. Dispatch sends a text message via SMS at the start of a transport and then the phone is used for everything from voice calls for patient report and medical control to text messaging between crewmember about restocking or getting equipment from the aircraft or ambulance. Occasionally, the receiving physician will text a question or send an order about the patient to the crew’s phone. Usually this communication is on program supplied devices, but if you ask the right comm spec for a favor, I know that some team members have dispatch info sent to their personal phones as well. Is this kind of text messaging a HIPAA violation? I’m not going to lose my house over this. Signed, HITECH Novice (address withheld) According to a Forrester Research report,1 6 billion short message service (SMS) messages are sent every day in the United States, and over 2.2 trillion are sent a year. This number does not include text messages that are sent through other systems like iMessage, Kik, Snapchat, and so on. Of course, the majority of those are sent in a social context and do not include Health Insurance Portability and Accountability Act (HIPAA)-protected information; however, the texting culture and the supporting technology is a part of everyone’s day. The genesis for this article was a question about HIPAA compliance; however, a second issue that is beyond the privacy concerns of text messaging is that of crew safety. Clearly, instant access to information is a good thing in the fast-paced world of critical care transport; however, the distraction of having all of these data at our fingertips must be considered. A 2009 Virginia Tech study2 using real-time data collected from a video camera in over-the-road trucking found that a driver was 23 times more likely to be involved in a crash if texting. Another study from the University of Utah3 used data from college students texting while in a driving simulator and found that they were 8 times more likely to be involved in a crash. In each study, the average time the driver’s eyes were off the road was 5 seconds or enough time to travel the length of a football field at normal highway speeds. Recently, there has been an increased awareness about the risks of texting and driving, but the risk is not limited to the ground. In an August 2011 crash of an A-Star that killed 4 people, the National Transportation Safety Board also cited the distracting influence of 85 text messages the pilot exchanged with an off-duty coworker during the course of his work shift, some during critical preflight and flight operations.4 In 96
another incident in February 2013, a charter aircraft’s propeller hit ground lights at John F. Kennedy airport during taxi, damaging the aircraft (and the lights) and closing the taxiway for 2 hours. The pilot admitted that he had been distracted by his cell phone and had lost situational awareness.5 Similarly, the crew of an Airbus A320 forgot to lower the gear and had to abort a landing after the 13,0001-hour captain became distracted by incoming text messages on his mobile phone.6 The Australian Transport Safety Bureau report cited loss of “situational awareness,” leading to poor decision making and hampered communications. Although we need to be concerned about a HIPAA violation when an errant text about Uncle Bob’s cirrhosis creates a breach of patient privacy, it pales in comparison to the risk that text messaging poses to crew safety. The baseline is established with the HIPAA Security Rule, which establishes national standards designed to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (PHI).7 A recently published report in the American Journal of Public Health8 looked at whether text messages containing PHI would be permissible under the HIPAA Security Rule. Although the HIPAA Security Rule has some flexibility to allow for technological advances, the rule in its current form creates uncertainty about how to make text messaging policy decisions. Text messages must comply with HIPAA, and it is the sender’s responsibility to ensure that they do. In order to meet the intent of the rule, you are faced with 3 options for text messaging: (1) do not use it at all, (2) restrict use so that no PHI is transmitted, or (3) implement a system that meets the guidelines. The HIPAA Security Rule applies to PHI that is transmitted by “electronic media” used to exchange data that already exist in electronic form. Unlike the transmission of PHI via radio, telephone, or facsimile, text messaging involves data that exist in electronic form before transmission and therefore could qualify as “electronic media” that is specifically protected under the Security Rule. Because there is an operational efficiency to including PHI in text messages, not using text messages does not make sense. Therefore, to be in compliance with the Security Rule, covered entities must conduct a risk analysis looking for potential vulnerabilities to the confidentiality of electronic PHI and then implement strategies to eliminate those vulnerabilities. As far as the medical control physician sending “orders” via text messaging, the Joint Commission addresses this in the standards by stating that “it is not acceptable for physicians or Air Medical Journal 33:3
licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.”9 With that guidance and the other concerns addressed later about the security of text messages, I cannot recommend texting physician orders. The primary risk in text messaging is that PHI will be exposed to someone who should not have it. Much of the risk is outside of the covered entity’s control once the text message has been sent. A transposition of a single digit can mean that the message never reaches the intended recipient, and even when it is received properly, there is no guarantee that the message will be safeguarded by the recipient. The easiest step is to ensure that all devices have a passcode lock. But, if all that is set is a passcode, the device is still unencrypted; the passcode merely locks the screen and does not do anything to secure the files stored on the device. Encrypting the device secures the files when the device is at rest. Because the technology exists, the strength of a good security system must focus on educating users to the risks of text messaging and enforce the use of common sense approaches to keeping data on devices secure such as not allowing global logins and passcodes and remind users not to share their passwords with anyone. A 1-time discussion is usually not adequate, and the best approach requires regular training and frequent reminders about the need to use good security practices. Remember a single accidental SMS containing PHI could result in fines up to $50,000, and repeated violations can lead to $1.5 million in fines in a single year, not to mention the damage done to an organization’s reputation. To meet the requirements of the Security Rule, you must ensure that every mobile device is configured and locked down appropriately. Set a passcode for the device, the longer and less obvious the better. Use available technology that is installed on the device itself or a third-party program like Kapersky (Woburn, MA) or AVG (San Francisco, CA) that encrypts all of the data on the device. One of the strongest automatic encryption systems is Apple’s own encryption on the iPhone/iPad. Apple uses the Advanced Encryption Standard algorithm (AES), a data-scrambling system published in 1998 and adopted as a US government standard in 2001.10 Cryptographers believe that a truly random 256-bit AES key is unbreakable, and the National Security Agency approved AES-256 for storing top secret data. Even though the technology is robust, it still requires the human component of the system to use the passcode. Another important point that your question raises is the use of personal devices versus program devices. Depending on how your dispatch paging system works and what information is contained in the text message, it should be directed only to devices that the program has control over. I would strongly discourage sending PHI to personal mobile devices. May–June 2014
In reality, there is never a guarantee that a message is secure. First, just human error alone will route a message intended for 1 person to accidentally end up going to another. Between the send and receiving, you cannot guarantee that the wireless provider is not reading and/or archiving the message, that a government is not intercepting them for antiterrorism purposes, or that a hacker isn’t intercepting them just for the challenge of doing so. And after a message is received, there is no guarantee that the message won’t be forwarded or archived for malicious purposes or that the device is lost and that alone creates a PHI breach. Unfortunately, there cannot be an expectation of privacy with any text message. This doesn’t completely eliminate all text messaging solutions. The Joint Commission established Administrative Simplification provisions for developing secure communication systems. Under the Administrative Simplification guidelines, the following 4 major areas are critical to compliance: 1. Secure data centers. HIPAA requires these centers to have a high level of physical security as well as policies for reviewing controls and conducting risk assessment on an ongoing basis. 2. Encryption of data both in transit and at rest. 3. Recipient authentication that allows the sender to know if, when, and to whom a message has been delivered. 4. Audit controls with the ability to create and record an audit trail of all activity that contains PHI that includes the ability to archive messages and information the messages, retrieve that information quickly, and monitor the system. To mitigate your risk when using text messages that contain HPI, first limit the number people authorized to use text messaging and provide frequent training. Use policies and procedures about PHI in general and make sure that concepts like the Minimum Necessary Rule are understood. On all devices, implement password protection and encryption and have policies regarding retired device sanitization, message retention schedules, and message format and style conventions. Use passwords that are 10 digits and not obvious, and certainly do not attach a label to the device with the password or even a reminder. Finally, document all phases of decision making regarding text messaging, including the decision to adopt alternative equivalent protections under the Security Rule. Text messaging is allowable but with the caveats that were addressed previously. The weak link in the chain is the people who are sending and receiving these messages, not the technology.
References 1. Forrester Research Mobile Media Application Spending Forecast, 2012 To 2017 (US). http://blogs.forrester.com/michael_ogrady/12-06-19-sms_usage_remains_strong_ in_the_us_6_billion_sms_messages_are_sent_each_day. Accessed January 15, 2014. 2. Fitch GA, Soccolich SA, Guo F, et al. The impact of hand-held and hands-free cell phone use on driving performance and safety-critical event risk (report no. DOT HS 811 757). Washington, DC: National Highway Traffic Safety Administration; 2013. 3. Drews FA, Yazdani H, Godfrey C, et al. Text messaging during simulated driving. Hum Factors. 2009;51:762-770.
97
4. Crash following loss of engine power due to fuel exhaustion, air methods corporation Eurocopter AS350 B2, N352LN. NTSB Number: AAR-13-02, NTIS Number: PB2013-104866, Adopted April 9, 2013. http://www.ntsb.gov/investigations/ summary/AAR1302.html Accessed January 15, 2014. 5. Pilot Taxiing at JFK Strikes Lights While on Cell Phone. http://www.nycaviation. com/2013/02/pilot-taxiing-aircraft-at-jfk-strikes-lights-while-on-cell-phone/#. Uu5CVz1dXar. Accessed January 15, 2014. 6. Jetstar pilots ‘forgot to lower wheels’ due to mobile phone. http://www.smh. com.au/travel/travel-incidents/jetstar-pilots-forgot-to-lower-wheels-due-to-mobilephone-20120419-1x9ed.html#ixzz2sAacW6k8. Accessed January 15, 2014. 7. 45 CFR Part 160 and Subparts A and C of Part 164. http://www.gpo.gov/fdsys/ pkg/CFR-2007-title45-vol1/content-detail.html. Accessed January 17, 2014. 8. Karasz HN, Eiden A, Bogan A. Text messaging to communicate with public health audiences: how the HIPAA Security Rule affects practice. Am J Public Health. 2013;103:617-622. 9. Record of Care, Treatment, and Services (CAMH / Hospitals). http://www. jointcommission.org/standards_information/jcfaqdetails.aspx?StandardsFAQId540 1&StandardsFAQChapterId579. Accessed January 31, 2014. 10. Apple iOS Security Guide. https://www.apple.com/iphone/business/docs/iOS_ Security_Oct12.pdf. Accessed January 31, 2014.
98
John R. Clark, JD, MBA, NREMT-P, FP-C, CCP-C, CFC, CMTE, is a member of the board of directors for the Board for Critical Care Transport Paramedic Certification (BCCTPC) and legal advisor and member of the board of directors for the International Association of Flight and Critical Care Paramedics (IAFCCP). He is the Program Manager for Critical Care Transport at St. Vincent Hospital in Indianapolis, IN. Editor’s Note: While the information in this article deals with legal issues, it does not constitute legal advice. If you have specific questions related to this topic, you are encouraged to consult an attorney who can investigate the particular circumstances of your individual situation. If you have an issue you would like to see addressed in a future issue of AMJ, please contact the author at [email protected] to suggest a topic. 1067-991X/$36.00 Copyright 2014 Air Medical Journal Associates http://dx.doi.org/10.1016/j.amj.2014.02.001
Air Medical Journal 33:3