Is texting of pictures HIPAA compliant?
-
@scottalanmiller said in Is texting of pictures HIPAA compliant?:
@Grey said in Is texting of pictures HIPAA compliant?:
Part of the rules there allow a business to make decisions which may be insecure in order to allow business to continue, but those processes must be fixed once identified.
Hence no teeth. Claim any level of incompetence or convenience and bypass any rule.
This is why HIPAA is a removal of security, not an addition of it. Without HIPAA guidelines, companies aren't allowed to prioritize business over patient data. HIPAA is meant to protect the exposure of data, not prevent it. It makes it harder to sue civily over a blatant exposure of data.
-
Have the users install Signal.
https://www.signal.org/ -
@Pete-S said in Is texting of pictures HIPAA compliant?:
Have the users install Signal.
https://www.signal.org/Installing an app seems like way, way more work than just sending a picture via email. If the easiest thing is too hard, something harder is impossible.
-
@scottalanmiller Scott, I know it doesn't seem like a big difference ease of use re:email/texting, but to some of the people we serve, it really is. They may not even have an email address to start with and walking them through how to sign up for one, attach files, etc is a lot harder for them than just going to their text messages and putting in a phone number. I feel the same way, but it is a reality of the population we serve.
We do have a 3rd party email filtering service that allows us to send encrypted emails (Zix) and my thinking was that probably our process should be that we send the client an email through that and then they can upload their documents and send it back to us through Zix. This requires the client to have an email though and for them to register for Zix when they first click the link we send them. Again, this doesn't sound like a lot, but given the population we serve, it can literally take an hour to walk someone through how to do this if they get it done at all.
Texting photos of their stuff really is the easiest option for them, but I didn't think this was secure enough and was looking to see if I was correct. I tend to err on the side of being super secure if possible, but I don't want to put false limitations on us if they are not needed and interfere with helping people.
-
@scottalanmiller Yup exactly. Trying to get the client to install a separate app on their phone would be quite the challenge haha.
-
@beta said in Is texting of pictures HIPAA compliant?:
@scottalanmiller Yup exactly. Trying to get the client to install a separate app on their phone would be quite the challenge haha.
I figure neither of you have used the Signal app and don't know anything about it. Your loss.
-
@scottalanmiller said in Is texting of pictures HIPAA compliant?:
@Grey said in Is texting of pictures HIPAA compliant?:
Part of the rules there allow a business to make decisions which may be insecure in order to allow business to continue, but those processes must be fixed once identified.
Hence no teeth. Claim any level of incompetence or convenience and bypass any rule.
Bypassing the rules intentionally can still get you fined. Incompetence, as a defense, can only go so far. For example, systems that were implemented in 2000 would not have been secure, but by today's standards are laughable. A new system, like texting or photo submission, would violate the "data in transit" rule and this is literally your entire argument. You're so hung up on that that all I have to do is say "fax machine" to make you blow a gasket. The truth here is that businesses must accept data that's going to be insecure by nature, such as a fax, and are considered accepted practice. The only requirement from HIPAA is that the intended destination has a BA in place to accept PII.
The 'data in transit' rule here would apply within the organization. If you have an opportunity to transmit securely to a BA partner, you should use something like SFTP. HIPAA doesn't have a rule for receiving from a patient since they don't have the resources to transmit securely, though the spirit of the document would suggest that every attempt is made.
-
@Grey said in Is texting of pictures HIPAA compliant?:
You're so hung up on that that all I have to do is say "fax machine" to make you blow a gasket.
This is the example I use all the time. Data in transit is supposed to be protected. Using fax or texting isn't just breaking the rules, it's flaunting that HIPAA can't do anything, ever, in the most dramatic, obvious, known to everyone way. To a point where a patient knowing it was allowed could still sue even without a HIPAA breach and the only defense would be "But HIPAA is so useless, we thought it protected us."
-
@Grey said in Is texting of pictures HIPAA compliant?:
HIPAA doesn't have a rule for receiving from a patient since they don't have the resources to transmit securely, though the spirit of the document would suggest that every attempt is made.
That's true, as long as the patient initiates it entirely voluntarily.
-
@Grey said in Is texting of pictures HIPAA compliant?:
The truth here is that businesses must accept data that's going to be insecure by nature, such as a fax, and are considered accepted practice.
"Accepted" solely because HIPAA allows it, not because the industry allows it. From an IT perspective, any data sent over fax is a breach. Only HIPAA makes us not consider it a breach.
-
@scottalanmiller said in Is texting of pictures HIPAA compliant?:
@Grey said in Is texting of pictures HIPAA compliant?:
Part of the rules there allow a business to make decisions which may be insecure in order to allow business to continue, but those processes must be fixed once identified.
Hence no teeth. Claim any level of incompetence or convenience and bypass any rule.
Yes, I'm sure every doc's office enjoys having a HIPAA audit. No doubt that the rehab facility for Scott Disick is throwing a party over their current violation.
I've gone through these audits, and assisted the government agent in gathering requested data. There are tools to scan and identify problems. The HHS has plenty of teeth.
-
@scottalanmiller said in Is texting of pictures HIPAA compliant?:
@scottalanmiller said in Is texting of pictures HIPAA compliant?:
@Grey said in Is texting of pictures HIPAA compliant?:
Part of the rules there allow a business to make decisions which may be insecure in order to allow business to continue, but those processes must be fixed once identified.
Hence no teeth. Claim any level of incompetence or convenience and bypass any rule.
This is why HIPAA is a removal of security, not an addition of it. Without HIPAA guidelines, companies aren't allowed to prioritize business over patient data. HIPAA is meant to protect the exposure of data, not prevent it. It makes it harder to sue civily over a blatant exposure of data.
Did you just...? You replied to yourself? I mean... Self-agreement is great but don't argue with the wrong self. Or something.
-
-
@scottalanmiller said in Is texting of pictures HIPAA compliant?:
@Grey said in Is texting of pictures HIPAA compliant?:
You're so hung up on that that all I have to do is say "fax machine" to make you blow a gasket.
This is the example I use all the time. Data in transit is supposed to be protected. Using fax or texting isn't just breaking the rules, it's flaunting that HIPAA can't do anything, ever, in the most dramatic, obvious, known to everyone way. To a point where a patient knowing it was allowed could still sue even without a HIPAA breach and the only defense would be "But HIPAA is so useless, we thought it protected us."
"fax machine!!!"
-
@Grey said in Is texting of pictures HIPAA compliant?:
The HHS has plenty of teeth.
They really don't. They do these audits but EVERY doctor brags and flaunts their violations and not caring because HIPAA can't or doesn't touch them. It's a big joke. Yeah, once in a while you can find an example of someone so bad that they got caught. But for every story of things happening like they should, there is a hundred stories of people laughing at HIPAA for being useless and keeping them from having to meet minimum professional standards that they would otherwise be accountable to.
-
@Grey said in Is texting of pictures HIPAA compliant?:
@beta https://www.wrcbtv.com/story/41974356/hipaa-and-texting-is-sending-a-message-compliant
Thanks. So I think basically you and Scott are in agreement with MY particular situation, no? This would not be advisable and I should look for another way to have the documents sent to us. Or at the very least, it looks like we can inform the client that texting is not a secure form of communication, but if they want to do it they can? I have a feeling a lot of clients honestly wouldn't mind.
-
@Grey said in Is texting of pictures HIPAA compliant?:
@beta https://www.wrcbtv.com/story/41974356/hipaa-and-texting-is-sending-a-message-compliant
I like how they say "there are ways to make texting compliant" and instantly follow with the only obvious answers which are to stop texting and do something else.
-
@beta said in Is texting of pictures HIPAA compliant?:
@Grey said in Is texting of pictures HIPAA compliant?:
@beta https://www.wrcbtv.com/story/41974356/hipaa-and-texting-is-sending-a-message-compliant
Thanks. So I think basically you and Scott are in agreement with MY particular situation, no? This would not be advisable and I should look for another way to have the documents sent to us. Or at the very least, it looks like we can inform the client that texting is not a secure form of communication, but if they want to do it they can? I have a feeling a lot of clients honestly wouldn't mind.
Not advisable, but as long as the patient is aware and initiates it, should be okay.
-
While texting may pass a compliance check, we know it's not secure and can result in identity theft very easily even if not intercepted. It's going to sit on their phone probably indefinitely after they download it. Texting images doesnt always work. Many times I have had issues downloading images from texts.
Encrypted email or providing web portal access is the way to go. Anyone with a smart phone has an email address, and for the few people that have flip phones or rotary dial phones they will likely need an email address to track their own government benefits and login to government portals.
-
When I worked in Connecticut, employees at GE headquarters had their cell phones all hijacked by another company sharing their building and all of their texts (ALL of them) were captured and stored by another company (with conflicts of interest as well.) Any text sent to someone there was guaranteed to be not just intercepted, but stored. And they had no way to know because of the complete lack of security in texting.