By Bob Belfort, Manatt Phelps & Phillips, LLP.
We talked about matters such as minimizing the security risks associated with loss or theft of, or improper access to, portable devices, and ensuring the security of information transmitted between portable devices and other computer systems. These requirements generally stem from the HIPAA Security Rule, which requires covered entities to employ administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information that they maintain or transmit electronically.
To Encrypt or Not to Encrypt: Text Message Transmission Security
We had a very interesting discussion with one grantee about health care providers’ use of text messages to send reminders and alerts to patients participating in their project. It highlights the type of judgment calls that are often necessary when interpreting one’s responsibilities under HIPAA and state privacy laws.
Under the HIPAA Security Rule, a covered entity has discretion to adopt security measures within specified categories based on the entity’s size, complexity, capabilities and resources. In addition, while certain implementation specifications are required, others are “addressable,” which means that a covered entity has the flexibility, through a formal security risk analysis, to assess whether the measure is “reasonable and appropriate” in its particular environment and, if not, to document why it is not and to adopt an alternative reasonable and appropriate measure where one exists. The documented decision matters: an “addressable” specification is not an optional one, and an entity that skips it without a recorded rationale has no defense if the decision is later questioned.
As many of you know, there are obstacles to encrypting text messages: ordinary SMS is carried in the clear over the carrier network and sits unencrypted on the recipient’s handset, and the sender has no way to impose end-to-end encryption on the patient’s phone. Because encrypting protected health information sent over an electronic communications network is an “addressable” implementation specification under the HIPAA Security Rule, we engaged in a mini risk analysis during our call, weighing the risks of sending certain types of information through unencrypted text messages and considering how best to mitigate those risks. One mitigation strategy we discussed was limiting the nature of the information transmitted. We talked through the risks associated with texting “Don’t forget to take your medication today” as compared to “You forgot to take your Lipitor today,” and discussed a variety of other potential scenarios. The difference is that the first message reveals nothing beyond the fact that the recipient is enrolled in a program, while the second names a specific drug and therefore discloses a condition to anyone who reads the phone.
The bottom line is that there is simply no bright line to guide a grantee’s decision whether to encrypt or not to encrypt, and, if not to encrypt, what types of alternative measures to adopt to ensure the security of the information being sent via text. For example, while limiting text messages to “pointers” (e.g. “Check the Carrot.com for a note from your health coach.”) is probably the most conservative way to minimize the risk of unauthorized access to protected health information or other information sent via text, it may not be the most effective way to motivate patients to take control of their health.
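The “pointer” strategy above is a data-minimization control, and it only works if the system sending the reminders actually enforces it. The following is an added illustration, not code from the original post or from any grantee’s project, of how a reminder gateway can enforce that policy: outbound text is rendered only from an allow-list of approved templates whose placeholders cannot carry health information, and a second deny-list scan catches anything that slips through (for instance a URL that embeds a drug name). The template wording, the portal host `portal.example.org`, the `PHI_TERMS` list and the function names are all constructed for this example; a real deployment would take the approved templates and the term list from its own documented risk analysis.

```python
"""Content-minimization gate for reminders sent over unencrypted SMS.

Added example; templates, host name and term list are constructed here
and are not drawn from the original post.
"""
import re
import string

# Allow-list: the only message bodies approved for an unencrypted channel.
# The sole placeholder is a URL, so rendered text can never carry a
# diagnosis, drug name or test result by construction.
APPROVED_TEMPLATES = {
    "generic_reminder": "Don't forget to take your medication today.",
    "pointer": "Check {url} for a note from your health coach.",
}

# Only links into the program's own portal may be substituted into a pointer.
# Hypothetical host, chosen for this example.
ALLOWED_URL_PREFIX = "https://portal.example.org/"

# Deny-list used as defense in depth on the rendered text. Constructed for the
# example; any real list is far longer and still incomplete, which is why the
# allow-list above, not this scan, is the actual control.
PHI_TERMS = {"lipitor", "insulin", "diabetes", "hiv", "a1c"}


class PolicyViolation(Exception):
    """Raised when a message would leave the approved envelope."""


def render(template_id, **params):
    """Render an approved template, refusing unknown templates, unexpected
    parameters, and URLs that point outside the program portal."""
    if template_id not in APPROVED_TEMPLATES:
        raise PolicyViolation(f"template not approved: {template_id}")
    tmpl = APPROVED_TEMPLATES[template_id]
    expected = {name for _, name, _, _ in string.Formatter().parse(tmpl) if name}
    if set(params) != expected:
        raise PolicyViolation(
            f"parameters for {template_id} must be exactly {sorted(expected)}")
    if "url" in params and not params["url"].startswith(ALLOWED_URL_PREFIX):
        raise PolicyViolation("url must point into the program portal")
    return tmpl.format(**params)


def phi_terms_in(text):
    """Return the deny-listed terms present in text, lower-cased and sorted."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return sorted(tokens & PHI_TERMS)


def gate(text, channel_encrypted=False):
    """Decide whether text may be sent; returns (allowed, reason).

    Deny-listed terms are tolerated only when the channel is encrypted,
    which for plain SMS it is not."""
    hits = phi_terms_in(text)
    if hits and not channel_encrypted:
        return False, "PHI-like terms over unencrypted SMS: " + ", ".join(hits)
    return True, "ok"


def prepare_reminder(template_id, channel_encrypted=False, **params):
    """Full path: render from the allow-list, then run the deny-list scan."""
    text = render(template_id, **params)
    allowed, reason = gate(text, channel_encrypted)
    if not allowed:
        raise PolicyViolation(reason)
    return text


if __name__ == "__main__":
    # The two messages discussed on the call, plus a pointer.
    for sample in ("Don't forget to take your medication today",
                   "You forgot to take your Lipitor today"):
        print(sample, "->", gate(sample))
    print(prepare_reminder("pointer", url="https://portal.example.org/coach"))
    try:
        # A free-text message that names a drug cannot be rendered at all,
        # because it is not an approved template.
        prepare_reminder("free_text")
    except PolicyViolation as exc:
        print("refused:", exc)
```

The point of the design is that the free-text path does not exist: staff choose a template identifier, not a sentence, so the “You forgot to take your Lipitor today” message can only be sent if someone first adds it to the approved list, which is exactly the decision the risk analysis is meant to record. The term scan is a backstop for the parameters, not a substitute for that allow-list.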
This is one of the reasons we at Manatt and our partner Deven McGraw at the Center for Democracy and Technology are here: to talk these types of questions through with grantees and assist in finding solutions that minimize legal risks but also work in practice. We’ll be addressing these types of risks during standing monthly calls. We’re looking forward to some interesting conversations.