4. Develop a "Statement of Understanding" for text-using patients
"This document should state that the patient has a choice about how they want to be communicated with," advises Sacopulos. "Text messaging is one option, but if the practice does not use a secure text messaging system, patients must understand the risks inherent in using unsecured messaging." These risks include an inability to verify the recipient, no way to escalate an urgent message, and no secure archive for the messages, leaving open the potential for data breaches. Sacopulos recommends including a statement that lets patients know they can revoke the permission to text using an unsecured messaging system at any time. "Ask patients to review and re-sign the policy every 12 months."
5. Explore secure text messaging solutions
"The risk exposure for using unsecured text is low compared to the risk exposure of having unencrypted mobile devices," says Sacopulos, adding that he is not aware of large-scale breaches that involve texting. "But just because the risk is low doesn't mean practices shouldn't move toward secure text messaging solutions," Sacopulos advises. "As more and more practices communicate with patients digitally, secure communications of all kinds will become more common and necessary."
Unlike standard SMS, secure texting is encrypted and messages are sent across a secure network. Messages are typically stored in the cloud on a secure, encrypted server — not on individual mobile devices. Messages can then be printed, ported to an EHR, archived, and stored for security audit and medical record management purposes.
Unfortunately, there are very few secure texting systems that enable communication between practices and patients. Most have been built for hospitals and health plans to enable secure texting and messaging between physicians and healthcare professionals within an enterprise. Several such options are Patient Reach Mobile, PingMD, and TigerText.
If, after implementing these five mitigation strategies, your attorney is still squeamish, purchase a cyber insurance policy. Such policies have been around for about a decade but are not widely known or purchased. "Cyber insurance is a cost-effective way to protect yourself against expenses related to data and privacy breaches and crisis management," Sacopulos says, "including the costs of remediation, patient notification and credit-check protection, legal costs, and fines." Contact your local insurance broker for details.
Cheryl Toth, MBA, is a practice leadership & implementation coach with KarenZupko & Associates. Cheryl brings 20 years of consulting, training, technology product management, and marketing to her projects.