Mosio White Paper: Simplifying HIPAA and SMS in Clinical Research
Simplifying HIPAA and SMS:
A Practical Approach to the Secure Use of Text Messaging in Clinical Research
Simplifying HIPAA and SMS: A Practical Approach to the Secure Use of Text Messaging in Clinical Research Page 2 of 9
Table of Contents
Abstract (page 3)
Introduction (page 3)
Definitions (page 3)
HIPAA Defined (page 4)
HIPAA Redefined (page 4)
PHI and SMS: Evaluating Security Needs (page 4)
Solutions (page 5)
Guidance (page 6)
Conclusion (page 6)
References (page 6)
Disclaimer (page 6)
Appendix A: Guidance and Advice for Effective, Compliant Studies Using SMS (page 7)
  Risk vs. Reward: Why Gray Should Be Your New Best Friend (page 7)
  The Consent Agreement: Protection for All Parties (page 7)
  Good Questions Get Good Answers (page 8)
  Advice for Participants (page 9)
  The Last Word (page 9)
  Questions? (page 9)
Abstract
As personal mobile devices became ubiquitous, the way healthcare studies and clinical trials are performed
expanded to take in these technologies. With this evolution came the need to establish methods to protect the
data, and to protect the rights of the individuals providing personal health information. This paper focuses on
the rapidly growing need to understand and address the security issues associated with using Short Message
Service (SMS) texts to transmit Protected Health Information (PHI), in order to ensure the best possible
compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Introduction
In response to recent requests and questions, we researched ways to provide education on HIPAA compliance
and to improve the ways that mobile text messaging services can be customized to give clients the best
methods for keeping PHI data secure. This paper provides background information and definitions for a basic
understanding of HIPAA and PHI, explains how these regulations translate into the real world, details our
contributions to compliance and security, and offers guidance for clients' use.
Definitions
Term: Definition

HIPAA
Health Insurance Portability and Accountability Act - enacted in 1996 by the United States Congress to ensure
health insurance coverage for workers and to establish standards regarding electronic healthcare data.
• The HIPAA Privacy Rule protects the privacy of individually identifiable health information (see PHI).
• The HIPAA Security Rule sets national standards for the security of electronic protected health information.
• The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification
following a breach of unsecured protected health information.
• The HIPAA Patient Safety Rule protects identifiable information being used to analyze patient safety events
and improve patient safety.
For more information, see http://www.hhs.gov/ocr/privacy/

PHI
Protected Health Information - Individually identifiable health information, including demographic data, that
relates to:
• The individual's past, present, or future physical or mental health or condition,
• The provision of health care to the individual, or
• The past, present, or future payment for the provision of health care to the individual, and
• Identifies the individual or for which there is a reasonable basis to believe it can be used to identify the
individual.
For more information, see http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

SMS
Short Message Service - a text messaging service component of phone, Web, or mobile communication systems
that uses standardized communications protocols to allow fixed line or mobile phone devices to exchange short
text messages.

Study Administrator
A company, group, or entity that defines and manages a study, experiment, or data-gathering endeavor directly
or indirectly related to the healthcare industries. In this white paper, the Study Administrator is typically the
client.

Study Participant
An individual who voluntarily participates as a data provider for a study, experiment, or data-gathering
endeavor of the Study Administrator. Also known as a patient or end user.
HIPAA Defined
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted in part to protect the
security and privacy of protected health information (PHI). Covered entities (e.g., health care providers engaged
in certain electronic transactions, health plans, and health care clearinghouses) that create, maintain, transmit,
use, and disclose an individual’s PHI are required to meet HIPAA requirements.
HIPAA’s Privacy Rule restricts uses and disclosures of PHI, creates individual rights with respect to their PHI, and
mandates administrative requirements. Among other requirements, the privacy rule requires a covered entity to
reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the
requirements of HIPAA.
HIPAA's Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of their
electronic PHI, to protect against reasonably anticipated threats or hazards to the security or integrity of that
electronic PHI, to protect against reasonably anticipated impermissible uses and disclosures of it, and to ensure
compliance by their workforce. Additionally, the Security Rule requires covered entities to put in place detailed
administrative, physical, and technical safeguards to protect electronic PHI. To do this, covered entities are
required to implement access controls and set up backup and audit controls for electronic PHI in a manner
commensurate with the associated risk.
Additional HIPAA requirements include the need for a covered entity to provide notification following a breach of
unsecured protected health information.
HIPAA Redefined
A common misconception about HIPAA requirements is that they define the specifics of what can and cannot be
done. In reality, the intent of HIPAA is not to dictate individual do's and don'ts, but rather to provide guidance
toward achieving a reasonable amount of control with regard to the management and security of PHI. As stated
by Katten Muchin Rosenman LLP and PerfectServe, Inc. in their white paper "Clarifying the Confusion about
HIPAA-Compliant Texting:"
"The HIPAA Security Rule is 'technology neutral.' Furthermore, compliance with the HIPAA
Security Rule is not an attribute of a particular application or device, but rather of a system of
physical, administrative, and technology safeguards that support the HIPAA-compliant use of
electronic communication. Thus, there is no such thing as a 'HIPAA-compliant' application or
device."
Once HIPAA is understood as a guide toward compliant behaviors rather than a set of restrictions, researchers
and health care providers can fully embrace the use of technologies with greater confidence.
PHI and SMS: Evaluating Security Needs
PHI, or individually identifiable health information, covers a broad spectrum of personal and demographic data.
The protection and security of this data is at the heart of HIPAA's intent to ensure the individual's right to privacy.
The use of SMS - or text messaging - to transmit this data is extremely useful and offers huge potential in
research for recruiting and retaining patients as well as gathering important medical data.
When considering the use of SMS for endeavors involving the exchange of PHI, security risks must be identified
and evaluated. The intent of the assessment is to not only identify potential problems or weaknesses, but to
establish the best possible approach to adhering to the HIPAA security standards. This risk assessment should:
• Identify all PHI that will be created, received, maintained, or transmitted.
• Identify all third parties and vendors who might also create, receive, maintain, or transmit the PHI.
• Identify potential human, natural, and environmental threats to the information systems that transmit or
store the PHI.
• Evaluate threats and vulnerabilities by assigning levels of risk, likelihood, and impact.
• Assess current security measures and investigate new security options.
• Establish and implement mitigations and corrective actions where possible.
Some of the more common risks to PHI when using SMS are:
• Loss of a personal mobile phone or device containing PHI texts.
• A breach or loss of PHI data from servers or databases in which the PHI is stored.
• Interception of PHI while in transit.
Fortunately, the likelihood of the occurrence of these risk scenarios can be greatly reduced by documented,
enforced security policies and procedures, de-identification of PHI identifiers, and education and training
regarding PHI and good security practices.
Solutions
Physical and logical security measures, including restricted access to data centers, servers, databases, and
applications that contain PHI, are essential for HIPAA compliance practices. A good Quality Program includes
thorough, detailed policies and procedures regarding the security of all aspects of software development, data
management, change management, backup and restoration, and vendor management.
In addition to core security, another safeguard of PHI is de-identification. This is an action or method that
separates the individual (and associated individuals such as family members, employers, etc.) from unique
identifiers such as:
• Names
• All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code,
and their equivalent geocodes
• All elements of dates (except year) for dates directly related to an individual, including birth date,
admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including
year) indicative of such age, except that such ages and elements may be aggregated into a single
category of age 90 or older
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code
Note: The identifiers listed above are only one aspect of PHI. PHI encompasses an individual's past, present,
and future state of health, including information about health care providers. Refer to the Definitions section.
While complete de-identification is not always possible, the best practice is to identify and reduce the places
where PHI is stored and the ways in which it is shared. For example, mobile messaging software may need to
keep a mobile number in order to link inbound and outbound messages to mobile phones, but the mobile number
and specific data types can be encrypted within the system itself, so that in the event of a breach only the
message data is visible, and it is not directly associated with a mobile number. Furthermore, the mobile
messaging software should assign a Patient ID to each user/patient as the reference point instead of the mobile
number, so that data is associated with the Patient ID both within the software and in data export functions.
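The design just described (mobile number encrypted inside the system, a Patient ID as the reference point for messages and exports), written out as an added Go example; this is not Mosio's code, and the AES-GCM and HMAC choices, the derivation of both keys from one master key, and the sample numbers are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Registry links mobile numbers to Patient IDs. Numbers are held AES-GCM encrypted and are
// found again only via a keyed HMAC index, so Messages and the export carry Patient IDs alone.
type Message struct{ PatientID, Direction, Text string }
type Registry struct {
	aead     cipher.AEAD
	indexKey []byte
	index    map[string]string // HMAC(number) -> Patient ID
	numbers  map[string][]byte // Patient ID -> nonce || ciphertext
	Messages []Message
}

// NewRegistry derives an encryption key and an index key from one master key (assumed to
// live in a KMS or HSM; plain labelled hashing stands in for HKDF to keep the example short).
func NewRegistry(masterKey []byte) *Registry {
	enc := sha256.Sum256(append([]byte("enc:"), masterKey...))
	idx := sha256.Sum256(append([]byte("idx:"), masterKey...))
	block, _ := aes.NewCipher(enc[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)   // AES block size: cannot fail
	return &Registry{aead: aead, indexKey: idx[:], index: map[string]string{}, numbers: map[string][]byte{}}
}

// tag is the keyed lookup token; without indexKey it can be neither computed from a number nor reversed.
func (r *Registry) tag(number string) string {
	m := hmac.New(sha256.New, r.indexKey)
	m.Write([]byte(number))
	return string(m.Sum(nil))
}

// Enroll registers a participant and returns the Patient ID used everywhere from then on.
func (r *Registry) Enroll(number string) string {
	id := fmt.Sprintf("P%04d", len(r.numbers)+1)
	nonce := make([]byte, r.aead.NonceSize())
	rand.Read(nonce) // fresh nonce per record
	// The Patient ID is the additional data, so a ciphertext cannot be moved to another record unnoticed.
	r.numbers[id] = r.aead.Seal(nonce, nonce, []byte(number), []byte(id))
	r.index[r.tag(number)] = id
	return id
}

// Inbound resolves the sender to a Patient ID and files the reply under it; unknown senders are rejected.
func (r *Registry) Inbound(fromNumber, text string) (string, error) {
	id, ok := r.index[r.tag(fromNumber)]
	if !ok {
		return "", fmt.Errorf("sender not enrolled")
	}
	r.Messages = append(r.Messages, Message{id, "in", text})
	return id, nil
}

// Outbound decrypts the number only at the moment a text is sent.
func (r *Registry) Outbound(id, text string) (string, error) {
	sealed, ok := r.numbers[id]
	if !ok {
		return "", fmt.Errorf("unknown Patient ID %q", id)
	}
	number, err := r.aead.Open(nil, sealed[:r.aead.NonceSize()], sealed[r.aead.NonceSize():], []byte(id))
	if err != nil {
		return "", err
	}
	r.Messages = append(r.Messages, Message{id, "out", text})
	return string(number), nil
}

// ExportCSV is the study data set: keyed by Patient ID, no mobile numbers.
func (r *Registry) ExportCSV() string {
	out := "patient_id,direction,text\n"
	for _, m := range r.Messages {
		out += fmt.Sprintf("%s,%s,%q\n", m.PatientID, m.Direction, m.Text)
	}
	return out
}
```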
Another crucial aspect of security involves training and education. All persons who view, use, interpret, transmit,
store, or manage PHI in any way must be properly trained on HIPAA standards and applicable security policies
and procedures. Additionally, the proper care and processes need to be in place to ensure research staff and
participants are both educated and informed about their own obligations to maintain privacy and data security.
Participants can - and should - actively contribute to the safety of their own PHI.
Guidance
We believe that shared knowledge benefits all. Refer to Appendix A: Guidance and Advice for Effective,
Compliant Studies Using SMS for valuable tips for:
• Creating a mutually beneficial consent agreement.
• Crafting PHI-friendly text messages, whether they are alerts, reminders, or survey questions.
• Advising participants to safeguard their own PHI.
Conclusion
Effective management of risks via education and established security practices is the key to HIPAA compliance
when using SMS. With the understanding that no application or device is truly HIPAA compliant, implementing
and practicing proper procedures and education with staff, patients, and caregivers provides researchers with the
ability to utilize cost-effective research technologies like SMS text messaging to achieve protocol requirements.
For further guidance and tips on understanding and implementing good standards and practices regarding the
use of SMS for the transmission of PHI, please see Appendix A: Guidance and Advice for Effective, Compliant
Studies Using SMS.
References
HIPAA - http://www.hhs.gov/ocr/privacy/
Katten Muchin Rosenman LLP and PerfectServe, Inc. - Clarifying the Confusion about HIPAA-Compliant Texting -
https://www.perfectserve.com/hospital/docs/PerfectServe-Clarifying-Confusion-About-HIPAA-Compliant-Electronic-Communication.pdf
Amazon Web Services - Creating Healthcare Data Applications to Promote HIPAA and HITECH Compliance -
http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
UC Davis Health System - http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/deident.html
Qualtrics - The 10 Commandments for Writing Outstanding Survey Questions -
http://www.qualtrics.com/blog/good-survey-questions/
The Purdue OWL - http://owl.english.purdue.edu
Disclaimer
This white paper is not intended to constitute legal advice. Clients are advised to seek the advice of legal counsel
regarding compliance with HIPAA and other regulations that may be applicable to their business. Mosio and its
affiliated entities make no representations or warranties that the client's use of Mosio services will assure full
compliance with applicable laws.
Appendix A: Guidance and Advice for Effective, Compliant Studies Using SMS
This appendix to the paper "Simplifying HIPAA and SMS: A Practical Approach to the Secure Use of Text
Messaging in Clinical Research" is intended to assist our current and future clients with understanding and
implementing good standards and practices regarding the use of SMS (Short Message Service) for the
transmission of PHI (Protected Health Information).
Risk vs. Reward: Why Gray Should Be Your New Best Friend
Like most of life's endeavors, there are no guarantees that nothing will ever go wrong when using technology to
perform a function. When considering the use of SMS or any technology to transmit privacy data as part of a
study or trial, it is vital to understand that some risks exist. For example, computers and mobile devices can be
lost, stolen, or even hacked. It is impossible to fully protect against all possible mishaps, but safeguards can be
put in place to reduce the risks.
HIPAA privacy and security requirements for PHI are printed in black and white, but the reality of compliance lies
in the myriad of shades of gray. The wise approach is to understand and acknowledge the risks specific to the
research project at hand, provide the best mitigations possible, and work with service providers who do the same.
When choosing a text messaging vendor or technology partner, additional consideration should be given to the
company's experience, knowledge, technological features, and internal processes for managing PHI so that you
benefit from a customized study solution that will generate the most reliable data with as little risk as possible.
Essential components of minimizing risk include open communication, understanding, and education. When all
parties understand and agree upon the nature of the tasks to be performed, the associated risks dwindle
significantly. The following sections contain practical advice for achieving this goal.
The Consent Agreement: Protection for All Parties
A thorough consent agreement between the Study Administrator and the Study Participant is essential in order to
protect the rights of all involved. The consent agreement should address the following, at a minimum:
• Description of the nature of the data the Study Participant will provide. Each participant should fully
understand what information he/she will be submitting. Ideally, this should be customized for the study
and should include as much detail as possible, e.g., daily blood pressure, weight, or timing and dosage of
medications. Note: HIPAA does not dictate what a Study Administrator can and cannot ask. The nature of
the questions is an agreement between the Study Administrator and the Study Participant.
• Description of how this information will be obtained. Each participant should fully understand how
he/she will submit the data. For example, the consent agreement should clearly state that Mosio will
facilitate the questions and answers via text messages sent to and from the participant's personal mobile
device. Data provided by the participant as part of the initial recruiting, setup process, and completion
process should also be addressed.
• Description of how this data will be used. Each participant must be informed of all potential usage of
his/her PHI, including the sharing of data with third parties. This could be a reference to existing privacy
data policies. Each participant must consent to all data usage and sharing.
• Description of how this data will be securely managed. This is the most crucial element. For the sake
of all parties, all privacy data obtained by the Study Administrator for any purpose must be managed in
such a manner that ensures the best possible security. This could reference existing policies, procedures,
and privacy data policies. If applicable, this should also address third party providers' responsibilities
regarding data security.
• Disclosures of risks and vulnerabilities. Participants must be notified of identified potential risks, such
as the risks involved with the use of unencrypted texts.
• A clear definition of the boundaries between the Study Administrator and the Study Participant
responsibilities. This should include disclaimers that the Study Administrator is not responsible for any
loss or breach of data that results from something beyond their control, e.g., the participant loses his/her
personal mobile device containing text messages with his/her PHI, or a third party vendor or host
experiences a server/data breach.
• Acknowledgement of Rights and Receipt of Instructions. Participants should be advised of their
rights. This may be documented separately. Additionally, participants should be offered instructions
and/or tips for ways to safeguard their own PHI data. Refer to the Advice for Participants section below for
examples. Participants should formally acknowledge the receipt and understanding of both their rights
and the instructions provided.
• Process for notifying the participant in case of an actual or potential security breach. This is
essential for HIPAA compliance. The process should include communication steps, follow-up activities,
and responsibilities of third parties. This may be defined or referred to in a separate privacy data policy.
The final draft of the consent agreement should be reviewed and approved by compliance and legal advisors prior
to use.
Good Questions Get Good Answers
Concise, efficient, well-crafted survey questions can help enforce security consistent with HIPAA requirements
and can also eliminate some risks when using SMS to transmit PHI.
Some tips include:
• Keep questions as short and concise as possible. Longer questions may increase confusion and lead the
participant to craft a longer-than-necessary reply, which could contain unnecessary PHI. A brief answer of
"yes," "no," or "2," is meaningless when taken out of context, yet can still provide all the data needed for
the study. As an added bonus, participants are more likely to respond more quickly and accurately when
allowed the opportunity for a short answer.
• Build questions that are clearly understood. Avoid vague, loaded, or leading words, such as "could,"
"might," "often," or "never." "Do you drink milk regularly?" is both vague and potentially confusing. Better
data would result from a question like "How many 8oz. glasses of milk did you consume today?" Getting
precise data the first time will eliminate the need to ask more detailed follow-up questions later.
• Ask individual questions. Do not combine questions. "Did you do your assigned exercises and take your
pill today?" should be separated into two distinct questions.
• Use commonly understood words. Avoid jargon or highly technical terms that the participant might not
understand. A misunderstood question can also lead to unnecessary PHI, or to the sharing of personal data
not agreed upon in the consent agreement.
• Remind the participant of privacy measures. For example, the following text could be sent periodically, or
after every survey question: "We vow to protect the information you provide. For extra safety and privacy,
please delete the survey question and your response after sending. Thank you for your participation and
your trust."
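The risk raised above, a reply that volunteers identifiers the question never asked for, can be screened for on the inbound side before the reply is stored. The following is an added Go example built on the identifier list from the Solutions section; it is not Mosio's code, and the patterns, the marker format, and the constructed sample reply are assumptions of the example.

```go
package main

import (
	"regexp"
	"strings"
)

// identifierPatterns is a coarse screen for the few Safe Harbor identifiers that can be
// recognised by shape in free text. It is not de-identification: names, places, ages and
// most other identifiers need human review; this only catches the mechanically obvious ones.
// The slice is ordered (SSN before phone) so that redaction is deterministic.
var identifierPatterns = []struct {
	Kind string
	Re   *regexp.Regexp
}{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"phone", regexp.MustCompile(`(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b`)},
	{"email", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)},
	{"date", regexp.MustCompile(`\b\d{1,2}/\d{1,2}/\d{2,4}\b`)},
	{"url", regexp.MustCompile(`\bhttps?://\S+`)},
	{"ipv4", regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)},
	{"mrn", regexp.MustCompile(`(?i)\bMRN\s*#?\s*\d+\b`)},
}

// Finding is one identifier-shaped token found in a reply.
type Finding struct{ Kind, Match string }

// ScreenReply lists the identifiers a participant's text reply contains. A short answer
// to a well-built question ("2", "yes") yields none; a reply that volunteers extra detail
// is flagged so it can be reviewed or redacted before it is stored with the study data.
func ScreenReply(text string) []Finding {
	var out []Finding
	for _, p := range identifierPatterns {
		for _, m := range p.Re.FindAllString(text, -1) {
			out = append(out, Finding{p.Kind, m})
		}
	}
	return out
}

// Redact replaces each flagged token with a [KIND] marker so the rest of the answer can
// be kept without the volunteered identifier.
func Redact(text string) string {
	for _, p := range identifierPatterns {
		text = p.Re.ReplaceAllString(text, "["+strings.ToUpper(p.Kind)+"]")
	}
	return text
}
```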
Advice for Participants
While the Study Administrator is ultimately responsible for securing PHI as much as possible, the Study
Participant should be aware of his/her own responsibilities for securing his/her own data where possible.
Participants using their own mobile devices should be educated to:
• Think carefully when composing answers to questions. Do not provide any personal information that is
not asked for.
• When sending text responses, double-check to ensure that the reply is being sent only to the proper
persons/entities.
• Delete incoming and/or outgoing text messages containing PHI after sending a response to a prompt or
question.
• Keep the mobile device password-protected and/or locked to prevent others from accessing text message
history.
• Make an effort to minimize the chances that the mobile device will be lost or stolen, e.g., lock the device
in a drawer when going to a meeting rather than leaving the phone out on the desk.
• When syncing the mobile device with another device or computer for any sort of data transfer, take
special care to ensure that texts containing PHI are not transferred.
• Do not post or copy any texts or parts of texts containing PHI on any social media site.
• Contact the Study Administrator in the event of a potential data breach, the loss of the mobile device, or
suspicious texts claiming to be a part of the study.
Some or all of the items listed above may be included or referenced in the consent agreement. At the least, the
consent agreement should include an acknowledgment that the participant received and understood the
instructions.
The Last Word
Careful planning, communication, and education go a long way toward HIPAA-compliant use of SMS. When
combined with our Quality Program and stringent security measures, data is as safe as it can possibly be.
Questions?
Existing Mosio clients, please contact support@mosio.com with any questions or concerns.
If you are looking to utilize the power of text messaging in your next research study, please visit us at
http://www.mosio.com.