
Mosio White Paper: Simplifying HIPAA and SMS in Clinical Research

Simplifying HIPAA and SMS: A Practical Approach to the Secure Use of Text Messaging in Clinical Research


Table of Contents

Abstract
Introduction
Definitions
HIPAA Defined
HIPAA Redefined
PHI and SMS: Evaluating Security Needs
Solutions
Guidance
Conclusion
References
Disclaimer
Appendix A: Guidance and Advice for Effective, Compliant Studies Using SMS
  Risk vs. Reward: Why Gray Should Be Your New Best Friend
  The Consent Agreement: Protection for All Parties
  Good Questions Get Good Answers
  Advice for Participants
  The Last Word
  Questions?
Abstract

As the use of personal mobile devices became ubiquitous, the manner in which healthcare studies and clinical trials are performed expanded into the world of modern technology. With this evolution came the need to establish methods to protect the data, and to protect the rights of individuals providing personal health information. This paper focuses on the rapidly growing need to understand and address the security issues associated with using Short Message Service (SMS) texts to transmit Protected Health Information (PHI), in order to ensure the best possible compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Introduction

In response to recent requests and questions, we researched ways to provide education on HIPAA compliance and to improve the ways that mobile text messaging services can be customized to give clients the best methods for keeping PHI data secure. This paper provides background information and definitions for a basic understanding of HIPAA and PHI, explains how these regulations translate into the real world, details our contributions to compliance and security, and offers guidance for clients' use.

Definitions

HIPAA
Health Insurance Portability and Accountability Act - enacted in 1996 by the United States Congress to ensure health insurance coverage for workers and to establish standards regarding electronic healthcare data.
• The HIPAA Privacy Rule protects the privacy of individually identifiable health information (see PHI).
• The HIPAA Security Rule sets national standards for the security of electronic protected health information.
• The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information.
• The HIPAA Patient Safety Rule protects identifiable information being used to analyze patient safety events and improve patient safety.
For more information, see http://www.hhs.gov/ocr/privacy/

PHI
Protected Health Information - individually identifiable health information, including demographic data, that relates to:
• the individual's past, present, or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
For more information, see http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

SMS
Short Message Service - a text messaging service component of phone, Web, or mobile communication systems that uses standardized communications protocols to allow fixed-line or mobile phone devices to exchange short text messages.

Study Administrator
A company, group, or entity that defines and manages a study, experiment, or data-gathering endeavor directly or indirectly related to the healthcare industries. In this white paper, the Study Administrator is typically the client.

Study Participant
An individual who voluntarily participates as a data provider for a study, experiment, or data-gathering endeavor of the Study Administrator. Also known as a patient or end user.
HIPAA Defined

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted in part to protect the security and privacy of protected health information (PHI). Covered entities (e.g., health care providers engaged in certain electronic transactions, health plans, and health care clearinghouses) that create, maintain, transmit, use, and disclose an individual's PHI are required to meet HIPAA requirements.

HIPAA's Privacy Rule restricts uses and disclosures of PHI, creates individual rights with respect to their PHI, and mandates administrative requirements. Among other requirements, the Privacy Rule requires a covered entity to reasonably safeguard PHI from any intentional or unintentional use or disclosure that violates HIPAA.

HIPAA's Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of their electronic PHI; to protect against reasonably anticipated threats or hazards to the security or integrity of that electronic PHI; to protect against reasonably anticipated impermissible uses and disclosures of it; and to ensure compliance by their workforce. Additionally, the Security Rule requires covered entities to put in place detailed administrative, physical, and technical safeguards to protect electronic PHI. To do this, covered entities are required to implement access controls and set up backup and audit controls for electronic PHI in a manner commensurate with the associated risk.

Additional HIPAA requirements include the need for a covered entity to provide notification following a breach of unsecured protected health information.

HIPAA Redefined

A common misconception about HIPAA requirements is that they define the specifics of what can and cannot be done. In reality, the intent of HIPAA is not to dictate individual do's and don'ts, but rather to provide guidance toward achieving a reasonable amount of control over the management and security of PHI. As stated by Katten Muchin Rosenman LLP and PerfectServe, Inc. in their white paper "Clarifying the Confusion about HIPAA-Compliant Texting":

"The HIPAA Security Rule is 'technology neutral.' Furthermore, compliance with the HIPAA Security Rule is not an attribute of a particular application or device, but rather of a system of physical, administrative, and technology safeguards that support the HIPAA-compliant use of electronic communication. Thus, there is no such thing as a 'HIPAA-compliant' application or device."

Once HIPAA is understood as a guide toward compliant behaviors rather than a set of restrictions, researchers and health care providers can embrace the use of technologies with greater confidence.

PHI and SMS: Evaluating Security Needs

PHI, or individually identifiable health information, covers a broad spectrum of personal and demographic data. The protection and security of this data is at the heart of HIPAA's intent to ensure the individual's right to privacy. The use of SMS - or text messaging - to transmit this data is extremely useful and offers huge potential in research for recruiting and retaining patients as well as gathering important medical data.

When considering the use of SMS for endeavors involving the exchange of PHI, security risks must be identified and evaluated. The intent of the assessment is not only to identify potential problems or weaknesses, but to establish the best possible approach to adhering to the HIPAA security standards. This risk assessment should:
• Identify all PHI that will be created, received, maintained, or transmitted.
• Identify all third parties and vendors who might also create, receive, maintain, or transmit the PHI.
• Identify potential human, natural, and environmental threats to the information systems that transmit or store the PHI.
• Evaluate threats and vulnerabilities by assigning levels of risk, likelihood, and impact.
• Assess current security measures and investigate new security options.
• Establish and implement mitigations and corrective actions where possible.
Some of the more common risks to PHI when using SMS are:
• Loss of a personal mobile phone or device containing PHI texts.
• A breach or loss of PHI data from servers or databases in which the PHI is stored.
• Interception of PHI while in transit.

Fortunately, the likelihood of these risk scenarios can be greatly reduced by documented, enforced security policies and procedures, de-identification of PHI identifiers, and education and training regarding PHI and good security practices.

Solutions

Physical and logical security measures, including restricted access to data centers, servers, databases, and applications that contain PHI, are essential for HIPAA compliance practices. A good Quality Program includes thorough, detailed policies and procedures regarding the security of all aspects of software development, data management, change management, backup and restoration, and vendor management.

In addition to core security, another safeguard of PHI is de-identification. This is an action or method that separates the individual (and associated individuals such as family members, employers, etc.) from unique identifiers such as:
• Names
• All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code

Note: The identifiers listed above are only one aspect of PHI. PHI encompasses an individual's past, present, and future state of health, including information about health care providers. Refer to the Definitions section.
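As an added example (not code from this paper or from Mosio's product), a small Python model of the Patient ID design this paper recommends for messaging software: message data is keyed by a randomly minted Patient ID, and the only mapping back to a mobile number lives in a separate vault that the data export never touches. The vault class, the US country-code normalization and the sample exchange are assumptions; the vault stands in for the encrypted number field and would be encrypted at rest and access-restricted in a real deployment.

```python
"""Pseudonymised SMS message store: study data keyed by Patient ID, never by mobile number."""
import csv
import io
import re
import secrets
from dataclasses import dataclass


def normalize_mobile(mobile: str) -> str:
    """Digits only; a US country code is assumed for 10-digit numbers (assumption)."""
    digits = re.sub(r"\D", "", mobile)
    return "1" + digits if len(digits) == 10 else digits


class MobileNumberVault:
    """The only place where a mobile number and a Patient ID meet.

    Stands in for the encrypted number field the paper describes: in a real
    deployment this table is encrypted at rest and reachable only by the
    send/receive path, never by analysts or export jobs (assumption).
    """

    def __init__(self) -> None:
        self._id_by_number: dict[str, str] = {}
        self._number_by_id: dict[str, str] = {}

    def patient_id_for(self, mobile: str) -> str:
        """Return the existing Patient ID for a number, or mint a random one."""
        number = normalize_mobile(mobile)
        if number not in self._id_by_number:
            # Random rather than derived from the number: the ID alone reveals nothing.
            pid = "P" + secrets.token_hex(4).upper()
            self._id_by_number[number] = pid
            self._number_by_id[pid] = number
        return self._id_by_number[number]

    def mobile_for(self, patient_id: str) -> str:
        """Reverse lookup, used only by the SMS gateway when sending."""
        return self._number_by_id[patient_id]


@dataclass(frozen=True)
class MessageRecord:
    patient_id: str
    direction: str   # "in" (from participant) or "out" (to participant)
    sent_at: str
    text: str


class MessageStore:
    """Study message log: carries Patient IDs, never mobile numbers."""

    def __init__(self, vault: MobileNumberVault) -> None:
        self.vault = vault
        self.records: list[MessageRecord] = []

    def record_inbound(self, mobile: str, text: str, sent_at: str) -> MessageRecord:
        """Link an inbound text to its Patient ID and store only that."""
        rec = MessageRecord(self.vault.patient_id_for(mobile), "in", sent_at, text)
        self.records.append(rec)
        return rec

    def queue_outbound(self, patient_id: str, text: str, sent_at: str) -> tuple[str, MessageRecord]:
        """Return the number the gateway must dial plus the stored record."""
        rec = MessageRecord(patient_id, "out", sent_at, text)
        self.records.append(rec)
        return self.vault.mobile_for(patient_id), rec

    def export_csv(self) -> str:
        """Data export for the Study Administrator: Patient ID is the only key."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["patient_id", "direction", "sent_at", "text"])
        for r in self.records:
            writer.writerow([r.patient_id, r.direction, r.sent_at, r.text])
        return buf.getvalue()


def demo() -> str:
    """Constructed sample exchange; returns the export so it can be inspected."""
    vault = MobileNumberVault()
    store = MessageStore(vault)
    pid = vault.patient_id_for("+1 (555) 010-0123")  # constructed number
    store.queue_outbound(pid, "Did you take your 8am pill today? Reply Y or N.", "2014-06-02T08:00")
    store.record_inbound("555-010-0123", "Y", "2014-06-02T08:04")
    return store.export_csv()
```

The export from demo() contains the Patient ID and the short answer but no digit of the mobile number, which is exactly what a breach of the message store would expose.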
While complete de-identification is not always possible, identifying and reducing the instances where PHI is stored and how it is shared is the best practice. For example, mobile messaging software may need to maintain a mobile number as a method of linking inbound and outbound messages to mobile phones, but the mobile number and specific data types can be encrypted within the system itself, so that in the event of a breach only the message data is visible and it is not directly associated with a mobile number. Furthermore, the mobile messaging software should assign a Patient ID to each user/patient as a reference point instead of a mobile number, thereby associating data with a Patient ID both in the software and in data export functions.

Another crucial aspect of security involves training and education. All persons who view, use, interpret, transmit, store, or manage PHI in any way must be properly trained on HIPAA standards and applicable security policies and procedures. Additionally, the proper care and processes need to be in place to ensure that research staff and participants are both educated and informed about their own obligations to maintain privacy and data security. Participants can - and should - actively contribute to the safety of their own PHI.

Guidance

We believe that shared knowledge benefits all. Refer to Appendix A: Guidance and Advice for Effective, Compliant Studies Using SMS for valuable tips on:
• Creating a mutually beneficial consent agreement.
• Crafting PHI-friendly text messages, whether they are alerts, reminders, or survey questions.
• Advising participants to safeguard their own PHI.

Conclusion

Effective management of risks via education and established security practices is the key to HIPAA compliance when using SMS. With the understanding that no application or device is truly HIPAA compliant, implementing and practicing proper procedures and education with staff, patients, and caregivers gives researchers the ability to use cost-effective research technologies like SMS text messaging to achieve protocol requirements. For further guidance and tips on understanding and implementing good standards and practices regarding the use of SMS for the transmission of PHI, please see Appendix A: Guidance and Advice for Effective, Compliant Studies Using SMS.

References

HIPAA - http://www.hhs.gov/ocr/privacy/
Katten Muchin Rosenman LLP and PerfectServe, Inc. - Clarifying the Confusion about HIPAA-Compliant Texting - https://www.perfectserve.com/hospital/docs/PerfectServe-Clarifying-Confusion-About-HIPAA-Compliant-Electronic-Communication.pdf
Amazon Web Services - Creating Healthcare Data Applications to Promote HIPAA and HITECH Compliance - http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
UC Davis Health System - http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/deident.html
Qualtrics - The 10 Commandments for Writing Outstanding Survey Questions - http://www.qualtrics.com/blog/good-survey-questions/
The Purdue OWL - http://owl.english.purdue.edu

Disclaimer

This white paper is not intended to constitute legal advice. Clients are advised to seek the advice of legal counsel regarding compliance with HIPAA and other regulations that may be applicable to their business. Mosio and its affiliated entities make no representations or warranties that the client's use of Mosio services will assure full compliance with applicable laws.
Appendix A: Guidance and Advice for Effective, Compliant Studies Using SMS

This appendix to the paper "Simplifying HIPAA and SMS: A Practical Approach to the Secure Use of Text Messaging in Clinical Research" is intended to assist our current and future clients with understanding and implementing good standards and practices regarding the use of SMS (Short Message Service) for the transmission of PHI (Protected Health Information).

Risk vs. Reward: Why Gray Should Be Your New Best Friend

Like most of life's endeavors, there are no guarantees that nothing will ever go wrong when using technology to perform a function. When considering the use of SMS or any technology to transmit privacy data as part of a study or trial, it is vital to understand that some risks exist. For example, computers and mobile devices can be lost, stolen, or even hacked. It is impossible to fully protect against all possible mishaps, but safeguards can be put in place to reduce the risks.

HIPAA privacy and security requirements for PHI are printed in black and white, but the reality of compliance lies in many shades of gray. The wise approach is to understand and acknowledge the risks specific to the research project at hand, provide the best mitigations possible, and work with service providers who do the same. When choosing a text messaging vendor or technology partner, additional consideration should be given to the company's experience, knowledge, technological features, and internal processes for managing PHI, so that you benefit from a customized study solution that will generate the most reliable data with as little risk as possible.

Essential components of minimizing risk include open communication, understanding, and education. When all parties understand and agree upon the nature of the tasks to be performed, the associated risks dwindle significantly. The following sections contain practical advice for achieving this goal.

The Consent Agreement: Protection for All Parties

A thorough consent agreement between the Study Administrator and the Study Participant is essential in order to protect the rights of all involved. The consent agreement should address the following, at a minimum:
• Description of the nature of the data the Study Participant will provide. Each participant should fully understand what information he/she will be submitting. Ideally, this should be customized for the study and should include as much detail as possible, e.g., daily blood pressure, weight, or timing and dosage of medications. Note: HIPAA does not dictate what a Study Administrator can and cannot ask. The nature of the questions is an agreement between the Study Administrator and the Study Participant.
• Description of how this information will be obtained. Each participant should fully understand how he/she will submit the data. For example, the consent agreement should clearly state that Mosio will facilitate the questions and answers via text messages sent to and from the participant's personal mobile device. Data provided by the participant as part of the initial recruiting, setup process, and completion process should also be addressed.
• Description of how this data will be used. Each participant must be informed of all potential usage of his/her PHI, including the sharing of data with third parties. This could be a reference to existing privacy data policies. Each participant must consent to all data usage and sharing.
• Description of how this data will be securely managed. This is the most crucial element. For the sake of all parties, all privacy data obtained by the Study Administrator for any purpose must be managed in a manner that ensures the best possible security. This could reference existing policies, procedures, and privacy data policies. If applicable, this should also address third-party providers' responsibilities regarding data security.
• Disclosures of risks and vulnerabilities. Participants must be notified of identified potential risks, such as the risks involved with the use of unencrypted texts.
• A clear definition of the boundaries between the Study Administrator's and the Study Participant's responsibilities. This should include disclaimers that the Study Administrator is not responsible for any loss or breach of data that results from something beyond their control, e.g., the participant loses his/her personal mobile device containing text messages with his/her PHI, or a third-party vendor or host experiences a server/data breach.
• Acknowledgement of Rights and Receipt of Instructions. Participants should be advised of their rights. This may be documented separately. Additionally, participants should be offered instructions and/or tips for ways to safeguard their own PHI data. Refer to the Advice for Participants section below for examples. Participants should formally acknowledge the receipt and understanding of both their rights and the instructions provided.
• Process for notifying the participant in case of an actual or potential security breach. This is essential for HIPAA compliance. The process should include communication steps, follow-up activities, and responsibilities of third parties. This may be defined or referred to in a separate privacy data policy.

The final draft of the consent agreement should be reviewed and approved by compliance and legal advisors prior to use.

Good Questions Get Good Answers

Concise, efficient, well-crafted survey questions can help enforce security consistent with HIPAA requirements and can also eliminate some risks when using SMS to transmit PHI. Some tips include:
• Keep questions as short and concise as possible. Longer questions may increase confusion and lead the participant to craft a longer-than-necessary reply, which could contain unnecessary PHI. A brief answer of "yes," "no," or "2" is meaningless when taken out of context, yet can still provide all the data needed for the study. As an added bonus, participants are more likely to respond quickly and accurately when given the opportunity for a short answer.
• Build questions that are clearly understood. Avoid vague, loaded, or leading words, such as "could," "might," "often," or "never." "Do you drink milk regularly?" is both vague and potentially confusing. Better data would result from a question like "How many 8 oz. glasses of milk did you consume today?" Getting precise data the first time will eliminate the need to ask more detailed follow-up questions later.
• Ask individual questions. Do not combine questions. "Did you do your assigned exercises and take your pill today?" should be separated into two distinct questions.
• Use commonly understood words. Avoid jargon or highly technical terms that the participant might not understand. A misunderstood question could also lead to unnecessary PHI or the sharing of personal data not agreed upon in the consent agreement.
• Remind the participant of privacy measures. For example, the following text could be sent periodically, or after every survey question: "We vow to protect the information you provide. For extra safety and privacy, please delete the survey question and your response after sending. Thank you for your participation and your trust."
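As an added example, not part of the paper, a Python screen for inbound replies that flags identifiers from the paper's de-identification list (telephone numbers, e-mail addresses, social security numbers, dates, URLs, IP addresses) and routes anything beyond the expected short answer to staff review before it is stored, which is the operational side of "short questions get short answers". The regular expressions, the expected-answer set, the status names and the sample replies are assumptions constructed for this example.

```python
"""Inbound SMS reply screening: flag identifiers and over-long replies before storage."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    category: str
    value: str


class ScreenResult(NamedTuple):
    status: str      # "ok", "redacted" or "review"
    text: str        # what may be written to the study log
    findings: list   # Finding entries, empty when nothing was matched


# Subset of the identifier categories from the paper's de-identification list
# (patterns are assumptions; US-style numbers and dates).
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(
        r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_identifiers(text: str) -> list:
    """Return every identifier match in the reply, tagged with its category."""
    found = []
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append(Finding(category, match.group()))
    return found


def redact(text: str) -> str:
    """Replace each identifier with a category placeholder, e.g. [TELEPHONE]."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


def screen_reply(reply: str, expected=None) -> ScreenResult:
    """Decide how an inbound reply may be stored.

    expected: the short answers the question asked for (e.g. {"Y", "N"}), or
    None when any answer is acceptable.
    - identifiers present: store only the redacted text, status "redacted"
    - no identifiers but free text outside the expected set: status "review",
      since the participant may have volunteered PHI that was not asked for
    - otherwise: status "ok"
    """
    text = reply.strip()
    findings = find_identifiers(text)
    if findings:
        return ScreenResult("redacted", redact(text), findings)
    if expected is not None and text.upper() not in {e.upper() for e in expected}:
        return ScreenResult("review", text, [])
    return ScreenResult("ok", text, [])
```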
Advice for Participants

While the Study Administrator is ultimately responsible for securing PHI as much as possible, the Study Participant should be aware of his/her own responsibilities for securing his/her own data where possible. Participants using their own mobile devices should be educated to:
• Think carefully when composing answers to questions. Do not provide any personal information that is not asked for.
• When sending text responses, double-check to ensure that the reply is being sent only to the proper persons/entities.
• Delete incoming and/or outgoing text messages containing PHI after sending a response to a prompt or question.
• Keep the mobile device password-protected and/or locked to prevent others from accessing text message history.
• Make an effort to minimize the chances that the mobile device will be lost or stolen, e.g., lock the device in a drawer when going to a meeting rather than leaving the phone out on the desk.
• When syncing the mobile device with another device or computer for any sort of data transfer, take special care to ensure that texts containing PHI are not transferred.
• Do not post or copy any texts or parts of texts containing PHI on any social media site.
• Contact the Study Administrator in the event of a potential data breach, the loss of the mobile device, or suspicious texts claiming to be a part of the study.

Some or all of the items listed above may be included or referenced in the consent agreement. At the least, the consent agreement should include an acknowledgment that the participant received and understood the instructions.

The Last Word

Careful planning, communication, and education go a long way toward HIPAA-compliant use of SMS. When combined with our Quality Program and stringent security measures, data is as safe as it can possibly be.

Questions?

Existing Mosio clients, please contact support@mosio.com with any questions or concerns. If you are looking to utilize the power of text messaging in your next research study, please visit us at http://www.mosio.com.
