sms in health care: privacy and confidentiality


Upload: iris-thiele-isip-tan

Post on 01-Nov-2014


DESCRIPTION

Presentation at the first annual convention of the Philippine Society for General Internal Medicine last May 6, 2012.

TRANSCRIPT

Page 1: SMS in Health Care: Privacy and Confidentiality

SMS in Health Care

Privacy & Confidentiality

Iris Thiele Isip Tan MD, MSc, FPCP, FPSEM

Chief, UP College of Medicine Medical Informatics Unit

Clinical Associate Professor, UP College of Medicine Section of Endocrinology, Diabetes & Metabolism

6 May 2012

http://www.flickr.com/photos/katielips/1430878365/

Saturday, August 4, 12

Page 2: SMS in Health Care: Privacy and Confidentiality

Infographic by @shaneshow for MASHABLE

http://www.socialhubnotes.com/philippines-texting-capital-of-the-world-2010/

Texting Capital of the World

http://tehspoon.deviantart.com/art/Filipino-flag-56287173?q=favby%3AGrin-Reaper%2F2159272&qo=23

Philippines: 1.39 billion text messages sent (2009)


Page 3: SMS in Health Care: Privacy and Confidentiality

m HEALTH

http://www.flickr.com/photos/dave-friedel/4158114183/

mHealth, enabled by mobile phones and other wireless computing devices (mDevices), is the revolutionary adoption of new communication patterns in healthcare that is stimulating the introduction of Participatory Health.

mHealth Observatory

http://www.mobih.org/observatory/

Page 4: SMS in Health Care: Privacy and Confidentiality

Participatory Medicine

Image by Liz Grace

http://www.flickr.com/photos/liz-grace/5078868809/

“Movement in which networked patients shift from being mere passengers to responsible drivers of their health ... providers encourage and value them as full partners”

Society for Participatory Medicine

Page 5: SMS in Health Care: Privacy and Confidentiality

“As opposed to the doctor-centric, curative model of the past, the future is going to be patient-centric and proactive.”

Elias A. Zerhouni MD, NIH Director

Dec 2007

Image by JD Hancock

http://www.flickr.com/photos/jdhancock/4100030094/

Page 6: SMS in Health Care: Privacy and Confidentiality

Patient Communication

Body Area Network

Pharma/Clinical Trials

Public Health

Access to Resources

Point-of-Care Documentation

Disease Management

Education Programs

Professional Communication

Administrative Applications

Financial Applications

Ambulance/EMS

mHealth

http://www.mobih.org

Page 7: SMS in Health Care: Privacy and Confidentiality

http://www.flickr.com/photos/maczter/3008375479/

Always on and always with you

Page 8: SMS in Health Care: Privacy and Confidentiality

http://www.sxc.hu/photo/712415

Information is the essence of medicine: we create it, we collect it; we search for it; we adapt it; we drown in it; and at times, we ignore it.

Pauker SG & Stahl JE. WJM 1997;166(2):148–50

Page 9: SMS in Health Care: Privacy and Confidentiality

Outline

• HIPAA and HITECH

• Risks of use of SMS in healthcare

• SMS policy

• GSMA privacy principles


Page 10: SMS in Health Care: Privacy and Confidentiality

Original version

“All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and never reveal.”

Classic version

“What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep myself holding such things shameful to be spoken about.”

http://en.wikipedia.org/wiki/Hippocratic_Oath

http://www.flickr.com/photos/tonythemisfit/3644746113/

Page 11: SMS in Health Care: Privacy and Confidentiality

“I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”

Modern version of Hippocratic Oath

HIPAA: Health Insurance Portability & Accountability Act of 1996

HITECH: Health Information Technology for Economic and Clinical Health Act of 2009

Page 12: SMS in Health Care: Privacy and Confidentiality

HIPAA Privacy Rule regulates use and disclosure of Protected Health Information (PHI) held or transmitted in any form (electronic, paper or oral)

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

http://www.sxc.hu/photo/49277


Page 13: SMS in Health Care: Privacy and Confidentiality

HIPAA Patient Identifiers

• Names

• All geographic subdivisions smaller than a State (including street address, county, precinct, zip codes)

• All elements of dates (except year) for dates directly related to an individual; all ages over 89

• Telephone numbers

• Fax numbers

• E-mail addresses

• Social security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers (e.g. DNA), including finger and voice prints

• Full face photographic images and any comparable images

• Any other unique identifying number, characteristic, or code


Page 14: SMS in Health Care: Privacy and Confidentiality

Ensure confidentiality of communications with individuals, e.g. call work number instead of home or cell number

http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#HITECH_Act:_Privacy_Requirements

HIPAA Privacy Rule

http://www.sxc.hu/photo/1105263


Page 15: SMS in Health Care: Privacy and Confidentiality

http://www.flickr.com/photos/jdhancock/3618602355/

HITECH Act

Establishes a federal breach notification requirement for unencrypted health information

http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#HITECH_Act:_Privacy_Requirements


Page 16: SMS in Health Care: Privacy and Confidentiality

TigerText Survey (US Data, Oct 2011)

73% of MDs are sending work-related text messages

TigerText. "Physician and Hospital Texting Is on the Rise." Press release. October 12, 2011. www.tigertext.com/physician-texting-on-rise.

Page 17: SMS in Health Care: Privacy and Confidentiality

Text Messaging Risks

https://safermobile.org

SMS can be intercepted

• Cloned SIM

• SIM command to forward SMS

• GSM interception devices

Page 18: SMS in Health Care: Privacy and Confidentiality

Text Messaging Risks

https://safermobile.org

SMS can be intercepted

Filtered for key words

Page 19: SMS in Health Care: Privacy and Confidentiality

Text Messaging Risks

https://safermobile.org

SMS can be intercepted

Filtered for key words

Stored data on phone includes SMS

Page 20: SMS in Health Care: Privacy and Confidentiality

Text Messaging Risks

https://safermobile.org

SMS can be intercepted

Apps may intercept, read or send SMS

Filtered for key words

Stored data on phone includes SMS

Page 21: SMS in Health Care: Privacy and Confidentiality

Are text messages subject to HIPAA?

HIPAA privacy rule

Right to access and amend protected health information (PHI), “used, in whole or in part, by or for the covered entity to make decisions about individuals.”

Text messages, if used to make decisions, may be subject to the above HIPAA privacy rule.

Greene, Adam H. "HIPAA Compliance for Clinician Texting." Journal of AHIMA 83, no.4 (April 2012): 34-36.

Page 22: SMS in Health Care: Privacy and Confidentiality

HIPAA security rule

Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of ePHI

Greene, Adam H. "HIPAA Compliance for Clinician Texting." Journal of AHIMA 83, no.4 (April 2012): 34-36.

Threats to ePHI

• Theft or loss of the mobile device

• Improper disposal of the device

• Interception of transmission of ePHI by an unauthorized person

• Lack of availability of ePHI to persons other than the mobile device user


Page 23: SMS in Health Care: Privacy and Confidentiality

Security controls

• Administrative policy

• Workforce training

• Password protection

• Inventory and proper sanitization of mobile devices

• Use of alternative technology, e.g. vendor-supplied secure messaging app

http://www.sxc.hu/photo/49277

Greene, Adam H. "HIPAA Compliance for Clinician Texting." Journal of AHIMA 83, no.4 (April 2012): 34-36.

Page 24: SMS in Health Care: Privacy and Confidentiality

www.health.wa.gov.au/CircularsNew/attachments/617.pdf

SMS Policy for WA Health Services Nov 2011

Governance

SMS Policy Oversight Group responsive to both positive and negative consumer feedback

Health Services responsible for the costs and day to day administration of SMS usage

SMS administrator ensures all SMS users are aware of policy

Health Information Network responsible for management of IT and telecommunications components of SMS usage

WA Health Strategic System Support Branch reports to WA Health Executive on outcomes of the service

Page 25: SMS in Health Care: Privacy and Confidentiality

www.health.wa.gov.au/CircularsNew/attachments/617.pdf

SMS Policy for WA Health Services Nov 2011

Automated SMS reminders using Telstra Integrated Messaging Service (TIMS)

Use requires completion of a standard SMS approval form

I agree to use the SMS system within the prescribed guidelines for services in my Department that may benefit from this initiative. I understand the cost of SMS messages will be charged to my Department and agree to fund this from the Department budget.

Page 26: SMS in Health Care: Privacy and Confidentiality

http://www.sxc.hu/photo/883988

SMS Policy for WA Health Services Nov 2011

Privacy and Confidentiality

• Telco only transmits

• WA Health does not hold or collect any information

• All identified information remains with Health Services

www.health.wa.gov.au/CircularsNew/attachments/617.pdf

Page 27: SMS in Health Care: Privacy and Confidentiality

SMS Policy for WA Health Services (Nov 2011)

Patient providing a mobile telephone number is deemed to have agreed to SMS reminders

http://www.sxc.hu/photo/899402

www.health.wa.gov.au/CircularsNew/attachments/617.pdf

Page 28: SMS in Health Care: Privacy and Confidentiality

Consent form for use of SMS texting Lincolnshire Community Health Services

We will get in touch with you approximately 2 weeks before your appointment is due.

The text will not identify the sender and will read as follows - Appointment reminder: Date and time

Please let us know if your phone is lost, stolen or you have changed your number.

www.lincolnshirecommunityhealthservices.nhs.uk

Page 29: SMS in Health Care: Privacy and Confidentiality

Consent form for use of SMS texting Lincolnshire Community Health Services

• I agree to the service communicating with me by SMS

• I confirm that the mobile number the service holds on my record is correct and I will notify them of any changes

• I agree to receive a reminder of my appointment by SMS

• I am aware that I can withdraw consent at any time by informing the Health Professional either verbally or in writing

www.lincolnshirecommunityhealthservices.nhs.uk

Page 30: SMS in Health Care: Privacy and Confidentiality

http://www.flickr.com/photos/pasukaru76/4368389868/

SMS Policy for WA Health Services (Nov 2011)

SMS reminders will NOT be sent to prisoners, estranged (non-custodial) parents, deceased, children

www.health.wa.gov.au/CircularsNew/attachments/617.pdf

Page 31: SMS in Health Care: Privacy and Confidentiality

http://www.flickr.com/photos/dpstyles/4058142601/

www.health.wa.gov.au/CircularsNew/attachments/617.pdf

Standard Message SMS Policy for WA Health Services (Nov 2011)

Reminder: appointment at [xx] Hospital [appt_time], [appt_date]. DO NOT SMS REPLY. Please call [clinic number or OPD number] business hours if you cannot attend.

Reminder: your child has an appointment at [xx] Hospital [appt_time], [appt_date] DON’T SMS REPLY Call [clinic number or OPD number] business hrs if unable to attend.

Page 32: SMS in Health Care: Privacy and Confidentiality

http://www.sxc.hu/photo/1072482

SMS Policy for WA Health Services (Nov 2011)

Automated SMS reminders will be sent between 9 am-5 pm, 7 days a week, 2 days in advance of appointment

www.health.wa.gov.au/CircularsNew/attachments/617.pdf

Page 33: SMS in Health Care: Privacy and Confidentiality

http://www.flickr.com/photos/jurvetson/512412202/

SMS Policy for WA Health Services (Nov 2011)

Automated SMS reminders configured so that recipients cannot reply

www.health.wa.gov.au/CircularsNew/attachments/617.pdf

Page 34: SMS in Health Care: Privacy and Confidentiality

Mobile and Privacy

GSM Association

http://www.gsma.com

January 2011: Mobile Privacy Principles

April 2011: Privacy Design Guidelines for Mobile Application Development

Page 35: SMS in Health Care: Privacy and Confidentiality

Mobile and Privacy

January 2011

Mobile Privacy Principles

• Openness, transparency and notice: Provide information on identity and data privacy practices

• Purpose and use: Limited to meet legitimate business purposes

• Data minimization and retention: Only minimum personal information necessary; not be kept for longer than is necessary

http://www.gsma.com

Page 36: SMS in Health Care: Privacy and Confidentiality

http://www.flickr.com/photos/pasukaru76/4948494811/

Mobile and Privacy

Mobile Privacy Principles

• User choice and control: Exercise meaningful choice and control over personal information

Page 37: SMS in Health Care: Privacy and Confidentiality

Mobile and Privacy

January 2011

Mobile Privacy Principles

• Respect user rights: Easy means to exercise rights over use of personal information

• Security: Reasonable safeguards appropriate to the sensitivity of the information

• Education: Information about privacy and security issues and how to protect privacy

• Children and adolescents

• Accountability and enforcement

http://www.gsma.com

Page 38: SMS in Health Care: Privacy and Confidentiality

Mobile and Privacy

April 2011

Privacy Design Guidelines for Mobile Application Development

Privacy by Design approach ensures that mobile applications are developed in ways that respect and protect the privacy of users and their personal information

http://www.gsma.com

Page 39: SMS in Health Care: Privacy and Confidentiality

mHealth & Privacy in Developing Countries

Phones are often shared by families

Policy Engagement Network for the International Development Research Center (The London School of Economics & Political Science). “Electronic Health Privacy and Security in Developing Countries and Humanitarian Operations” Dec 2010

http://www.flickr.com/photos/27528906@N04/4152954614/

Page 40: SMS in Health Care: Privacy and Confidentiality

mHealth & Privacy in Developing Countries

Some governments are requiring citizens to register SIM cards with personal information

Policy Engagement Network for the International Development Research Center (The London School of Economics & Political Science). “Electronic Health Privacy and Security in Developing Countries and Humanitarian Operations” Dec 2010

http://www.flickr.com/photos/bfishadow/4931375578/

Page 41: SMS in Health Care: Privacy and Confidentiality

http://www.flickr.com/photos/london/25783697/

SMS in Healthcare

Know the risks. Follow rules. Have a policy.

Page 42: SMS in Health Care: Privacy and Confidentiality

Thank You

http://www.endocrine-witch.net

@endocrine_witch

Image from http://wthr.frumph.net/