The fact that your free texting vendor signed a BAA doesn’t mean you can meet the necessary compliance objectives using their services. Typically with free texting, your data is commingled with information from other companies. This presents many challenges and increases your risk of a breach. Consider the following points when determining whether you should implement a free texting service for your organization.
- Typically with free texting services, if an employee leaves the service of a company, they can retain their account and continue to use it. How do you protect your data?
- Can you quickly disable an employee’s account if they leave the service of your company?
- Can you quickly disable one of the employee’s devices if it was accidentally left in a taxi cab, stolen, etc.?
Free text messaging services are fraught with compliance issues. It’s better to address these items before your clinicians sign up on their own or your IT staff announces the free texting services to your institution. Review this short list of items when considering a free texting offer:
- Account reconciliation: How can you determine if there are accounts in use which should have been disabled? You should be able to get a report of all of your users who are using a secure messaging or texting service.
- Patient Event: Does your free texting provider offer reporting on all communications related to a patient when you have an event or JCAHO audit?
- Harassment: Since the advent of pagers, and now with more current communications such as Snapchat, instant messaging, etc., electronic messaging has been involved in employee harassment situations. The texting vendor should maintain a copy of all inbound and outbound messages and provide the data if needed to your HR or Medical Staff Office.
- Data Retention: Each institution has its own data retention policy, which should extend to the legacy paging and modern-day text messaging services. Can your free texting provider ensure that your employees’ data is being retained on a schedule that meets or exceeds your institution’s data retention policy?
- Litigation Hold: Most large institutions have litigation hold processes and procedures. These requests extend to ALL information including text messaging. How does your texting vendor handle these requests? How do you retrieve the data when needed for e-Discovery?
- Freedom of Information Act requests: Many state and federally funded agencies are required to provide data (including text messaging) when an FOI request is made.
This 1-page document is not intended to cover all possible legal, compliance and process challenges you might face with free text messaging, but rather to shine a spotlight on this growing problem. Seasoned CIOs and compliance officers know the concerns, but staff can often overlook them.