Privacy & Security

Subscribe to Privacy & Security

The new Apple Watch Series 4® is one of the more recent and sophisticated consumer health engagement tools. It includes a sensor that lets wearers take an electrocardiogram (ECG) reading and detect irregular heart rhythms. The U.S. Food & Drug Administration (FDA) recently approved these functions as Class II medical devices, which generally means that they have a high to moderate risk to the user. The FDA approval letters describe the Apple Watch Series 4 functions as intended for over-the-counter use and not to replace traditional methods of diagnosis or treatment.

Tech developers and HIPAA lawyers often mean different things when describing a health app or medical device as HIPAA compliant. For example, a health app developer will likely focus on infrastructure, whereas the lawyer will likely focus on implementation. When asked about HIPAA, the app developer might rely on International Organization for Standardization (ISO) certification to demonstrate its data privacy and security controls and highlight how the infrastructure supports HIPAA compliance. The HIPAA lawyer, on the other hand, will likely focus on how (and by whom) data is created, received, maintained and transmitted and must look to the HIPAA regulations and guidance documents issued by the U.S. Department of Health and Human Services (HHS) to determine when and whether the data is subject to HIPAA protection. ISO certification does not equate to HIPAA certification; in fact, there is no HIPAA compliance certification process, and it is often difficult from the outset to determine if and when HIPAA applies.

As discussed in this prior blog post, HHS’s guidance on various “Health App Scenarios” underscores that fact that health data collected by an app may be HIPAA-protected in some circumstances and not in others, depending on the relationship between an app developer and a covered entity or business associate. The consumer (or app user) is unlikely to understand exactly when or whether HIPAA applies, particularly if the consumer has no idea whether such a relationship exists.

Back to the Apple Watch Series 4, and the many other consumer-facing medical devices or health apps in already on the market or in development. When do the nuances of HIPAA applicability begin to impede the potential health benefits of the device or app? If I connect my Apple Watch to Bluetooth and create a pdf file to share my ECG data with my physician, it becomes protected heath information (PHI) upon my physician’s receipt of the data. It likely was not PHI before then (unless my health care provider told me to buy the watch and has process in place to collect the data from me).

Yet the value of getting real-time ECG data lies not in immediate user access, but in immediate physician/provider access. If my device can immediately communicate with my provider, without my having to take the interim step of moving the data into a separate file or otherwise capturing it, my physician can let me know if something is of medical concern. I may not want my health plan or doctor getting detailed information from my Fitbit® or knowing whether I ate dessert every night last week, but if I’m at risk of experiencing a medical emergency or if my plan or provider gives me an incentive to engage in healthy behavior, I may be willing to allow real-time or ongoing access to my information.

The problem, particularly when it comes to health apps and consumer health devices, is that HIPAA is tricky when it comes to non-linear information flow or information that changes over time. It can be confusing when information shifts from being HIPAA-protected or not, depending on who has received it. As consumers become more engaged and active in managing health conditions, it is important that they realize when or whether HIPAA applies and how their personal data could be used (or misused) by recipients. Findings from Deloitte’s 2018 consumer health care survey suggest that many consumers are interested in using apps to help diagnose and treat their conditions. For example, 29% were interested in using voice recognition software to identify depression or anxiety, but perhaps not all of the 29% would be interested in using the software if they were told their information would not be protected by HIPAA (unless and until received by their provider, or if the app developer was acting as a business associate at the time of collection).

Perhaps certain HIPAA definitions or provisions can be tweaked to better fit today’s health data world, but, in the meantime, health app users beware.

Registration to the Privacy Summit is open.

Fox Rothschild’s Minneapolis Privacy Summit on November 8 will explore key cybersecurity issues and compliance questions facing company decision-makers. This free event will feature an impressive array of panelists drawn from cybersecurity leaders, experienced regulatory and compliance professionals and the Chief Division Counsel of the Minneapolis Division of the FBI.

Attendees receive complimentary breakfast and lunch, and can take advantage of networking opportunities and informative panel sessions:

GDPR and the California Consumer Privacy Act: Compliance in a Time of Change

The European Union’s General Data Protection Regulation has been in effect since May. Companies that process or control EU citizens’ personal data should understand how to maintain compliance and avoid costly fines. Health care businesses should also prepare for the next major privacy mandate: the California Consumer Privacy Act.

Risk Management – How Can Privacy Officers Ensure They Have the Correct Security Policies in Place?

Panelists offer best practices for internal policies, audits and training to help maintain protected health information (PHI), personally identifiable information (PII) or other sensitive data. Learn the cutting edge strategies to combat the technology threats of phishing and ransomware.

Fireside Chat

Jeffrey Van Nest, Chief Division Counsel of the Minneapolis Division of the FBI, speaks on the state of affairs in regulation and enforcement; including how to partner with the FBI, timelines of engagement and the latest on cyber threat schemes. His insights offer details on forming effective cyber incident response plans.

Keynote Speaker – Ken Barnhart

Ken is the former CEO of the Occam Group, a cybersecurity industry advisor and the founder and principal consultant for Highground Cyber – a spin-off of the Occam Group’s Cybersecurity Practice Group. For more than a decade, he has helped companies of all sizes design, host and secure environments in private, public and hybrid cloud models. Prior to his work in the corporate sector, Ken served as a non-commissioned officer in the United States Marine Corp and is a decorated combat veteran of Operation Desert Shield\Storm with the HQ Battalion of the 2nd Marine Division.

Geared toward an audience of corporate executives, in-house chief privacy officers and general counsel, the summit will provide important take-aways about the latest risks and threats facing the health care industry.

Stay tuned for more agenda details. Registration is open.

The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Whereas HIPAA applies to particular types or classes of data creators, recipients, maintainers or transmitters (U.S. covered entities and their business associates and subcontractors), GDPR applies much more generally – it applies to personal data itself. Granted, it doesn’t apply to personal data that has absolutely no nexus to the EU, but assuming it doesn’t apply to your U.S.-based entity simply because you don’t have a physical location in the EU is a mistake.

So when does GDPR apply to a U.S.-based covered entity, business associate, or subcontractor? As with HIPAA, the devil is in the definitions, so I’ve capitalized certain GDPR-defined terms below. GDPR is comprised of 99 articles set forth in 11 chapters, and 173 “Recitals” explain the rationales for adoption. Similar to the way regulatory preambles and guidance published by the U.S. Department of Health and Human Services (HHS) can be helpful to understanding HIPAA compliance, the Recitals offer insight into GDPR applicability and scope.

Under Article 3, GDPR applies:

(1) To the Processing of Personal Data in the context of the activities of an establishment of a Controller or Processor in the EU, regardless of whether the Processing takes place in the EU;

(2) To the Processing of Personal Data of data subjects who are in the EU by a Controller or Processor not established in the EU, where the Processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or

(b) the monitoring of their behavior as far as their behavior takes place within the EU; and

(3) To the Processing of Personal Data by a Controller not established in the EU, but in a place where EU member state law applies by virtue of public international law.

It is paragraph (2) that seems most likely to capture unwitting U.S.-based covered entities, business associates, and subcontractors that are not established in the EU (though Recital 22 offers further explanation of what it means to be Processing data in the context of the activities of an establishment).

Notably, paragraph (2) makes it clear that while the entity need not be located within the EU for GDPR to apply, the data subject must be. If the U.S. entity offers goods or services to, or monitors the behavior of, data subjects who are “in” the EU, GDPR likely applies. It is the location of the data subject, not his or her citizenship, residency or nationality, that matters. GDPR does not follow the data subject outside the EU, but it does follow the data subject (even an American) into the EU – so long as the Processing of the Personal Data takes place in the EU.

So what does this mean for the U.S.-based covered entity, business associate, or subcontractor not established in the EU? It should carefully review its website, marketing activities, discharge or post-service follow-up procedures, and any other activities that might involve the offering goods or services to, or monitoring the behavior of, individuals in EU. If GDPR applies, the company will need to analyze how its HIPAA privacy and data security policies are inconsistent with and fall short of GDPR requirements. The company, whether a covered entity, business associate, or subcontractor, should also make sure that none of its vendors process data on its behalf in the EU.

In addition to understanding where data subjects are located and where Processing takes place in order to determine GDPR applicability, covered entities, business associates and subcontractors must determine whether they are acting as Controllers or Processors in order to understand their GDPR compliance obligations.

This can create particular challenges for a business associate.  If a covered entity is subject to GDPR, a business associate that creates, receives, maintains or transmits Personal Data on behalf of the covered entity will either be acting as a Processor (for example, where the covered entity simply uses the business associates tools or services to conduct its business), or a Controller (for example, where the business associate reaches out directly to plan members or patients, such as by an email campaign).  If the business associate’s services agreement or business associate agreement makes no mention of the fact that the covered entity is subject to GDPR, the business associate may not know whether it is also subject to GDPR, let alone whether it is a Controller or Processor.

The bottom line is that focusing on compliance with HIPAA and other federal and state laws pertaining to privacy and security of personal information is not enough, even for companies that view themselves as operating solely within the U.S.  A thorough risk assessment should include not only careful consideration of HIPAA requirements, but of the potential applicability and compliance requirements of GDPR.

In 1973, President Richard Nixon’s Chief of Staff H.R. Haldeman warned White House Counsel John Dean against talking to prosecutors investigating the growing Watergate scandal, telling him “Once the toothpaste is out of the tube, it’s going to be very hard to get it back in,” and a useful idiom was born. Personal electronic data, including protected health information, once disclosed, can be equally difficult to recapture and contain.

A recent article in Slate entitled You Can’t Clean Up a Data Spill describes the obstacles to effectively remediating a data breach or improper disclosure in the wake of revelations about the breach involving Facebook data and Cambridge Analytica. As author April Glaser stated, “There’s no such thing as a cleanup site for data spills. That’s because when data leaks, it can be duplicated far faster than anyone can mop it up.”

Cambridge Analytica, a British political consulting firm, provided research, data mining and communication services to campaigns including those of Ted Cruz and Donald Trump. The firm claimed to have developed “psychographic” profiles of voters that could predict their personality traits and political leanings. The New York Times reported that the firm had harvested information from the Facebook profiles of over 50 million users without their permission, and a subsequent CNN report estimates the breach may have affected up to 87 million users. The firm’s chief executive has claimed that the data had been deleted when the improper acquisition was brought to their attention two years prior to the Times article. But how much toothpaste is still in circulation, and can anything be done to recover it?

Facebook founder Mark Zuckerberg has told CNN that Cambridge Analytica provided them with a formal certification from the firm that it had deleted all user data acquired through improper means. Unfortunately, even if that is accurate, it cannot address whether the data had been copied or further disclosed prior to such deletion. According to Slate:

Tracking down and searching where that data has gone will be incredibly difficult,” says Sarah Aoun, a digital security specialist and open web fellow at the Mozilla Foundation. “I’m not even sure it would be realistic.” Maybe it would be easier if the data was “watermarked,” meaning there was some tag on the data to indicate it was the Cambridge Analytica–obtained Facebook data. But Facebook didn’t do that, as Zuckerberg explained to Wired, and even if it had, Aoun says that “any identifiable trace relating it back to Facebook can be altered and then changed and could exist in 10 different shapes and forms online or in the hands of anyone.”

The Facebook/Cambridge Analytica breach is a sobering cautionary tale for covered entities and business associates subject to HIPAA who routinely handle large amounts of PHI. Once a breach occurs and is discovered, it may be impossible to definitively account for all data that may have been copied or transmitted. All the more reason to secure the cap on your EHR tube.

Many employers who have had it drilled into them that HIPAA applies to protected health information (PHI) of employees are often surprised to learn that the applicability of HIPAA to employee health information (EHI) is actually quite narrow.  HIPAA only applies to EHI related to the employer’s group health plans (such as medical, dental, employee assistance program (EAP) and health flexible spending arrangement (FSA)).  Employer-sponsored group health plans are HIPAA covered entities. Further, although this is true regardless of whether the group health plan is insured by an insurance company or self-insured by the employer, the employer will not generally have HIPAA compliance responsibilities for an insured group health plan if it does not receive any EHI other than for the limited purpose of enrollment activities, or summary health information for amending or terminating the plan or obtaining premium bids. Instead, for a fully-insured group health plan, HIPAA compliance will generally be handled by the insurance company, which is also subject to HIPAA as a covered entity.

HIPAA doesn’t apply to EHI that the employer obtains from a source other than its group health plans, such as medical information related to employment (including pre-employment physicals, drug testing results, medical leave or workers’ compensation) and information from other employment-related benefits that are not group health plans (such as life or disability insurance). This result does not change merely because the employee’s health information is PHI when held by a HIPAA-covered entity health care provider who tested or treated the employee before the information was transferred to the employer via a HIPAA-compliant authorization.

Even though EHI obtained by an employer for employment-related reasons or relating to non-group health plan benefits isn’t subject to HIPAA, this doesn’t mean the employer can throw caution to the wind.  Other federal and state laws (such as the Family and Medical Leave Act (FMLA), Americans with Disabilities Act (ADA) and state workers’ compensation laws) impose restrictions on the employer’s access to and use and disclosure of this EHI and impose obligations to maintain confidentiality of the EHI. These restrictions and obligations apply regardless of how the employer obtains the EHI (for example, even if obtained pursuant to an authorization signed by the employee or directly from the employee).

Because other laws protect EHI even when HIPAA does not, it’s often helpful for the employer to apply the same or similar safeguards to all EHI, even if HIPAA does not apply.  Applying HIPAA-like safeguards to EHI that isn’t subject to HIPAA not only will often bring the employer a long way towards complying with other federal and state laws that may apply; it may also avoid the necessity of categorizing types of EHI to determine what level of safeguards should be imposed.

The New York City skyline, including the Empire State BuildingIn a post on February 28, Fox associate Kristen Marotta discussed the privacy and security issues arising from the growing use of telemedicine, particularly for mental health treatment. Now on the firm’s Physician Law blog, Kristen continues her discussion of telepsychiatry by diving into recent developments in New York State surrounding the innovative practice model. Kristen notes new funding from the New York Office of Mental Health to expand its use, and breaks down the OMH regulations that psychiatrists and physicians will need to consider before offering telepsychiatry services.

We invite you to read Kristen’s piece.

Kristen Marotta writes:

Many believe that educated millennials are choosing to work in urban, rather than rural areas, during their early career due to societal milestones being steadily pushed back and the professional opportunities and preferences of a young professional. Recent medical school graduates are a good example of this dichotomy. The shortage of physicians in rural areas is a well-known phenomenon. Over the years, locum tenens staffing has helped to soften the impact and, recently, so has telemedicine.

Illustration of stethoscope and mobile phone, symbolizing telemedicineThe growing prevalence of telemedicine around the country is an important consideration for new physicians as they decide where to settle down and establish their careers.  In New York, medical graduates should be aware that a $500,000 federal grant was given to New York State’s Office of Mental Health this month, February 2018 by the U.S. Department of Agriculture Rural Development Distance Learning and Telemedicine program.  Using telemedicine to provide mental health services may be a productive and efficient way to deliver healthcare, not only because many mental health examinations would not have to be conducted in-person, but also because of the general shortage of psychiatrists and mental health providers to meet these patient needs. Now, medical graduates who would like to establish their lifestyle in a city can simultaneously care for patients living miles apart from them.

It is essential that health care providers engaging in telemedicine understand the implications of this practice model with respect to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Providers rendering health care services via telemedicine should update and adjust their security risk assessments and HIPAA privacy and security policies and procedures, because protected health information is likely to be created in two separate locations (i.e., the location of the provider and the location of the patient).  Providers should also make sure that their (or their practice’s) Notice of Privacy Practices has been updated to reflect the provision of services via telemedicine, so that the patient has the opportunity to make an informed decision about engaging in this type of health care. Additionally, new business associate agreements may be required with telehealth vendors that do not meet the narrow “mere conduit” exception and any new parties who will have access to the individual’s protected health information as a result of the provision of services via telemedicine. In connection with these efforts, Providers should research and conduct due diligence on vendors to confirm that they understand the services model and are HIPAA-compliant.

As telemedicine emerges and gains more traction in health care, state laws and regulations will also be created and/or updated, and physicians will need to keep abreast of these changes. A good example of this is the State of New York, which has an entire section of mental health regulations dedicated to telepsychiatry. Stay tuned to Fox Rothschild’s Physician Law Blog for further updates on these specific New York regulations, as well as the developments in telemedicine.

Kristen A. Marotta is an associate in the firm’s Health Law Department, based in its New York office.

Many employers who offer wellness programs to their employees may not have considered compliance with HIPAA privacy, security and breach notification rules (collectively, “HIPAA Rules”), since they don’t think of their wellness programs as a group health plan. Part 1 of this post covered why most employee assistance programs (“EAPs”) are subject to the HIPAA Rules. This part discusses wellness programs. As with EAPs, wellness programs must comply with the HIPAA Rules to the extent that they are “group health plans” that provide medical care.

A wellness program may be considered a group health plan in at least two common ways. First, if an employer offers a wellness program as part of another group health plan (e.g., a major medical plan), any individually identifiable health information collected from participants in the wellness program is protected health information (“PHI”) under the HIPAA Rules. In other words, if the wellness program is part of another group health plan, such as a major medical plan—for example, by offering incentives like premium reductions or lower cost-sharing amounts for major medical coverage based on participation in the wellness program—the wellness program will be subject to the HIPAA Rules.

Second, a wellness program will be a group health plan subject to the HIPAA Rules if it provides medical care to employees. Some benefits commonly provided by wellness programs are not medical benefits—a health risk assessment (“HRA”), for example, is typically a questionnaire intended to identify an employee’s possible health risks and to motivate the employee to make positive behavior changes to reduce those risks. HRAs are not medical care if they are not administered by medical professionals and are not intended to diagnose illness or prescribe treatment. Other non-medical benefits offered by wellness programs include exercise, nutrition, or weight loss programs, as long as they are not connected with or recommended in response to a medical practitioner’s diagnosis. A wellness program may also provide general health-related information, or referrals (if made by people without any special medical training), without providing medical care (and without triggering compliance obligations under the HIPAA Rules).

Other common wellness program benefits, however, may provide medical care. A biometric screening (often conducted in conjunction with an HRA) is typically medical care because it often involves a blood draw, labs and a clinical assessment of an employee’s health and is intended to diagnose, or indicate an increased risk of, certain health conditions (heart disease, diabetes, etc.). Wellness programs also often include disease management and smoking cessation services, which are considered medical care because they are designed to assist with specific health conditions. Even something as simple as an employee flu shot is medical care, whether or not it is part of another group health plan. Individualized health coaching by trained nurses or counseling provided by trained counselors also would be considered medical care. Providing any of this medical care through a wellness program may lead to unexpected compliance obligations under the HIPAA Rules.

Employers/plan administrators facing unexpected compliance obligations under the HIPAA Rules because of a self-insured wellness program that provides medical care will need to enter into a the HIPAA Rules business associate agreement with the wellness program vendor, amend the plan document for the wellness program to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules. One option is to amend any existing compliance documents and policies and procedures in place under the HIPAA Rules for another self-insured group health plan (such as a major medical plan) to make them apply to the wellness program as well. If the wellness program is the plan administrator’s only group health plan for which it has compliance responsibility under the HIPAA Rules, the plan administrator should consult with legal counsel to develop and implement all necessary documentation for compliance under the HIPAA Rules.

 

 

 

 

 

 

 

 

You may be surprised to learn that those “extra” benefits your company offers to its employees such as your employee assistance program (“EAP”) and wellness program likely are subject to the HIPAA privacy, security and breach notification rules (collectively, “HIPAA Rules”). Part 1 covers why most EAPs are subject to the HIPAA Rules. Part 2 will discuss wellness programs. In both cases, EAPs and wellness programs must comply with the HIPAA Rules to the extent that they are “group health plans” that provide medical care.

As background, the HIPAA Rules apply to “covered entities” and their “business associates.” Health plans and most healthcare providers are “covered entities.” Employers, in their capacity as employers, are not subject to the HIPAA Rules. However, the HIPAA Rules do apply to any “protected health information” (“PHI”) an employer/plan administrator holds on a health plan’s behalf when the employer designs or administers the plan.

Plan administrators and some EAP vendors may not consider EAPs to be group health plans because they do not think of EAPs as providing medical care. Most EAPs, however, do provide medical care. They are staffed by health care providers, such as licensed counselors, and assist employees who are struggling with family or personal problems that rise to the level of a medical condition, including substance abuse and mental health issues. In contrast, an EAP that provides only referrals on the basis of generally available public information, and that is not staffed by health care providers, such as counselors, does not provide medical care and is not subject to the HIPAA Rules.

A self-insured EAP that provides medical care is subject to the HIPAA Rules, and the employer that sponsors and administers the EAP remains responsible for compliance with the HIPAA Rules because it acts on behalf of the plan.   On the other hand, for an EAP that is fully-insured or embedded in a fully-insured policy, such as long-term disability coverage, the insurer will have the primary obligations for compliance with the HIPAA Rules for the EAP. The employer will not be responsible for overall compliance with the HIPAA Rules for an insured EAP even though it provides medical care, but only if the employer does not receive PHI from the insurer or only receives summary health information or enrollment/disenrollment information. Even then, the employer needs to ensure it doesn’t retaliate against a participant for exercising their rights under the HIPAA Rules or require waiver of rights under the HIPAA Rules with respect to the EAP.

An EAP that qualifies as an “excepted benefit” for purposes of HIPAA portability and the Affordable Care Act (as is most often the case because the EAP is offered at no cost, eligibility is not conditioned on participation in another plan (such as a major medical plan), benefits aren’t coordinated with another plan, and the EAP does not provide “significant benefits in the nature of medical care”) can be subject to the HIPAA Rules. In other words, just because you’ve determined that your EAP is a HIPAA excepted benefit doesn’t mean the EAP avoids the HIPAA Rules. Most EAPs are HIPAA excepted benefits, yet subject to full compliance with the HIPAA Rules.

Employers/plan administrators facing unexpected compliance obligations under the HIPAA Rules because of a self-insured EAP that provides medical care will need to enter into a HIPAA business associate agreement with the EAP vendor, amend the EAP plan document to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules. One option is to amend any existing compliance documents and policies and procedures under the HIPAA Rules for another self-insured group health plan to make them apply to the EAP as well. If the EAP is the plan administrator’s only group health plan for which it has compliance responsibility under the HIPAA Rules, the plan administrator should consult with legal counsel to develop and implement all necessary documentation for compliance with the HIPAA Rules.

Text messaging is a convenient way for busy doctors to communicate, but for years, the question has remained: are doctors allowed to convey sensitive health information with other members of their provider team over SMS? The answer is now “yes,” thanks to a memo published last week by the U.S. Department of Health & Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).   The memo clarifies that “texting patient information among members of the health care team is permissible if accomplished through a secure platform.”

However, texting patient orders is prohibited “regardless of the platform utilized” under the CMS hospital Conditions of Participation or Conditions of Coverage, and providers should enter orders into an electronic health record (EHR) by Computerized Provider Order Entry (CPOE).

According to the memo, CMS expects providers and organizations to implement policies and procedures that “routinely assess the security and integrity of the texting systems/platforms that are being utilized” to avoid negatively affecting patient care.

What’s interesting about the CMS memo is that texting on a cell phone has become as routine (if not more routine) as speaking into a cell phone – and HHS published guidance way back in 2013 explaining that the HIPAA Privacy Rule permits doctors and other health care providers to share protected health information over the phone. Telling a 21st century doctor not to communicate by text message (within the proper HIPAA parameters, of course) is like telling the President he can’t communicate on Twitter.

CMS’s restriction on texting patient orders appears to relate to concerns about medical record accuracy, not privacy and security. “CMS has held to the long standing practice that a physician … should enter orders into the medical record via a hand written order” or by CPOE, “with an immediate download into the … [EHR, which] would be dated, timed, authenticated, and promptly placed in the medical record.”

I asked a couple of IT security experts here at Fox how a provider or organization would go about “routinely assessing the security and integrity of the texting systems/platforms” being used by doctors. According Fox partner and Chief Privacy Officer Mark McCreary, CIPP/US, the provider or organization might want to start by:

“… receiv[ing] and review[ing] their third party audits and certifications.  Most platform providers would make those available to customers (if not the public).  They like to tout their security.”

Matthew Bruce, Fox’s Information Security Officer, agreed:

“That is really the only practical way to routinely assess. SMS, which is standard text messaging, isn’t secure so it would likely require the potential use of third party app like Signal.  iMessages are encrypted and secure but only between iPhone users. Both companies should publish their security practices.”

So, providers or organizations participating in Medicare can (continue to) allow doctors to communicate (but not enter treatment orders) by text, but should periodically review the security of the texting systems or platforms the doctors are using. They may also want to remind doctors to make sure they know when and how to preserve text messages, whether by taking screen shots, using an SMS backup app, or some other method.