Five Ways to Ensure Secure Text Messaging in Your Medical Practice

August 27, 2014

Standard SMS text messaging is not encrypted, secure, or HIPAA compliant. Without taking proper precautions, texting with patients puts your practice at risk.

Texting is to this decade what e-mail was to the last. It's the "killer app" that people of all ages and demographics love. In fact, it's so well liked and easy to use that we regularly see physicians and staff sending text messages to patients without recognizing or mitigating the risk. It's the rare practice that has developed text usage policies and procedures, or encrypted the mobile devices of physicians and staff.

Understand this: Standard "SMS" (Short Message Service) texting is not encrypted or secure. It's not HIPAA compliant. Without taking proper precautions, texting with patients puts your practice at risk for data breaches, security hacks, and HIPAA violations.

Ways that standard "SMS" text messaging falls short

• Unencrypted and unsecure

• Recipient cannot be verified

• No way to escalate high priority messages

• Patient texts are mixed in with personal contact texts on a mobile device

• Can't categorize or sort SMS text messages by type, only by recipient name

• Can't easily print or port to EHR, so pieces of the patient's record remain "outside" the chart

• No archiving capabilities

So take these five digital precautions, and improve your ability to safely text with patients.

1. Stop all texting until you put some rules in place

In a recent client meeting, we heard one surgeon casually mention that patients regularly text him photos of their post-op incision sites. His partners had no idea. Neither did the administrator. Your staff may already be texting patients. Physicians too. Ask everyone to pause their texting until you put some risk reduction policies in place and confer with an attorney. Politely inform your text-using patients that the hiatus is for their protection and privacy.

2. Encrypt all mobile devices

This is a simple step that most practices overlook. "Encrypting all mobile devices is good practice, whether you are texting with patients or not," according to healthcare attorney Michael Sacopulos, president of the Medical Risk Institute in Terre Haute, Ind. "But encryption software is especially important if you are texting patients because it reduces the risk of unauthorized parties accessing text and other data on a physician's or staff's mobile device." Implementation is straightforward and inexpensive. Sacopulos suggests security software such as Kaspersky, which costs $75 to $100 per year, per device.

3. Develop a text usage policy

Such a policy should include details such as who is authorized to send/receive text messages from patients, message response times, appropriate and inappropriate topics for text messaging, how a critical text will get escalated, how data from text messages is included in the patient record, and more. Use these "Guidelines for Developing a Text Messaging Policy" to drive this discussion, and work with a healthcare attorney to refine a policy that reflects the laws in your state. Then be sure everyone in the practice is trained to follow it.

4. Develop a "Statement of Understanding" for text-using patients

"This document should state that the patient has a choice about how they want to be communicated with," advises Sacopulos. "Text messaging is one option, but if the practice does not use a secure text messaging system, patients must understand the risks inherent in using unsecured messaging." These include: an inability to verify the recipient, no way to escalate an urgent message, and no secure archive for the messages, leaving open the potential for data breaches. Sacopulos recommends including a statement that lets patients know they can revoke the permission to text using an unsecured messaging system at any time. "Ask patients to review and re-sign the policy every 12 months."

5. Explore secure text messaging solutions

"The risk exposure for using unsecured text is low compared to the risk exposure of having unencrypted mobile devices," says Sacopulos, adding that he is not aware of large-scale breaches that involve texting. "But just because the risk is low doesn't mean practices shouldn't move toward secure text messaging solutions," Sacopulos advises. "As more and more practices communicate with patients digitally, secure communications of all kinds will become more common and necessary."

Unlike standard SMS, secure texting is encrypted and messages are sent across a secure network. Messages are typically stored in the cloud on a secure, encrypted server - not on individual mobile devices. Messages can then be printed, ported to an EHR, archived, and stored for security audit and medical record management purposes.

Unfortunately, there are very few secure texting systems that enable communication between practices and patients. Most have been built for hospitals and health plans to enable secure texting and messaging between physicians and healthcare professionals within an enterprise. Several such options are Patient Reach Mobile, PingMD, and TigerText.

If, after implementing these five mitigation strategies, your attorney is still squeamish, purchase a cyber insurance policy. Such policies have been around for about a decade, but aren't widely known or purchased. "Cyber insurance is a cost-effective way to protect yourself against expenses related to data and privacy breaches and crisis management," Sacopulos says, "including the costs of remediation, patient notification and credit-check protection, legal costs, and fines." Contact your local insurance broker for details.

Cheryl Toth, MBA, is a practice leadership & implementation coach with KarenZupko & Associates. Cheryl brings 20 years of consulting, training, technology product management, and marketing to her projects.