Physician Practices and Smart Electronic Communications

I once worked in a medical practice where the doctor gave his personal cell phone number to everyone. Patients, supply and drug representatives, employees, all were able to contact the doctor directly. He was proficient with texting, so in addition to phone calls he got electronic text messages. Sometimes those messages were personal, but sometimes they were medical in nature. The stereotype that all physicians shun technology is changing as younger docs come onboard. Indeed, technologically savvy patients may shun physicians who don't offer electronic access.

However, giving patients a doctor's personal phone number can raise a number of warning flags. The one I want to address here is the risk involved with conducting medical discussions through a cell phone. Since a single violation for unsecured communication can result in a fine of $50,000, and repeated violations can lead to $1.5 million in fines in a single year, it is critical that practices take protective measures to secure patient communications.

Some sources say the practice of electronic messaging is OK if the patient initiates it because he is implicitly agreeing to a method of unsecured communication. My thought on that stance is that patients may not understand their rights to security, or realize that their phone is not as secure as they think it is.

While there are obvious advantages to using texting as part of a fast, direct, and simplified form of healthcare communication and delivery, the traditional SMS (text) message is fundamentally flawed in terms of HIPAA compliance. Electronic messages containing protected health information (PHI) can be read by anyone, forwarded to anyone, and remain on the telecommunication provider's server and the sender/receiver's phones. Some smartphones are more secure than others, but recent news regarding NSA retrieving smartphone data has been a good reminder that very few systems are foolproof. Additionally, senders cannot confirm the recipient of the message. Studies have shown that 38 percent of people who text have sent a message to the wrong person, according to a blog post by Power Your Practice.

Medical malpractice insurer The Doctors Company provides guidance for physicians who are thinking of texting patients in the article "Text or Not to Text." Additional guidance can also be found at the HIPAA Collaborative of Wisconsin's privacy and security resource. Here are some key security points to build into your practice's security policy:

• Have a policy that forbids storing data on mobile devices. Set smartphones to automatically erase messages.

• Enable built-in functionality such as passwords that control access to mobile devices.

• Use the smartphone's encryption software. Encryption software can be activated by a step as simple as setting a password. For example, the iPhone can be set to erase your data after 10 failed attempts to crack the passcode, as long as the "erase data" feature is enabled in settings.

• Do not text orders. There is no verification of the sender's identity, and no way to incorporate the order into the medical record. In addition, using enough PHI to safely identify the patient creates more layers of risk.

• Ensure accuracy. Be careful that information exchanged is accurate and that the message goes to the intended party.

• Have policies regarding texting. Outline the acceptable types of text communication.

We need to face the fact that in this day of easily accessible technology, physicians will text. It is up to us as medical practice executives to make sure that it is done as safely as possible; even if it means making regular audits of physician phones to make sure that the safeguards are active and being used.

Beth A. Balen, MBA, FACMPE, has over 25 years of experience in the healthcare field, including 17 years as an orthopedic practice administrator. She is currently living in Arvada, Colo., and works as an independent medical practice consultant. You can contact her at beth.balen@yahoo.com.