Rules of the Road for Texting Patient Information

September 8, 2016

Are you texting a fellow provider or a patient? Here is what you should know with regard to HIPAA and compliance.

As frequent communication via text has become more prevalent, physician practices are examining their current procedures for this kind of communication in order to accommodate a new generation of younger physicians. A recent change in policy by the Joint Commission, as well as recent enforcement actions by the Office of Civil Rights (OCR), has further prompted the need for such a review.

The Joint Commission recently announced a change in its policy whereby it will allow providers to communicate patient orders via text message. The policy applies to all Joint Commission accreditation programs. While the change in policy by the Joint Commission provides added flexibility to physicians, there are several things that should be considered prior to adopting texting practices on a day-to-day basis.

The Joint Commission's new policy allows physicians to text orders, as long as it is done in accordance with applicable professional standards of practice, laws, regulations, policies, and procedures. Further, a secure text messaging platform must be used by the physician. A secure text messaging platform is one that includes the following features: a secure sign-on process, encrypted messaging, delivery and read receipts, a date and time stamp, customized message retention time frames, and a specified contact list for individuals authorized to receive and record orders. Standard text messaging through your "messages" app will not currently satisfy these requirements, so an additional application will need to be installed and used.

In addition, any platform used for texting patient information will need to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations. For example, a risk analysis must be conducted with respect to any electronic system storing or transmitting patient information, including applications on mobile devices. Recent enforcement actions by OCR highlight the importance of conducting a risk analysis.

The most recent enforcement action involved a $5.55 million settlement with Advocate Health Care Network. While the breach did not specifically relate to the texting of patient information, OCR Director Jocelyn Samuels stated in a related press release, "We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level." In addition, risk analysis and risk management is one of only a few audited items in the recent Phase 2 HIPAA desk audits, implying that this is currently an important focus of OCR.

In light of these recent events, physician practices that allow the text messaging of patient information should take the following steps:

• Research text message platforms to ensure compliance with the Joint Commission requirements (if texting patient orders) as well as HIPAA.

• Once selected, obtain a Business Associate Agreement with the platform vendor if the vendor has the capability to access patient information.

• Develop a risk management strategy and conduct a risk assessment. This is a "must" anytime you have an electronic system transmitting or maintaining patient information.

• Revise your HIPAA Compliance Plan to allow the texting of patient information and draft your policies and procedures accordingly.

• Define through policy when texting information is or is not appropriate and the procedures for utilizing text messages. For example, specify how text message orders will be dated, timed, confirmed and authenticated by the ordering provider.

• Define through policy how to document information sent via text message in the patient's medical record. Assuming the capabilities from a technology standpoint are available (and they are through certain systems), the secure text messaging platform may integrate directly with the electronic medical record, thereby avoiding the need for additional entry and/or work by the providers.

• Educate providers on applicable policies and procedures.

• Develop a provider attestation documenting the capabilities of the secure text messaging platform and requiring physicians to agree to the practice's policies and procedures regarding text messages.

• Monitor the frequency of use.

• Routinely assess compliance by providers with your texting policies and procedures, and adjust your policies and procedures accordingly.

If implemented properly, allowing the use of text messages within your practice should free up valuable time for physicians and improve outcomes for patients. However, the benefits that stem from the use of text messaging must be achieved in a manner that protects and secures patient privacy.

Kelli Fleming is a partner with Burr & Forman LLP (Birmingham, Alabama) who works exclusively within the firm's Health Care Practice Group. She represents various health care clients, including hospitals, surgery centers, physician practices, diagnostic centers, and home health care and hospice agencies. She may be reached at (205) 458-5429 or by email at kfleming@burr.com.