Text messages between medical practices and patients are a great way to violate HIPAA - unless you take very specific precautions.
Sending text messages has become a common method of communication among teenagers, adults, and more recently medical professionals. Physicians are discovering that texting provides a quick and efficient way to communicate with colleagues, patients, and office or hospital staff. A recent survey by QuantiaMD of 38,000 physicians found that approximately "83 percent of physicians own at least one mobile device and about one in four doctors are 'super mobile' users who leverage both smartphones and tablet computers in their medical practices."
As patients and healthcare providers increasingly use mobile devices to communicate with each other, concerns are raised about the security of electronic protected health information (e-PHI). The HIPAA Security Rule allows healthcare providers to communicate electronically with patients but it also outlines standards to protect individuals' e-PHI with appropriate safeguards covering confidentiality, integrity, and security of e-PHI. This article focuses on the security issues raised by texting of e-PHI between healthcare providers, or provider and patient, and how unsecure texting may violate the HIPAA Security Rule and create liability for healthcare providers.
As a general rule, texting of e-PHI by healthcare providers is strongly discouraged by the Cooperative of American Physicians, in their advice to member physicians. Texting, or short message service (SMS) messaging, is non-secure and noncompliant with HIPAA standards because data stored on personal mobile devices is not encrypted, and is usually stored on the computer's hard drive or on a smartphone SIM card or memory chip. The lack of encryption and the easily accessible storage methods allow any e-PHI communication on a mobile device to be retrieved and shared by anyone with access to the mobile device. This means that messages containing e-PHI can be read by anyone, forwarded, remain unencrypted on phone company servers, and remain forever on the sender and receiver's phones.
Another reason why physician-patient texting is discouraged is that standard texting/SMS formats limit the message to 160 characters. This limited text field may cause critical information or options to be eliminated. According to a recent policy statement from the American College of Physicians and the Federation of State Medical Boards, physicians should understand text messaging is "not analogous to e-mail because of its abbreviated format and the greater possibility of missed messages." Physicians are urged not to use text messaging even with established patients, "except with extreme caution and with patient consent."
Lastly, text messages cannot be authenticated. Senders cannot be certain that the message has been sent to and opened by the right person. Studies have shown that 38 percent of people who text have sent a text message to the wrong person.
The inherent cost of e-PHI breaches, in light of increased regulations and enforcement, makes it a priority for physicians to assess their privacy and security policies concerning mobile devices. Physicians can protect sensitive patient information in a variety of ways. The HIPAA Security Rule requires a covered entity to implement three types of safeguards for e-PHI: administrative (policies and procedures to protect e-PHI), physical (typically physical measures to protect electronic information and the equipment it resides on), and technical (such as specific technology employed to protect e-PHI).
Administrative safeguards include but are not limited to the following:
• Risk assessments. Conduct periodic risk assessments of your mobile devices.
• Missing device policies. Implement policies and procedures which address what to do when a mobile device is lost or stolen.
• e-PHI procedures. Have a plan regarding retention and/or destruction of electronic communications.
• Training. Educate staff on the need to protect e-PHI.
• Security policies. Institute policies to protect e-PHI through use of encryption or implementation of other security measures found below.
Some technical safeguards include but are not limited to the following:
• Encryption. Many mobile devices can be encryption-enabled with proper configuration. The use of encryption creates an exemption from HIPAA fines.
• Auto-lock. Configure the auto-lock screen to appear after a brief time of inactivity has passed.
• Wi-Fi connection. Enable Wi-Fi network security (WPA-2). Mobile devices that use public Wi-Fi or unsecured cellular networks to send and receive information risk exposing e-PHI. Unless mobile device users connect to a secure website to transmit data, or connect using virtual private networking (VPN) which encrypts data to and from the mobile device, there is a risk e-PHI could be compromised.
• Passwords. Create a complex password on the device with a combination of uppercase and lowercase letters, symbols and numbers.
• Storage. Only store e-PHI on these devices when absolutely necessary for business purposes, and delete it as soon as feasible. Set a policy to keep e-PHI on your mobile device for no more than one month.
Some physical safeguards might include:
• Remote wipe. Set the remote wipe feature so it can be activated if the wireless device is lost.
• Inventory. Keep an inventory of personal mobile devices used by healthcare professionals to send or receive PHI.
• Radio frequency identification (RFID). Install RFID tags on mobile devices to help locate them if lost or stolen.
As patients and clinicians increasingly use mobile devices to communicate with each other, it is important that covered entities perform a risk assessment and establish safeguards, as above, to protect patient confidentiality and e-PHI.
Ann Whitehead, RN, JD, is vice president of the risk management & patient safety department for The Cooperative of American Physicians. A registered nurse and licensed attorney, Whitehead has developed and conducted risk management and patient safety education presentations for physicians, residents, office managers, and risk managers.
The information contained within this blog, on this website, is made available for educational purposes to give general information, and is not intended to provide specific legal advice for individual circumstances or legal questions. By using this blog site you understand that reading this post does not establish an attorney-client relationship between you and the author (attorney) or her company. Furthermore, this blog is not a substitute for legal advice from an attorney, and you should not act upon information contained in the blog without seeking the advice of a professional attorney in your state.