Skip to main content
HIPAA Privacy & Security Compliance

HIPAA Privacy & Security Compliance: Think B4 U Send Text Messages

Provider-to-provider and provider-to-patient text messaging continues to increase. The risks and penalties associated with HIPAA violations are also on the rise.  

 

The risks associated with sending electronic protected health information (ePHI) via unencrypted text messaging are significant, especially given the climate of rising enforcement of compliance as it pertains to HIPAA and HITECH. However, there’s high demand among healthcare providers to use text messaging as a fast, convenient way to communicate and collaborate with both patients and colleagues. So, what gives? This article will discuss how clinicians can protect themselves when texting with their peers about patients and when texting with patients about their protected health information (PHI).

The Texting Reality 

Texting within the healthcare space is commonplace among providers, with good reason. It’s an excellent way to communicate and touts convenience, expedience, and the ability to enhance patient care by connecting with other clinicians quickly. Besides texting about patients, providers are also texting with patients, with positive results. In one study where doctors used texting or email for perioperative messaging, 94% of family/friends felt more connected to their loved ones during surgery, with 90% of patients reporting an improved hospital experience.1 Yet, security-wise, there are many risks for breach of PHI. Additionally, there are multiple ways in which instant messages are shared in addition to texting through one’s cell phone. These include platforms such as WhatsApp, Facebook Messenger, QQ Mobile, WeChat, Skype, Viber, Line, and Blackberry Messenger, among others.2 Moving forward, we will see continued expansion of texting and other digital messaging in healthcare settings. However, HIPAA security concerns are not receiving prime consideration. In one study, only 5% of physicians routinely used HIPAA-compliant text applications, regardless of their training level.3 This leaves practitioners open to HIPAA violations as well as potential malpractice if the information in texts is used to make treatment decisions. Research has indicated that reported barriers to HIPAA compliance in texting include inconvenience (58%), lack of knowledge (37%), unfamiliarity (34%), inaccessibility (29%), and habit (24%).3 For some time, the Joint Commission disallowed text messaging among healthcare providers under its jurisdiction, but recently revised its position to allow texting with certain restrictions. These restrictions include that a secure messaging platform must be implemented that contains the following:

  • secure sign-on process,
  • encrypted messaging,
  • delivery and read receipts,
  • date and time stamps,
  • customized message retention timeframes, and
  • specified contact list for individuals authorized to receive and record orders.4 

Addressing HIPAA Regulations

While these rules provide some solid guidance, they do not address HIPAA security regulatory concerns. Organizations must have policies and procedures that address the security regulations, including administrative, physical, and technical safeguards (Code of Federal Regulations [CFR] 45 164.316). If texting involves PHI, policies and procedures about its use must be documented. To understand how texts and other digital-messaging platforms must be evaluated under HIPAA regulations, they must be included in an organization’s security-risk assessment. This process includes performing a risk analysis on how texting may put patient PHI at risk, finding ways to manage that risk, and including a sanction policy if providers violate the texting policies and procedures (CFR 45 164.308[a][1]). Some considerations regarding texting and other forms of digital messaging are:

  • If texts reside on a mobile device indefinitely, there’s risk of exposure to unauthorized third parties via theft, loss, disposal, or recycling of the device.5
  • Texts are generally not monitored by an organization’s information technology (IT) department, leaving a risk of interception by an unauthorized person,5 as well as potential malware.
  • Using a cell phone on a public domain network increases risk of exposure of the ePHI transmitted from the device.6 
  • There may be a lack of authentication in that, without proper access protection, anyone may access the PHI,5 risking inappropriate disclosure, alteration, or destruction of ePHI.
  • Improper disposal of the device.5
  • The ePHI is unavailable to other providers if it’s needed.5
  • Text messages may also reside on workstations or cloud computing in addition to the cell phone.
  • ePHI stored on the phone is stored on the on-board memory, but can also be stored on the Subscriber Identity Module card, where it will likely remain.7
  • Some messages are stored online as a convenience to the subscriber.7
  • The privacy rule provides patients or their representatives rights to access and amend PHI about them that is maintained in the designated record set (DRS). Any information that is used to make treatment decisions (in whole or in part) must be entered into the DRS.5

An organization’s security-risk analysis should result in policies and procedures that include attention to:

  • Defining and limiting the type of information that may be shared via text.
  • Training of workforce on the proper use and circumstances of texting. 
  • Using a secure platform with password protection and encryption.
  • Maintaining an inventory of all mobile devices that text ePHI (both organizationally owned and personally owned).
  • Developing a process by which texts with ePHI will be entered into the DRS.5
  • Defining policy regarding retention and deletion of texts.
  • Including a notification to the workforce that the organization can legally search an employee’s mobile device when there is suspicion that HIPAA regulations are being violated.
  • Having a clear sanction policy for improper use or disclosure of ePHI via a mobile platform.6
  • Disallowing highly sensitive ePHI being communicated via text.
  • Defining how ePHI will be removed or destroyed from a device. 
  • Traditional texting does not allow for centralized audit controls via IT departments.5

Also note that patients have the right to request that communication be made via text. Under CFR 45 164.52, individuals have the right to request alternative means of communication from their healthcare providers in order to ensure confidentiality. Examples of the types of communication to which this policy may apply include (but are not limited to): 

  1. appointment reminders,
  2. billing statements,
  3. pre- or post-treatment/procedure calls,
  4. sending test results, and
  5. prescription refill reminders.  

When a patient requests this alternative means of communication (ie, text messaging), requests must be in writing and are required to be accommodated. Additionally, providers must explain to the patient about the risk of using the alternative communication, such as text messaging. Typically, including this explanation in the written request that the patient signs will codify this requirement. While it can be extremely expedient and convenient to text about or even text with patients, texting does carry risks of HIPAA violations and HITECH regulations. Texting can also increase malpractice risks when messages about treatment decisions are not included in the DRS. As outlined in this article, there are various ways providers or organizations can decrease their risks when employing texts in patient care. It’s incumbent upon the professional to balance convenience and expediency of texting with protecting patient care and privacy. 

Roger Shindell is chief executive officer of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. He is also chairman of the HIMSS Risk Assessment Work Group and a member of the American Health Information Management Association’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindell@carosh.com.

References

1. Gordon CR, Rezzadeh KS, Li A, et al. Digital mobile technology facilitates HIPAA-sensitive perioperative messaging, improves physician-patient communication, and streamlines patient care. Patient Saf Surg. 2015;9(21)1-7.  

2. Most Popular Mobile Messaging Apps Worldwide as of April 2016, Based on Number of Monthly Active Users (in Millions). Statistica. Accessed online: www.statista.com/statistics/258749/most-popular-global-mobile-messenger-apps

3. McKnight R, Franko O. HIPAA compliance with mobile devices among ACGME programs.  J Med Syst. 2016;40(5):129.  

4. Update: Texting Orders. The Joint Commission. 2016. Accessed online: www.jointcommission.org/update_texting_orders

5. Greene AH. HIPAA compliance for clinician texting. J of AHIMA. 2012. 83(4):34-6.  

6. McCartney P. Texting protected health information in healthcare. MCN Am J Matern Child Nurs. 2015;40(1):61.  

7. Stein B. HIPAA & Text Messaging Security White Paper. 2015. Brooklyn, NY. Mobile Commons.  

HIPAA Privacy & Security Compliance
Roger Shindell, MS, CHPS, CISA
PDF
/sites/default/files/TWC_0217_Shindell.pdf
Back to Top