To Text or Not to Text
Texting is instantaneous, convenient, and direct. It makes pagers seem as outdated as carrier pigeons. Without appropriate safeguards, however, texting can lead to violations of the Health Insurance Portability and Accountability Act (HIPAA).
Physicians have embraced smartphone technology, with the vast majority using smartphones to communicate and to access medical information. The attractions are obvious: Phone applications put libraries full of information at users' fingertips, and drug alerts (such as PDR.net) are just a click away. Texting reduces the time waiting for colleagues to call back and may expedite patient care by facilitating the exchange of critical lab results and other necessary patient data.
Safeguard Against HIPAA Violations
The very convenience that makes texting so inviting may create privacy and security violations if messages containing protected health information (PHI) are not properly safeguarded. Text messages among colleagues should be encrypted and exchanged in a closed, secure network.
However, according to a member survey by the College of Healthcare Information Management Executives, 96.7 percent of those surveyed allowed physicians to text, and 57.6 percent of those organizations surveyed did not use encryption software. The underlying reason for poor compliance with encryption could be the lack of technical knowledge or a desire to avoid the inconvenience of sending a message to someone who may not be able to decrypt it.1
With penalties up to $50,000 per HIPAA violation, safeguarding texts should be of utmost priority. In addition to encrypting texts, consider installing autolock and remote wiping programs. Autolock will secure a device when it is not in use and requires a password to unlock it. Wiping programs can erase data, texts, and e-mail remotely. Both types of safeguards provide additional protection in the event a device is lost or stolen.
In December 2016, The Joint Commission issued a clarification regarding the use of secure text messaging for patient care orders.2 The recommendations, developed in collaboration with the Centers for Medicare and Medicaid Services, include the following:
- The use of unsecured text messaging when sharing protected health information (PHI) is prohibited.
- Computerized provider order entry (CPOE) is the preferred method for submitting orders.
- Verbal communication should be used infrequently and only in the event that a CPOE or written orders cannot be submitted.
- The current prohibition on secure text messaging of patient care orders is continued.
Ensure Accuracy to Avoid Liability Concerns
Shorthand and abbreviations are commonly used in text messaging. The informal nature of text messages can increase the chances of miscommunication. It is important to ensure accuracy, particularly when patient information is exchanged over text. Additionally, deleted text messages can be retrieved, and metadata (the data behind the data) is also producible in a lawsuit.
Finally, texting cannot substitute for a dialogue with a colleague concerning a patient. If there is a critical matter or any doubt about the communication, it’s best to pick up the phone.
Take Steps to Protect Your Practice
Consider the following steps to safeguard your practice:
- Enable encryption on your mobile device.
- Have a texting policy that outlines the acceptable types of text communications and specifies situations when a phone call is warranted.
- Report to the practice’s privacy officer any incidents of lost devices or data breaches.
- Install autolock and remote wiping programs to prevent lost devices from becoming data breaches.
- Know your recipient, and double check the “To” field to prevent sending confidential information to the wrong person.
- Avoid identifying patient details in texts.
- Assume that your text can be viewed by anyone in close proximity to you.
- Ensure the metadata retention policy of the device is consistent with the medical record retention policy and/or that it is in accordance with a legal preservation order.
- Ensure that your system has a secure method to verify provider authorization.
- When conducting your HIPAA risk analysis, include text message content and capability.