Text Messaging and HIPAA
Michelle Bilsky, CHCO, LHRM, MLA, CBA // April 07, 2017
Text messaging has become popular in the health care field, permitting providers to multitask and to communicate more quickly than with phone calls. Despite these benefits, health care providers should be aware of the potential consequences under HIPAA and the HITECH Act (collectively, “HIPAA”) of permitting staff to text patient information. “Text messaging” encompasses any communication service or application that enables transmission of electronic written messages between two or more mobile devices.
Many health care providers have not developed policies that recognize and address the risks posed by text messages. Notably, text messages create electronic records of the content of conversations while phone calls do not. In fact, to the extent that text messages contain individually identifiable patient information anywhere in the string of texting about a specific patient, text messages create electronic protected health information (ePHI) that is stored as electronic media on the smartphone. This ePHI is subject to the same privacy and security standards as the full electronic health records (EHR) maintained on hospital and health care organizations’ servers.
I. Requirements of HIPAA and HITECH
HIPAA requires that health care providers maintain the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted by a covered entity. The HIPAA privacy rule limits provider disclosure of ePHI only to authorized individuals and entities, and enumerates the reasons for which providers may or must disclose PHI or ePHI. The HIPAA security rule requires providers to protect PHI or ePHI from any threats to access and potential disclosure to unauthorized persons, and requires providers to have a breach notification plan of action if an unauthorized disclosure occurs. For ePHI, these security standards typically require, among other steps, encrypting ePHI, storing ePHI on a secure network, authenticating receivers of information, and implementing protocols for destruction or permitted alteration of ePHI.
Unfortunately, it is difficult to see how text messaging of ePHI can meet the requirements of the HIPAA security rule for most health care providers and organizations. Traditional SMS messages are not encrypted, texts may stay on a telecommunication provider's server for indefinite periods of time, and there is no way to authenticate the recipient. Text messages do not provide the same opportunity for voice identification between health care providers, and it is possible for any person with access to a health care provider's mobile device to view or reply to a message instead of the intended recipient. Text messaging services also offer little protection from the most significant danger to the privacy and security of texted ePHI: the unintended recipient. In the case of an unintended recipient, not only could the recipient view the information, but the receiver may also forward it to others. There are new text messaging applications that link directly to EMRs to document and delete the texts in a HIPAA-compliant manner. There are also HIPAA-compliant texting services and apps, but these still do not document the text, so if a text contained IIHI, the law requires either storing it for the required number of years or transferring it to the EMR.
Text messaging ePHI to unintended recipients likely constitutes a HIPAA breach. HITECH defines a breach as any access, use, or disclosure to an unauthorized individual except where it is clear the unauthorized individual would not have been able to access the information. Notably, the latest rules presume that any unauthorized disclosure is a breach and require reporting to the HHS Office of Civil Rights ("OCR") unless there is a documented low probability that the PHI was compromised. There are some exceptions to this rule (see our advice on breach reporting for more information on this topic).
Even if a health care provider determines that it is not a breach, it is doubtful that most popular text messaging services can make available the ePHI transmitted. For example, following a detailed message from a nurse about the condition of a patient, a doctor may issue an order via a reply message. In what may be a brief exchange, the nurse's message and the doctor's texted reply have become ePHI. Because the recorded conversation is now ePHI, it must be made available in the patient's medical record. Unless the text messaging application integrates with an EMR system and associates the exchange with the correct patient record, preserving future access to the texting record seems next to impossible. This is a core issue for potential claims and discoverability, and also for compliance with a medical records request: if a patient asks for their full medical record and the texted exchange cannot be produced, that failure potentially causes another HIPAA violation.
II. Other Considerations
Concern over text messaging within health care organizations has grown in areas outside HIPAA compliance. For example, the Joint Commission for Physician Accreditation has stated that it is not acceptable for physicians or other health professionals to text or give verbal orders for patients to hospitals or other health care settings. The Commission advises that any text or verbal orders must be followed up by the provider by entering the order into the hospital or other health care setting patient record.
In addition, you must make sure that your policies and procedures specifically outline your texting policy and that everyone follows that policy.
- Health care organizations should first determine the extent to which text messaging may be in use among providers.
- Organizations should then develop appropriate policies, procedures, and training to prevent inappropriate uses of text messaging services.
- Although traditional SMS and popular text messaging services are unlikely to meet the privacy or security requirements as identified in a HIPAA risk analysis, there are other options available that may provide the benefits of text messaging in a HIPAA compliant manner.
Programs for HIPAA compliant emails of ePHI are already in use by providers. These programs use secure attachments and require the recipient to sign in with a password before viewing sensitive information. Similar to these email programs, third party texting services can help providers ensure compliance with the HIPAA security rule.
Most importantly, a few secure texting apps allow health care organizations to integrate their EHRs with the secure texting program, permitting users both to attach information from the EHR to their messages and to add information to the EHR based on their text conversations. Health care organizations that choose to consider a secure texting platform should keep in mind the three requirements for securing PHI: confidentiality, integrity, and availability. Any platform chosen must satisfy all three elements.
An alternative to third party text servers may be facility policies and staff training that permit limited uses of text messaging that do not include PHI or other confidential information (such as quality assurance and performance improvement communications). For example, an organization may develop a protocol that permits nurses to text requests for attending physicians to call them back within a specific timeframe, depending on the urgency of the matter.
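As an added illustration of the limited-use callback protocol described above (example code written for this page, not from the original article or any vendor product), this Python sketch assembles a callback request from fixed fields only and rejects drafts that appear to carry patient identifiers or clinical detail. The urgency windows and the detection patterns are constructed assumptions for the example, not a standard.

```python
import re

# Callback windows (minutes) for each urgency level; constructed values for this example.
URGENCY_WINDOWS = {"stat": 10, "urgent": 30, "routine": 120}

# Heuristic patterns for content that would turn a page into ePHI (constructed, not exhaustive).
PHI_PATTERNS = [
    re.compile(r"\b\d{6,}\b"),                        # MRN- or account-style numbers
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),       # dates, e.g. a date of birth
    re.compile(r"\b(?:room|rm|bed)\s*\d+\b", re.I),   # room/bed numbers locate a patient
    re.compile(r"\b(?:patient|pt|dob|dx|diagnosis|lab|result|mg|mcg)\b", re.I),  # clinical detail
]

def is_phi_free(message: str) -> bool:
    """Return True when no heuristic pattern fires; False means route it through the EHR instead."""
    return not any(p.search(message) for p in PHI_PATTERNS)

def build_callback_request(unit: str, extension: str, urgency: str) -> str:
    """Assemble a callback page from fixed fields only: who is asking, where, and how soon."""
    if urgency not in URGENCY_WINDOWS:
        raise ValueError(f"unknown urgency level: {urgency!r}")
    if not re.fullmatch(r"\d{4,5}", extension):
        raise ValueError("extension must be 4 or 5 digits")
    message = (f"{urgency.upper()}: {unit} requests callback at ext {extension} "
               f"within {URGENCY_WINDOWS[urgency]} min")
    # The unit name is the only free-form field, so gate the assembled text as well.
    if not is_phi_free(message):
        raise ValueError("message would carry PHI; use the EHR or a secure channel")
    return message

if __name__ == "__main__":
    print(build_callback_request("4 West", "4521", "urgent"))
    # Constructed drafts that a policy gate should refuse to send by SMS.
    for draft in ["Pt Smith DOB 3/4/1960 K+ 6.1, pls call", "Call back re rm 12 when free"]:
        print(f"{draft!r}: phi_free={is_phi_free(draft)}")
```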
Although texting has become an efficient method of clinical communication, now is the time to determine whether current practices comply with HIPAA requirements. Health care organizations should consider reviewing or drafting policies to prevent future privacy concerns and work closely with their network of health care providers to ensure that the entire health care team understands the expectations for appropriate text messaging.