Is Your Text Messaging HIPAA Compliant?
It’s been a busy day, with no reprieve in sight. You take a moment to text a cardiologist you work with on occasion, requesting a consult on patient John Smith. You get a reply of “???”. Oops. The doctor changed his phone number and now some college student just received your message about John Smith’s arrhythmia.
The benefits of text messaging are obvious. Fast, efficient communication that’s easy to use is incredibly important in healthcare. However, the pitfalls and risks associated with texting are equally important. Here are some items to keep in mind when evaluating how your practice uses text messaging.
Does the Message Contain PHI?
This is the central question to consider. If your text message contains information relating to a patient’s health and that data can be “individually identifiable”, then it can be considered PHI. Data is individually identifiable if it contains the patient’s name, date of birth, a unique identifying number or one of the other 18 identifiers outlined by the US Department of Health.
Technology, such as text messaging, that is used for accessing, transmitting, or receiving PHI electronically is covered by the HIPAA Security Rule. If your text contains ePHI, the Security Rule requires reasonable and appropriate administrative, physical and technical safeguards.
Managing these safeguards on text messaging can be difficult. As illustrated in the opening example, you cannot ensure the recipient of your text is whom you intended. Numbers can change, phones can be lost or stolen, and text messages can easily be read by others with access to the phone. Often-overlooked details can put your practice at risk. For example, text message alerts display the first lines of content automatically, and can be read without entering the phone’s passcode. The threats to PHI in text messages are numerous and quite likely.
To avoid texting ePHI, some providers may omit data that is individually identifiable from their message. While this is a prudent choice, discussing a patient’s condition and treatment without being able to identify the patient holds its own set of risks. The potential for confusion and mistakes rises and text messaging becomes a less effective form of communication.
To better manage compliance and communication, include text messaging in your organization’s overall risk analysis and management strategy. Determine what information is acceptable to text and train staff accordingly. Keep an inventory of mobile devices (both personal and provider-owned) and ensure devices are using passcodes and encryption.
Consider using a vendor-supplied secure text messaging app. These apps allow HIPAA- and HITECH-compliant, text-message-style communication and are compatible with most smartphones and tablets. Using the app, ePHI can be sent to contacts inside and outside your organization. Your answering service may also use it to communicate detailed information to the on-call physician. When choosing a secure messaging vendor, determine if a business associate contract will be needed and if so, ensure they will sign one.
As smartphones and mobile devices become increasingly prevalent in practicing medicine, it’s time to explore how you and your organization use text messaging. Through planning and partnership, it’s possible to keep the value of text messaging and lower your risks.
Katie Fleming is Business Development Manager at Rapid City-based Golden West Technologies.