Text messaging is pervasive.  Doctors and other health care providers, covered entities, and business associates currently use (and embrace) the technology.  Texting is easy, fast and efficient.  It doesn’t require a laptop and can operate even where wireless signals are low.  It doesn’t require you to scroll through your email inbox or retrieve your voicemail.

All of this convenience is coupled with compromise, leading to security risks that can be difficult to manage.

There is the obvious risk of unauthorized access to protected health information.  For example, unless preventive measures are employed:

  • anyone with access to the mobile device will have access to the text message
  • the text can be accessed when the device is lost, stolen, or even when it is returned or recycled
  • the protections implemented by IT/IS departments of covered entities and business associates, such as firewalls, may not cover texts, which can be intercepted and decrypted

Further, HIPAA is not just about protecting information. HIPAA also requires access – patients and their authorized representatives have the right to access certain PHI.  When text messages are used in patient care decision-making, there is a potential risk of noncompliance if the provider is not able to accommodate the individual who requests access to their record.

How should texting be addressed?  There is no single, easy answer.  At a minimum, to satisfy the HIPAA-required risk analysis and management, a covered entity or business associate should include an analysis of mobile phones and other devices on which PHI is created, received, maintained or transmitted.  This includes texts.

The safeguards an organization puts into effect as security controls will depend, in part, on the size of the organization, its technical capabilities, existing infrastructure, costs, and other factors.  Below are some mechanisms that could be considered – these are not requirements but they are measures that some organizations have adopted after performing a risk analysis:

  • Adopt policies requiring deletion of all texts within a period of time
  • Use technology that can wipe the information or remotely disable mobile phones if lost or stolen
  • Encryption and password protection
  • Provide policies or guidelines limiting the type of information that texts should contain (for example, not using patient names or other identifiers)
  • Switch to secure messaging applications
  • Require that texted PHI be added to the medical record, and provide a mechanism for this
  • Train workforce members on texting policies and procedures of the organization
  • Impose sanctions for workforce members that violate the policies

Organizations may identify different levels of risk and institute different types and levels of controls.  Some covered entities and business associates reduce the risk by prohibiting texting completely.  Some institute safeguards such as the ones listed above.  Others have not yet formally addressed the risks of texting.  More likely, they have thought about the risks but have not yet decided what their approach will be.

Implementing controls related to texting can be difficult for an organization.  The important thing is to take affirmative steps right now to analyze the risk and manage texting, rather than considering the risks and implementing appropriate controls only after a problem develops.  The U.S. Department of Health and Human Services offers suggestions regarding mobile devices on its HealthIT.gov website.