Like everyone else, health care workers have become accustomed to the convenience of communicating by text message. Although using text messages can make communications more efficient in the health care setting, transmitting protected health information (PHI), including photographs, in text messages raises Health Insurance Portability and Accountability Act compliance risks. Some of the compliance risks include the following:
- Many people do not password-protect a mobile device, making it easy for another user to access PHI stored in texts. This access can occur when the device is shared, lost, or stolen.
- Text messages often are not encrypted, unlike e-mail.
- The use of personal mobile devices to send texts or photographs is common, unlike email, which most often is sent on work-issued computers or tablets.
- Text messages can remain on a mobile device indefinitely.
The U.S. Department of Health & Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) have gathered tips to safeguard PHI when using mobile devices. They make the following suggestions about how to protect and secure information on mobile devices, which applies to developing a policy on transmitting PHI by text message.
- Use a password or other user authentication.
- Install and enable encryption.
- Install and activate remote wiping and/or remote disabling.
- Maintain physical control of the mobile device.
- Delete all stored health information before discarding or reusing the mobile device.
HHS and ONC have resources to assist in updating or developing policies for mobile device use. They recommend the following five steps for policy planning. These steps can assist health care organizations in developing a policy on using text messages to transmit PHI.
- Decide whether mobile devices will be used to access, receive, transmit or store PHI.
- Conduct a risk analysis to identify risks and perform a risk analysis periodically whenever there is a new mobile device, a lost or stolen device, or suspicion of compromised health information. After conducting a risk analysis, document:
- which mobile devices are used to communicate with your organization’s internal networks or system; and
- what information is accessed, received, stored, and transmitted by or with the mobile device.
In addition, organizations should review HHS “HIPAA Security Series: Basics of Risk Analysis and Risk Management” for guidance on conducting a risk analysis.
- Identify your organization’s mobile device risk management strategy, including privacy and security safeguards. The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.
- Develop, document, and implement your policy. HHS and ONC suggest that the organization consider the following:
- mobile device management, including identifying and tracking devices;
- whether personal mobile devices can be used and whether they can be used to connect to the organization’s internal network or system;
- whether the device can be used away from the organization;
- whether the device can be used to text;
- security/configuration settings on mobile devices;
- restrictions on information that can be stored on mobile devices;
- procedures for addressing misuse of mobile devices; and
- recovery and deactivation to wipe or disable lost or stolen devices or devices of employees who leave the organization.
- Provide training on mobile device use.