Text messaging is the new email and is common in health care. Providers are texting both patients and other providers about patient care. While texting offers benefits in terms of ease, quickness and flexibility, text messages that include protected health information (PHI) raise concerns about the privacy and security of the information. Is the texted information secure and HIPAA compliant?
Both OCR (the HHS Office for Civil Rights) and CMS (the Centers for Medicare & Medicaid Services) have raised concerns about texts with patient information. HIPAA permits transmission of PHI by electronic means provided that the transmission is secure. OCR has acknowledged the benefits of texting by health care organizations, but has identified concerns and has indicated that it intends to issue guidance on texting in the near future. In late 2017, CMS issued a memorandum to State Survey Directors providing that texting patient information among health care team members is permissible if conducted on a secure platform, but that texting of orders by health care providers is not permissible. Specifically, the CMS memorandum states that health care providers must use systems or platforms for texting that are “secure, encrypted, and minimize the risks to patient privacy and confidentiality” per HIPAA regulations and conditions of participation or conditions for coverage.
Health care providers who use text messages to communicate patient information either with patients or other health care providers should do so only if they can be assured that the text message is secure and the transmission is HIPAA compliant. HIPAA requires, among other things, that the provider (1) limits access to PHI to authorized users who need the information to do their jobs; (2) monitors access of users to the mobile device and text; (3) authenticates the authorized users; and (4) implements policies and procedures to prevent inappropriate alteration or destruction of PHI. In addition, OCR recommends encryption when PHI is transmitted outside the organization in any electronic form, including texting.
Texting, without added security measures, will not comply with these HIPAA requirements. Individuals sending text messages have no control over the final destination: the telephone number could be wrong, or the recipient could forward the text to others. Text messages typically don’t require a password and remain on mobile devices indefinitely, increasing the chance of unauthorized disclosure if the device is lost, stolen or reused. Even where text messages are encrypted, that encryption is fairly easy to defeat. Texting is not typically monitored or controlled by the provider’s IT department, and text messages cannot be “erased” by remote action if the device is lost.
Texting patient information is not prohibited by HIPAA and can be beneficial for both the patient and the provider. But texting patient information is also risky for both the patient and the provider. Providers who wish to text with patients or other providers should take steps to strengthen the security of both the mobile device used for the text and the transmission of the text. This means adding levels of security to the mobile device, such as password protection, encryption of the text message, and periodic deletion of texts or transfer of the text message to the patient’s medical record. Providers should communicate the risks to patients and ensure that patients have the option to choose not to receive personal information by text. Providers should also adopt policies and procedures specific to text messaging and make appropriate changes to their Notice of Privacy Practices.
To sign up for Dykema’s Health Care Blog e-mail updates, please click here.