How To Secure Text Messages in the Electronic Healthcare Environment

September 15, 2015

Originally published on iapp.org

Texting has become an increasingly common form of professionally acceptable communication. According to Bloomberg Big Number, eight trillion text messages are sent every year. The International Telecommunications Union estimates that nearly 200,000 text messages are sent every single second. Text messages allow users to send brief, often abbreviated messages through their handheld devices without the burden of voice communication or sorting through volumes of email. A conversation via text can occur in real time or be spread over minutes, hours, and days, allowing it to continue around other activities. It is hardly surprising that this convenience has also attracted members of the medical community. Physicians and healthcare staff use text messaging to facilitate communications concerning patient care. And while text messaging has significant benefits, many healthcare providers do not recognize the privacy, security, and malpractice risks it poses. These risks can be mitigated through the application of technology and proper policies and procedures.

The benefit of texting vs. traditional communication

For physicians, texting has a myriad of benefits over traditional paging and phone conversations. Between office visits, procedures, teaching, charting and other obligations, physicians are often overscheduled. Contributing to this burden is the difficult task of finding a time when several medical professionals are simultaneously available to consult about a patient's care. When phone calls must be taken, it is more intuitive that Protected Health Information (PHI) must not be overheard. As such, most medical professionals probably find a private place to speak or even carefully choose their words concerning the information they are communicating. This further complicates the time constraints that physicians are under. Texting is efficient. It allows for an exchange of information quickly and succinctly, with multiple parties, in what may seem a discreet and secure manner. In many ways, this mode of communication allows consultation and engagement in real time and has the potential to increase the level of patient care.

The fact that details of a diagnosis can be provided in a short, succinct manner probably makes sharing data more efficient. However, when PHI is exchanged, which includes first or last name, birthdate, and a medical diagnosis, patient privacy is inadvertently sacrificed. Unfortunately, unbeknownst to most medical professionals, traditional text messaging has several drawbacks. Text messaging in the healthcare context not only raises privacy and security issues, but also raises additional concerns with respect to record-keeping requirements for patient medical information and possible malpractice risks.

Legal and compliance-related risks

First, mobile phones, even when password protected, are inherently insecure devices. Passcodes are easily cracked, and once access is gained, all the information on the device is readily available, including past text messages. If a device is lost, stolen, or recycled, patient information contained within the text messages is compromised. SMS text messages are often encrypted by the service provider, but the encryption used to protect them has known weaknesses, can be broken, and is not strong enough for the protection of sensitive health information.

As a result of the insecure nature of mobile phones, text messaging raises significant privacy and security concerns. Text messaging does not comply with the security regulations under the Health Insurance Portability and Accountability Act (HIPAA). The Joint Commission on Accreditation of Healthcare Organizations has found that the use of text messaging in the healthcare environment is unacceptable due to privacy-related risks. If a physician is utilizing a text messaging service, the physician and healthcare facility may need to consider entering into a Business Associate Agreement with the entity providing the text messaging service. Once the phone is stolen or misplaced, HIPAA's breach notification requirements are triggered. A covered entity is required to notify the affected individual following the discovery of a breach of unsecured protected health information. Notification must be provided no later than 60 days from the discovery of the breach. If the physician had been texting about hundreds of patients, then HIPAA's requirement to quickly notify the Office for Civil Rights may be triggered. In addition, it may be necessary to notify prominent media outlets in order to reach the affected individuals. Failure to properly comply with federal or state breach notification laws can lead to significant financial penalties for a covered entity. While texting is beneficial for ease of communication, it may inadvertently create privacy- and security-related risks.

Second, text messaging raises records retention concerns. Text messages discussing patient medical information should be incorporated into a patient's medical record. Retention of protected health information is governed by a variety of state and federal laws. For example, state medical records laws and Medicare regulations address how long protected health information held by medical providers must be retained, and other laws regulate how long health plans must retain participant records. Text messages can be easily deleted. Failure to retain medical information could create records retention issues under state and federal laws.

Third, text messaging can create malpractice risks for a physician or burden-of-proof problems in a trial. A medical provider may send incoherent text messages concerning a patient's medical care to another provider. This could create problems if the patient does not receive the right treatment or if the text message is not interpreted correctly. If there is a malpractice case concerning the physician's care, it would be regrettable if the physician were in the position of needing the text messages as evidence but copies of them had not been retained.

How can a physician use text messaging while still mitigating legal and compliance risks?

To protect patient privacy, recommendations for using texting with patient information have been developed. These recommendations include:

  • training and awareness of the risks associated with a breach of PHI;
  • documentation of policies and procedures on when and what type of patient information can be exchanged via text;
  • limiting the type and amount of PHI sent and received;
  • stringent password policies;
  • mandatory phone encryption;
  • proper disposal and recycling methods;
  • use of a secure, HIPAA-compliant text messaging and clinical communications vendor that has a SOC 2 report;
  • the creation of audit controls to record an audit trail of all activity concerning electronic PHI, which would also mitigate the risks associated with text messaging; and
  • archiving of text messages.

Text messaging is unlikely to go away. Ultimately, it is just too convenient. However, the issues surrounding patient privacy need to be addressed by each physician practice and hospital, as well as HIPAA and regulatory bodies. Patient information must be kept secure and encrypted and should only be accessed by authorized personnel. SMS text messaging makes this challenging, though there are steps physicians can take to minimize the risk of a data breach.
