Text messaging has become popular in the health care field, permitting providers to multitask and to communicate more quickly than with phone calls or pages. Despite these benefits, health care providers should be aware of the potential consequences under HIPAA and the HITECH Act (collectively, “HIPAA”) of permitting staff to text patient information. “Text messaging” encompasses any communication service or application that enables transmission of electronic written messages between two or more mobile devices. This includes both traditional Short Message Service (“SMS”) text messaging and other messaging services such as WhatsApp and iMessage.
Many health care providers have not developed policies that recognize and address the risks posed by text messages. Notably, text messages create electronic records of the content of conversations while pages and phone calls do not. In fact, to the extent that text messages contain individually identifiable patient information, text messages create electronic protected health information (ePHI) that is stored as electronic media on the smartphone. This ePHI is subject to the same privacy and security standards as the full electronic health records (EHR) maintained on hospital and health care organizations’ servers.
I. Requirements of HIPAA and HITECH
HIPAA requires that health care providers maintain the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted by a covered entity. The HIPAA privacy rule limits provider disclosure of ePHI to authorized individuals and entities, and enumerates the reasons for which providers may or must disclose PHI or ePHI. The HIPAA security rule requires providers to protect PHI or ePHI from any threats to access and potential disclosure to unauthorized persons, and requires providers to have a plan of action if such a disclosure occurs. For ePHI, these security standards typically require, among other steps, encrypting ePHI, storing ePHI on a secure network, authenticating receivers of information, and implementing protocols for destruction or permitted alteration of ePHI. In turn, if a breach of information occurs, HITECH requires that covered entities and business associates report any breach of ePHI to the HHS Office for Civil Rights (OCR).
Unfortunately, it is difficult to see how SMS or text messaging of ePHI can meet the requirements of the HIPAA security rule for most health care providers and organizations. Traditional SMS messages are not encrypted, texts may stay on a telecommunication provider's server for indefinite periods of time, and there is no way to authenticate the recipient. Text messages do not provide the same opportunity for voice identification between health care providers, and it is possible for any person with access to a health care provider’s mobile device to view or reply to a message instead of the intended recipient. Text messaging services also offer little protection from the most significant danger to the privacy and security of texted ePHI: the unintended recipient. In the case of an unintended recipient, not only could the recipient view the information, but the receiver may also forward it to others.
Text messaging ePHI to unintended recipients likely constitutes a HIPAA breach. HITECH defines a breach as any access, use, or disclosure to an unauthorized individual except where it is clear the unauthorized individual would not have been able to access the information. Notably, the latest rules presume that any unauthorized disclosure is a breach and require reporting to OCR unless there is a documented low probability that the PHI was compromised. A provider must analyze a number of factors, listed in the OCR rules, based upon the facts surrounding the breach to determine whether there is a low probability the information was compromised. These include the type and amount of PHI involved, whether the PHI was actually viewed, the identity of the unintended recipient(s), whether the recipient(s) have provided assurances that the information has been destroyed, and whether the risk to the PHI has been mitigated.
Even if a health care provider conducts a risk analysis and determines that it can consistently implement and supervise adequate security measures, it is doubtful that most popular text messaging services can make the transmitted ePHI available when required. For example, following a detailed message from a nurse about the condition of a patient, a doctor may issue an order via a reply message. In what may be a brief exchange, the nurse’s message and the doctor’s texted reply have become ePHI. Because the recorded conversation is now ePHI, it must be made available in the patient’s medical record. Unless the text messaging application integrates with an EMR system and associates the exchange with the correct patient record, preserving future access to the texting record seems next to impossible.
II. Other Considerations
Concern over text messaging within health care organizations has grown in areas outside HIPAA compliance. For example, the Joint Commission for Physician Accreditation has stated that it is not acceptable for physicians or other health professionals to text orders for patients to hospitals or other health care settings. The Commission highlighted authentication and the recording of orders in the hospital record as the primary issues with this method of communication.
In addition, nursing facilities should be concerned with possible survey citations for privacy issues related to texting. For example, in the case of a North Carolina nursing facility, nurses texted patient information to physicians or physician assistants for several residents. The physician or physician assistants had allegedly requested to be texted the information and there were no allegations that the information went to the wrong person or that any unauthorized person saw the resident’s information. However, the texting violated a facility policy that prohibited transmitting confidential information via mobile devices. The facility received an “E” level deficiency (no actual harm but potential for more than minimal harm) under FTag 164. That tag does not mention HIPAA, but only recites the standard that facilities “keep each resident’s personal and medical records private and confidential.”
CMS imposed a 10-point directed plan of correction that required the facility to, among other actions, hire an outside independent contractor to train staff and management, revise HIPAA policies and procedures, designate a HIPAA compliance officer, and notify all residents and families of the alleged HIPAA violation and the steps taken to remedy it. Some of the actions required in the directed plan of correction extended beyond HIPAA’s requirements (such as the notification of all residents and families).
Health care organizations should first determine the extent to which text messaging may be in use among providers. Organizations should then develop appropriate policies, procedures, and training to prevent inappropriate uses of text messaging services. Although traditional SMS and popular text messaging services are unlikely to meet the privacy or security requirements as identified in a HIPAA risk analysis, there are other options available that may provide the benefits of text messaging in a HIPAA compliant manner.
Programs for HIPAA compliant emails of ePHI are already in use by providers. These programs use secure attachments and require the recipient to sign in with a password before viewing sensitive information. Similar to these email programs, third party texting services can help providers ensure compliance with the HIPAA security rule. While development of such applications is still relatively young, some secure messaging platforms address many HIPAA concerns, including recipient authentication, a limited address book, remote text deletion, notification when a text is delivered/read, encryption of texts, and secured attachments of pictures, charts, and even voice notes. Some platforms permit the user to control the lifespan of a message so that the message automatically deletes itself from a mobile device within a certain time period while messages are stored long term on a secure server.
Most importantly, a few secure texting apps allow health care organizations to integrate their EHRs with the secure texting program, permitting users both to attach information from the EHR to their messages and to add information to the EHR based on their text conversations. Health care organizations that choose to consider a secure texting platform should keep in mind the three requirements for securing PHI: confidentiality, integrity, and availability. Any platform chosen must satisfy all three elements.
For those health care organizations who do not wish to invest in a third party texting program, there are additional options that may be available without violating HIPAA’s rules. An alternative to third party text servers may be facility policies and staff training that permit limited uses of text messaging that do not include PHI or other confidential information (such as quality assurance and performance improvement communications). For example, an organization may develop a protocol that permits nurses to text requests for attending physicians to call them back within a specific timeframe, depending on the urgency of the matter.
Although texting has become an efficient method of clinical communication, now is the time to determine whether current practices comply with HIPAA requirements. Health care organizations should consider reviewing or drafting policies to prevent future privacy concerns and work closely with their network of health care providers to ensure that the entire health care team understands the expectations for appropriate text messaging.
Should you or your organization have any questions regarding the role of text messaging in patient care, please contact Peter Mellette (Peter@mellettepc.com), Harrison Gibbs (Harrison@mellettepc.com), Nathan Mortier (Nathan@mellettepc.com), or Elizabeth Dahl (Elizabeth@mellettepc.com) or call Mellette PC at (757) 259-9200.