Practice Management Alert

What Would You Do?:

Check HIPAA Pitfalls Before Texting

Question: Some of our providers are interested in the cutting-edge use of technology in patient care. For example, the physicians would like to be able to text with patients who have questions. Don’t we risk HIPAA violations if they communicate via text messages with patients, though?

New York Subscriber

Answer: The biggest overall HIPAA-related issues with text messaging are privacy and documentation. Consider these issues carefully before deciding to use texting in your patient communications.
 
Privacy: Patients may not appreciate the risk of privacy loss through texting, warns Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems LLC in Charlotte, Vt. Also, texting is a new technology and people will not understand it fully for quite some time.
 
“HIPAA does require you to do your best to meet patient preferences for communication methods,” Sheldon-Dean reminds. You must use a Risk Analysis to evaluate and explain the risks to patients, he adds.
 
Documentation: “Regular texting doesn’t provide a paper trail of conversations and contacts,” Sheldon-Dean says. If a communication is part of patient care, you must document it properly, and that requires more than regular texting. A secure, traceable texting technology is important when you’re texting medical record information.
 
If personal health information (PHI) is included in texts between you and your patient, “the messages may be subject to HIPAA in more ways than just security,” Caswell agreed. You may need to save texts for a legally required time period, allowing the patient to access and amend the text messages. And if you choose to delete the texts for security purposes, you may be violating HIPAA’s retention requirements.
 
Many things can go wrong when it comes to text messaging with patients or other providers. For example, you might end up providing information to the wrong person due to poor authentication and access controls, Sheldon-Dean warns. This situation would lead to a “small” breach and a healthcare threat.
 
Or you could accidentally provide incorrect information about a patient, “perhaps by faulty authentication or a poorly performing app, causing a healthcare threat,” Sheldon-Dean cautions. And if you use an unsecured text messaging app, data may remain and be accessible on systems.
 
Plan ahead: If, after weighing the pros and cons, your practice decides to communicate with patients via text, you should implement policies and procedures that establish safeguards and reduce liability exposure, says attorney Michelle Caswell, JD, in a recent blog posting for Clearwater Compliance LLC. Caswell offers the following tips for creating solid policies and procedures:
 
1. Include only non-urgent information. If you’re texting with a patient, include only non-urgent information like appointment reminders or prescription refills. If you have a secure patient portal, you could use text messaging simply to alert the patient to a message in the portal.
 
2. Don’t communicate identifiable information. Avoid texting any information that is specific and identifiable to the patient, such as patient ID numbers, treatment details or names of conditions.
 
3. Double-check the number. Always ensure that the number you’re using to contact the patient is the appropriate number to send texts.
 
4. Include treatment texts in the medical record. If texts are related to patient treatment, you must include the contents of the texts in the patient’s medical record.
 
5. Put a mobile device management plan in place. Your mobile device management plan should include:
 
  • Encryption of mobile devices;
  • Password protection;
  • Guidelines on whether employees can use their own devices or if they must use only company-owned devices;
  • Monitoring/audit of all text messages; and
  • Use of applications that will allow the phone to verify a device prior to sending (similar to credit card companies that allow you to verify your phone prior to sending data).