The ease, efficiency, and utility of text messaging isn’t lost on healthcare professionals, 90 percent of whom use it as a method for sharing information with colleagues, patients, and staff. Although text messaging may be our new preferred mode of communication, enthusiasts are well advised to momentarily put down their mobile devices and educate themselves on the existing legal restrictions, the emerging best practice recommendations, and the unique rules that currently govern provider-provider and provider-patient text messaging.
Rules and Recommendations for Provider-Provider Text Messaging
In December 2016, The Joint Commission issued a clarification statement establishing the following limitations on text messaging between providers:
► Unencrypted text messaging of communications that include PHI is prohibited.
The standard short message service (SMS) that conveniently exists on your mobile device is considered a prohibited, unsecure texting platform. All communications transmitted via this medium are vulnerable to hacking and unauthorized access, and can result in a HIPAA violation. The Office for Civil Rights regards the use of an unencrypted text messaging service for the communication of PHI as a HIPAA breach. The fines for a breach of HIPAA can be quite high: the fine for a single breach can be anything up to $50K per day if the vulnerability responsible for the breach is not attended to.
Here are a few examples of unencrypted text messaging that were found to be HIPAA violations:
- A doctor texted an MA (on MA’s personal mobile phone) asking the MA to text him the lab results for a patient the physician was planning to see in the hospital that day. Unbeknownst to the physician, the MA was not scheduled to work that day. Fortunately, the MA had her phone with her and called the office to ask a coworker to contact the physician with the lab results. Neither the doctor nor the MA had text messaging encryption.
- A doctor asked a staff member to take a picture of the most recent progress note from a treating specialist and to send the picture of the specialist’s report to the doctor’s unencrypted phone.
- An office manager routinely scans patient EOBs and then texts the scanned information, unencrypted, to the outside biller.
- Doctors and staff frequently text with patients about appointments, medical conditions, and medication questions and think they are HIPAA compliant as long as the patient chooses this mode of communication, even though it is unencrypted.
Over the last few years, more medical professionals have come to rely on their personal mobile devices to support their workflows. However, because so many healthcare professionals are using mobile devices, there is a considerable risk that PHI may be accessed by unauthorized people. This occurs because most apps and mobile devices do not require a log-in or log-out and, therefore, if the device is lost or stolen, the PHI stored in the device would be easily accessed and released to unauthorized individuals.
So, while it’s perfectly acceptable for staff to use an unencrypted texting service for messages such as “Doctor, you have patients waiting,” a text that includes a patient’s protected health information, such as “Mary Smith’s INR is 7,” would be considered a HIPAA violation.
The bottom line? If you’re texting your office staff, your colleague, the hospital nurses, sending photos, films, videos, reports, or communicating any PHI relating to a specific patient’s care – encrypt! Understand that attempts to circumvent encryption by masking the identity of a patient (using abbreviations or referring to a patient by location) can easily backfire and result in adverse events caused by patient misidentification. Also, physicians in private practice should understand that if their policy is to utilize unencrypted text messaging for practice management purposes only, there must be adequate education and training of staff to reinforce permissible versus impermissible texting content.
The Joint Commission has made several attempts to adopt a policy that will ensure a safe implementation of text messaging in healthcare. The Joint Commission is encouraging healthcare providers to develop policies and educate staff on the limitations of unsecure texting in the workplace. These might include:
- An inventory of all mobile devices used for texting ePHI (whether provider-owned or personal);
- Proper sanitization of mobile devices that text ePHI upon retirement of the device;
- Policies that prohibit or limit the type of information that can be shared via text;
- Training on the appropriate use of work-related texting; and
- Password protection and encryption for mobile devices that create, receive, or maintain text messages with ePHI.
► Texting orders is prohibited, even if secure.
Years ago, The Joint Commission established standards limiting the use of verbal orders to situations where a written order was either impossible or impractical. The Joint Commission recognized that verbal orders imposed a substantial clerical burden on nursing staff and also increased the potential for error by inserting yet another fallible human in the order entry process.
The Joint Commission likens text orders to verbal orders, with a few additional risks. Like verbal orders, text orders require nurses to transcribe orders into the EHR, adding to their clerical burden and increasing the likelihood for error. Additionally, as text messaging is an asynchronous interaction, it prevents nurses from being able to obtain immediate clarification on a text order or to respond instantly to Clinical Decision Support (CDS) alerts and recommendations — leading to further delays in care. Finally, there is no way to preserve original text documentation as validation of what was ordered.
CAP Risk Management and Patient Safety department recommends that members incorporate provider-provider and provider-patient text messages with clinical information into the medical record. From a defense standpoint, CAP data support the following defense challenge – but for the missing documentation of a telephone call or the text message, the case would have been dismissed or easier to defend.
Barry B. Cepelewicz, MD, JD, a contributing writer to Medical Economics, stated “Any text message that involves the transmission of information that would be considered PHI, including information relating to the treatment of your patients, should be considered part of, and therefore incorporated into, your medical record. Most physicians would readily agree that a letter from a patient describing a medical condition or correspondence from another treating physician offering treatment recommendations should be included in the medical record, and that a conversation relating to a patient’s care should be memorialized in the record.”
From a professional liability perspective, you would not want to put yourself in a position where a patient suing you for malpractice can make claims that hinge on various text messages between you and the patient, and you did not retain copies of those messages.
Authored by members of the CAP Education Committee – Hospital Education Subcommittee. A special thank you to Catherine Miller, JD, RN and to Jeffrey Shapiro, MD for their contribution to this article. The information in this publication should not be considered legal or medical advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.