
Will Texting Be Your Friend or Foe When It Comes to HIPAA?

While recently visiting a few physician offices where texting is commonplace among physicians and staff, I asked staff whether they were following the HIPAA safeguards for texting. Most often, the answer was, "Sure, we are HIPAA compliant. No worries here."
A little more digging and a few more questions proved otherwise. In just a small sample of physician offices, physicians and staff were violating the HIPAA privacy and security rules while texting on a daily basis. These were not intentional violations; they occurred simply because staff weren't aware that text messages carrying patient information need to be encrypted.

Here are a few examples of HIPAA violations that were found, all involving unencrypted text messages:

  1. A doctor texted an MA on the MA's personal mobile phone, asking the MA to text him the lab results for a patient he was planning to see in the hospital that day. Unbeknownst to the physician, the MA was not scheduled to work that day. Fortunately, the MA had her phone with her and called the office to ask a co-worker to contact the physician with the lab results. Neither the physician nor the MA had encrypted text messaging.
  2. A doctor asked a staff member to take a picture of the most recent progress note from a treating specialist and send the picture of the specialist's report to the doctor's unencrypted phone.
  3. An NP took a picture of a patient's lesion with her personal mobile phone and sent it, unencrypted, to her supervising physician.
  4. An office manager routinely scans patient EOBs and texts the scanned images, unencrypted, to the outside biller.
  5. Many doctors believe that unencrypted texting with their staff about patients is HIPAA compliant because the messages stay between office personnel. It is not: what protects the PHI is the channel it travels over, not who is on the other end.
  6. Doctors and staff frequently text with patients about appointments, medical conditions, and medication questions, and also believe they are HIPAA compliant as long as the patient chose this mode of communication, even though the messages are unencrypted. HHS has said a provider may honor a patient's own request for unencrypted email or text after advising the patient of the risks, but that accommodation covers only the patient's messages; it does not extend to traffic between the doctor and staff.

Under HIPAA, protected health information (PHI) sent from or stored on a mobile device used for texting should be encrypted to keep it from unauthorized access. The Security Rule lists encryption of electronic PHI, both in transit and at rest, as an "addressable" implementation specification: a practice must either implement it or document why it is not reasonable and appropriate and put an equivalent safeguard in place. For PHI sent by text from a personal phone, encrypted messaging is the expected control.

HealthIT.gov offers the following guidance when setting up encryption on a mobile device:

How can you encrypt data that are stored on your mobile device?

Encryption methods vary with the device. You will need to research your mobile device’s encryption capability. If your mobile device does not come with built-in encryption, you will need to download an encryption application. Research mobile apps before downloading them to your mobile device to verify they are from a trusted source.

Why should you encrypt data sent by your mobile device?

When you encrypt data in motion, you prevent unauthorized virtual access to the data while it is in transit (e.g., accessing an EHR system or lab test results using your mobile device). Carefully consider the risks associated with sending text messages containing protected health information. To improve the protection of information being sent in a text message, consider using secure messaging that is encrypted instead of SMS (Short Message Service), which is not.

For additional security when texting, disable SMS preview on your device. If you do not have SMS preview disabled on your device, then others can view text messages on your device’s locked screen without authenticated or authorized access.

How can you encrypt data that are sent by your mobile device?

There are several different ways to encrypt data in motion, such as a virtual private network (VPN) or a secure browser connection (HTTPS). Note that these protect the device's IP traffic, for example an EHR app or an encrypted messaging app, but not SMS: text messages are handled by the carrier's messaging service, outside the device's data connection, so a VPN does not protect them. Messages carrying PHI need to go through an application that encrypts them itself.

As we hear of HIPAA breaches continuing on a daily basis, it is extremely important that medical offices that use texting as a mode of communication within the healthcare organization and with their patients take the steps to ensure that text messages are secure and patient health information is protected.


Sue Jones is a Senior Risk Management and Patient Safety Specialist for CAP. Questions or comments related to this article should be directed to sjones@CAPphysicians.com. The information in this publication should not be considered legal or medical advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.