A ton of patient information exchanges hands daily: patient to doctor, doctor to patient, doctor to doctor, doctor to hospital, and so on. Much of this exchange is now by text messaging, as many doctors find it faster and more efficient than emails and phone calls. Unfortunately, doctors are often completely unaware of the legal pitfalls involved in text messaging and how to avoid them.
Deleting a text message that includes protected health information (PHI) can be a HIPAA violation. Just like any other patient interaction, PHI text messages must be retained for a designated period of time, and patients must be given access to these messages for review and revision. To assure safe-keeping, any text message involving a patient's history, diagnosis, or treatment should be documented in the patient's record.
Then there are the privacy and security risks of text messaging. How do you know your text message is being read by the intended recipient? What if the device you're using is lost or stolen? Although not referring specifically to text messages, HIPAA security rules require patient health information be protected from potential access by unauthorized persons, and that there be in place an action plan should a breach occur.
Texting from doctor to hospital is also a liability risk. Since 2011, the Joint Commission has warned that "it is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other health care settings. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.
Weighing the risks involved, some medical practices may simply choose to prohibit the texting of patient information to anyone. The other option is to find ways to reduce liability exposure by creating a well-designed text messaging policy, as recommended in Medical Economics (May 23, 2014):
- Inform patients about the practice's text messaging policy. Their consent, or lack of consent, should be included in each patient's record.
- Set in place a process for verifying who receives a message.
- Text messages must be easily accessed, monitored, and audited.
- Text messages with patients must become part of the medical record before being deleted from the device.
- Text messaging should not be used in case of an emergency (patients must be made aware of this policy).
- Devices used for text messaging must be password protected and encrypted.
A frequently asked question is "Which encryption solution is best?" It depends, according to LuxSci, a company that offers SecureChat and SecureText, two HIPAA-compliant solutions. SecureChat is more suited for practices with frequent "back-and-forth" discussions with patients. The app-free SecureText is more appropriate for practices that send more general information, such as "You have an appointment."
A comprehensive review of several other companies that provide HIPAA-compliant encrypted solutions can be found at totalhipaa.com (blog for August 16, 2016). Detailed information is provided for TigerText, Zinc, Qliqsoft, and Spok Mobile. According to the article, each of these applications has a free version to try before deciding which program is best-suited to an individual practice.