Doctors Who Text: Is This a HIPAA Violation?

Doctors Who Text: Is This a HIPAA Violation?

In the 1980s a new phenomenon came on the scene known as short message service (SMS), more commonly referred to as text messaging. And the world has never been the same! It took approximately 20 years for the technology to evolve, but now trillions of text messages are sent every year. As with all technology, there are positive and negative uses, secure and nonsecure uses.

People tend to embrace innovations that make life simpler or quicker and hopefully solve a problem. Text messaging is one of those things – simple, quick, and it solves a problem. What’s not to like!? If you are a health care provider and subject to HIPAA regulations, texting anything that includes protected health information (PHI) is a security concern. These messages can go through unsecured channels and can be stored for an undetermined amount of time on the servers of your mobile device carrier. I would venture to guess that health care providers have not considered that these text messages could persist for a long time and eventually come back to haunt them.

In the midst of a family medical problem, I discovered the troubling practice of doctors transmitting private health care information regarding their patients via text messaging. The more I saw this, the more my mind turned over all the negative possibilities these actions present. Don’t get me wrong, I can definitely see the advantages as far as improving responsiveness to patient needs, but as a computer forensics examiner, I am still weighing the pros and cons for the doctors themselves.

On the pro side:

• Texting is efficient.
• Response time is much shorter than with previous laborious communication workflows.
• Information does not pass through several intermediaries before reaching the decision maker – it is direct.
• Groups of doctors can be included on a single text so better decision making is possible.
• More information can be readily available to doctors – i.e., medical histories, lab results, pictures.
• On-call notifications can be handled more expeditiously.

On the con side:

• Text messages are not encrypted.
• Text messages are often stored on the service providers’ servers, which are not secure.
• The sender of the text message cannot verify that the message is actually going to the intended recipient.
• Individual phones are not always pass code protected.
• Phones may be left unattended, lost or stolen, which may compromise patient data.
• Disposal of the phone at the appropriate time may not be handled in a compliant manner.

So Why Is This a Big Deal?

Text messages (or SMS messages) are inherently not secure nor HIPAA compliant. Texting PHI can expose a practice to security violations that could result in breaches, litigation or financial issues just to name a few negative impacts. It is unlikely anyone will go to jail because of this, but there is a possibility of hefty fines being levied against health care providers involved in texting.

As a certified computer forensics examiner, I am able to locate deleted text messages, emails, pictures and the like in the event of a lawsuit resulting from any action taken by a patient. We are being asked more often these days to collect phones and tablets when litigation is anticipated. A “snapshot in time” is taken of these devices the same as for computers and laptops. The data is processed and reviewed during the course of a lawsuit.

Proactively working to manage risks now can mitigate future problems. A physician works long and hard to build a practice and reputation which could be lost if any violations occur.

Possible Solutions

Every organization, both large and small, should perform a risk analysis to best decide how to proceed with texting or messaging in a secure manner. The risk analysis should identify any threats and vulnerabilities to patients’ PHI. In some instances, best practices may dictate that texting be prohibited until threats and vulnerabilities can be effectively managed.

Technology will undoubtedly continue to drive our world to become more efficient. The medical community has a lot to gain from this efficiency; it works to the advantage of both the physician and the patient. As long as risk is mitigated at the outset, the chances of security breaches and litigation can be taken out of the equation.