Doctors Who Text: Is This a HIPAA Violation?
In the 1980s a new phenomenon came on the scene known as short message service (SMS), more commonly referred to as text messaging. And the world has never been the same! It took approximately 20 years for the technology to evolve, but now trillions of text messages are sent every year. As with all technology, there are positive and negative uses, secure and nonsecure uses.
People tend to embrace innovations that make life simpler or quicker and hopefully solve a problem. Text messaging is one of those things – simple, quick, and it solves a problem. What’s not to like!? If you are a health care provider and subject to HIPAA regulations, texting anything that includes protected health information (PHI) is a security concern. These messages can go through unsecured channels and can be stored for an undetermined amount of time on the servers of your mobile device carrier. I would venture to guess that health care providers have not considered that these text messages could persist for a long time and eventually come back to haunt them.
In the midst of a family medical problem, I discovered the troubling practice of doctors transmitting private health care information regarding their patients via text messaging. The more I saw this, the more my mind turned over all the negative possibilities these actions present. Don’t get me wrong, I can definitely see the advantages as far as improving responsiveness to patient needs, but as a computer forensics examiner, I am still weighing the pros and cons for the doctors themselves.
On the pro side:
On the con side:
So Why Is This a Big Deal?
Text messages (or SMS messages) are inherently neither secure nor HIPAA compliant. Texting PHI can expose a practice to security violations that could result in breaches, litigation or financial issues, just to name a few negative impacts. It is unlikely anyone will go to jail because of this, but there is a possibility of hefty fines being levied against health care providers involved in texting.
As a certified computer forensics examiner, I am able to locate deleted text messages, emails, pictures and the like in the event of a lawsuit resulting from any action taken by a patient. We are being asked more often these days to collect phones and tablets when litigation is anticipated. A “snapshot in time” is taken of these devices the same as for computers and laptops. The data is processed and reviewed during the course of a lawsuit.
Proactively working to manage risks now can mitigate future problems. A physician works long and hard to build a practice and reputation, which could be lost if any violations occur.
Every organization, both large and small, should perform a risk analysis to best decide how to proceed with texting or messaging in a secure manner. The risk analysis should identify any threats and vulnerabilities to patients’ PHI. In some instances, best practices may dictate that texting be prohibited until threats and vulnerabilities can be effectively managed.
Technology will undoubtedly continue to drive our world to become more efficient. The medical community has a lot to gain from this efficiency; it works to the advantage of both the physician and the patient. As long as risk is mitigated at the outset, the chances of security breaches and litigation can be taken out of the equation.