Explore
May 21, 2014

Doctors Who Text: Is This a HIPAA Violation?

, SHARE:

 

Doctors Who Text: Is This a HIPAA Violation?

In the 1980s a new phenomenon came on the scene known as short message service (SMS), more commonly referred to as text messaging. And the world has never been the same! It took approximately 20 years for the technology to evolve, but now trillions of text messages are sent every year. As with all technology, there are positive and negative uses, secure and nonsecure uses.

People tend to embrace innovations that make life simpler or quicker and hopefully solve a problem. Text messaging is one of those things – simple, quick, and it solves a problem. What’s not to like!? If you are a health care provider and subject to HIPAA regulations, texting anything that includes protected health information (PHI) is a security concern. These messages can go through unsecured channels and can be stored for an undetermined amount of time on the servers of your mobile device carrier. I would venture to guess that health care providers have not considered that these text messages could persist for a long time and eventually come back to haunt them.

In the midst of a family medical problem, I discovered the troubling practice of doctors transmitting private health care information regarding their patients via text messaging. The more I saw this, the more my mind turned over all the negative possibilities these actions present. Don’t get me wrong, I can definitely see the advantages as far as improving responsiveness to patient needs, but as a computer forensics examiner, I am still weighing the pros and cons for the doctors themselves.

On the pro side:

  • Texting is efficient.
  • Response time is much shorter than with previous laborious communication workflows.
  • Information does not pass through several intermediaries before reaching the decision maker – it is direct.
  • Groups of doctors can be included on a single text so better decision making is possible.
  • More information can be readily available to doctors – i.e., medical histories, lab results, pictures.
  • On-call notifications can be handled more expeditiously.

On the con side:

  • Text messages are not encrypted.
  • Text messages are often stored on the service providers’ servers, which are not secure.
  • The sender of the text message cannot verify that the message is actually going to the intended recipient.
  • Individual phones are not always pass code protected.
  • Phones may be left unattended, lost or stolen, which may compromise patient data.
  • Disposal of the phone at the appropriate time may not be handled in a compliant manner.

 

So Why Is This a Big Deal?

Text messages (or SMS messages) are inherently not secure nor HIPAA compliant. Texting PHI can expose a practice to security violations that could result in breaches, litigation or financial issues just to name a few negative impacts. It is unlikely anyone will go to jail because of this, but there is a possibility of hefty fines being levied against health care providers involved in texting.

As a certified computer forensics examiner, I am able to locate deleted text messages, emails, pictures and the like in the event of a lawsuit resulting from any action taken by a patient. We are being asked more often these days to collect phones and tablets when litigation is anticipated. A “snapshot in time” is taken of these devices the same as for computers and laptops. The data is processed and reviewed during the course of a lawsuit.

Proactively working to manage risks now can mitigate future problems. A physician works long and hard to build a practice and reputation which could be lost if any violations occur.

Possible Solutions

Every organization, both large and small, should perform a risk analysis to best decide how to proceed with texting or messaging in a secure manner. The risk analysis should identify any threats and vulnerabilities to patients’ PHI. In some instances, best practices may dictate that texting be prohibited until threats and vulnerabilities can be effectively managed.

Technology will undoubtedly continue to drive our world to become more efficient. The medical community has a lot to gain from this efficiency; it works to the advantage of both the physician and the patient. As long as risk is mitigated at the outset, the chances of security breaches and litigation can be taken out of the equation.

 

Related Articles

Posted May 23, 2011
Xact Data Discovery HIPAA Administrator Achieves HIPAA Privacy and Security Expert Certification
May 23, 2011 - Xact Data Discovery has held HIPPA Certified Business Associate status and maintained a Certified HIPAA Professional (CHP) on staff since 2010...
Doctors Who Text: Is This a HIPAA Violation?
Article 6 / 6
Posted October 17, 2017
Mobile Devices Wrap-Up – Mobile Device Discovery Series, Part 6
When considered together, the twelve cases we reviewed suggest a few key points to remember regarding mobile devices in eDiscovery: the fact that mobile devices are a novel or challenging source is no excuse to skip them; there will be potentially serious consequences for inadvertent losses from mobile devices, and there will be very serious consequences for intentional spoliation of mobile device data; and, it may be possible to establish the prior existence of lost text messages using phone records from the relevant wireless carrier. Read on to review the three other main key points from the case law as well as the key takeaways from our review of mobile devices in eDiscovery.
Doctors Who Text: Is This a HIPAA Violation?
Article 4 / 6
Posted October 6, 2017
A New Mobile Devices Case Every Few Months – Mobile Device Discovery Series, Part 4
In this case law survey, we will briefly review a dozen cases from across the past five years that have touched on mobile device discovery issues.  We will review them in chronological order: E.E.O.C. v. Original Honeybaked Ham Co. of Georgia, Inc., Garcia v. City of Laredo, Pradaxa Products Liability Litigation, Hosch v. BAE Systems Information Solutions, Inc., Small v. Univ. Med. Center of S. Nevada, and Rajaee v. Design Tech Homes.

Because you need to know

Contact Us