Texting protected health information (PHI) without proper safety and encryption processes in place could result in HIPAA/HITECH violations, noncompliance with CMS and accreditation requirements for secure text messaging, and violations of state medical information confidentiality laws. Because PHI goes where the phone goes, ensuring the privacy and security of PHI sent by text message can be challenging.
Cellphones are easy to lose and frequently stolen, and because they are often personal devices, users may not think to wipe stored text messages containing PHI when disposing of their phone. Messages on phones are also at risk of unauthorized access through eavesdropping and interception, and a sender can never be certain that a message sent in compliance with privacy and security practices will be viewed only by the intended recipient.
Text messaging should be included in a covered entity’s risk analysis and security measures implementation required under HIPAA.[1] The analysis can provide the foundation for administrative, physical, and technical controls that reduce the risks of text messaging to a degree that becomes reasonable and appropriate.[1] Although HIPAA-compliant text messaging apps exist, individuals continue to send text messages containing PHI using the pre-installed messaging app on their unsecured devices.[2] The success of a text messaging privacy and security plan, therefore, depends in significant part on individual compliance.
Risk Reduction Strategies
Clinicians and Staff
- Limit text message content to the minimum information necessary for the permitted purpose; however, refrain from using shorthand.
- Double check the recipient of all text messages containing PHI to ensure accuracy.
- Do not text highly sensitive PHI (e.g., mental health, HIV, substance abuse, or information about minors).
- Only use smartphones or applications that are set up or provided by the facility. If using a personal smartphone, ensure that the facility’s information technology (IT) department has approved it and that it meets all the privacy standards.
- Notify the privacy officer if a device is lost, stolen, or replaced.
- Ensure that misdirected text messages are documented in the HIPAA disclosure log.
- Ensure that phones used for texting PHI automatically lock when not used for a designated time (usually one to three minutes) and require password access.
Operations
- Develop a policy and procedure that either prohibits the texting of PHI or limits what information can be texted and implements precautions to ensure appropriate HIPAA, HITECH, and documentation compliance.
- Ensure appropriate HIPAA, HITECH, and documentation compliance protocols are understood and followed.
- Educate healthcare staff on risks (including the potential for monetary fines) associated with HIPAA and HITECH violations.
- Develop a comprehensive risk analysis and management strategy that identifies areas of vulnerability, implements “reasonable and appropriate” security measures, and puts monitoring systems in place to mitigate risk.
- Use HIPAA-compliant messaging technologies. According to The Joint Commission, “key features” of secure text messaging platforms include:
  - Secure sign-on process
  - Encrypted messaging
  - Delivery and read receipts
  - Date and time stamp
  - Customized message retention time frames[3]
- Prohibit text messaging PHI using devices and applications that are not compliant with HIPAA and HITECH standards.
- Address electronic messaging in medical staff by-laws.
- Require password protection and encryption for all devices that create, receive, or store text messages containing PHI.
- Implement audit controls and reporting processes to review and document any text messages containing PHI.
- Use a system that can authenticate the identity of the text recipient and the sender.
- Require remote wiping of all PHI from devices that are stolen, lost, or being retired.
This content originally appeared in Claims Rx, our claims-based learning publication available in the searchable Claims Rx Directory. For select releases, eligible insureds will also find instructions for obtaining CME credit.
Additional Resource
HIPAA Exams. “Texting Violation of HIPAA.” July 2020. — Strategies for setting up a text messaging system that promotes HIPAA compliance
References
1. Adam H. Greene. “HIPAA Compliance for Clinician Texting.” Journal of AHIMA 83, no. 4 (April 2012): 34-36.
2. Xinran Liu, et al. “Evaluation of Secure Messaging Applications for a Health Care System: A Case Study.” Applied Clinical Informatics 10, no. 1 (2019): 140-150. DOI: 10.1055/s-0039-1678607
3. “Can Secure Text Messaging be Used to Communicate Patient Care Orders?” The Joint Commission. December 28, 2017. Last reviewed April 27, 2022.