For most physicians, the nights of 2:00 a.m. “911” beeper alerts are long gone, hastily replaced by smartphone text messages, e-mails and Facebook chats.
But new technology brings new privacy issues, and in certain cases it has led to practices suffering hefty HIPAA penalties for not adequately protecting personal health information (PHI).
Because the HIPAA privacy and security regulations were drafted during the Clinton administration and finalized during the George W. Bush presidency, they do not clearly address new alternative forms of doctor-patient communication. If you recall, SMS texting was not widely used back then and Facebook was nonexistent.
So we thought it would be a good idea to address how HIPAA applies to modern-day doctor-patient communications.
CTIA, the nonprofit association that represents wireless carriers, reports that Americans sent 258.2 million texts a month in 2001, 18.7 billion in 2006 and a booming 193.1 billion by the end of 2011.
If you are a practicing physician, these numbers should not be ignored. Texting is a major means of communication for many of your patients, particularly if you treat teenagers.
Texting has obvious social advantages, but it also has a clear use in healthcare delivery. Texting is fast, direct and simplifies the traditional pager and callback workflow that hospitals and other organizations have used for decades.
The problem is that traditional SMS messaging is fundamentally flawed in terms of security and HIPAA compliance.
“Messages containing electronic PHI can be read by anyone, forwarded to anyone, remain unencrypted on telecommunication providers’ servers, and stay forever on sender’s and receiver’s phones,” said Andrew A. Brooks, MD, an orthopedic surgeon and cofounder and chief medical officer of Tigertext, a secure mobile messaging platform designed to help hospitals and businesses improve workflow and reduce risk.
It boils down to the fact that senders cannot authenticate the recipient of SMS messages. Studies have shown that 38 percent of people who text have sent a text message to the wrong person.
As a result, The Joint Commission has banned physicians from using traditional SMS for any communication that contains ePHI data or transmits a patient order to a hospital or other healthcare provider. A single violation for an unsecured communication can result in a fine of $50,000; repeated violations can lead to $1.5 million in fines in a single year, not to mention the reputational damage done to an organization and its ability to attract patients.
Healthcare vendors have begun releasing paid apps that promise secure texting that allows physicians and medical professionals to communicate within a HIPAA-compliant platform. However, many of these apps have yet to be vetted by a government agency.
While the HIPAA privacy rule allows providers to communicate with their patients electronically, it mandates that certain safeguards be implemented when doing so.
For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking e-mail addresses for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.
In addition, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail.
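The two e-mail safeguards just described (confirm the address before any PHI goes to it, and limit what goes over unencrypted mail) can be enforced in software rather than left to habit. The following is an added illustration written for this article, not code from any vendor named here; the field names, the `AddressBook` class and `compose` function are hypothetical.

```python
import secrets
from dataclasses import dataclass, field

# Constructed list of fields treated as PHI for the "minimum necessary"
# rule over unencrypted e-mail (hypothetical names, not from any standard).
PHI_FIELDS = {"diagnosis", "medication", "lab_result"}


def normalize_address(address: str) -> str:
    """Basic accuracy check: one '@', no whitespace, case-folded."""
    addr = address.strip().lower()
    if addr.count("@") != 1 or any(c.isspace() for c in addr):
        raise ValueError(f"malformed e-mail address: {address!r}")
    return addr


@dataclass
class AddressBook:
    """Tracks which patient addresses have confirmed ownership."""
    pending: dict = field(default_factory=dict)   # token -> address
    confirmed: set = field(default_factory=set)

    def start_confirmation(self, address: str) -> str:
        # The token goes out in a PHI-free alert; the patient returns it.
        token = secrets.token_urlsafe(16)
        self.pending[token] = normalize_address(address)
        return token

    def confirm(self, token: str) -> bool:
        # Single-use: a replayed or guessed token confirms nothing.
        addr = self.pending.pop(token, None)
        if addr is None:
            return False
        self.confirmed.add(addr)
        return True

    def is_confirmed(self, address: str) -> bool:
        return normalize_address(address) in self.confirmed


def compose(book: AddressBook, to: str, fields: dict, encrypted: bool) -> dict:
    """Return the fields allowed to go to `to`; refuse unconfirmed recipients."""
    if not book.is_confirmed(to):
        raise PermissionError(f"recipient not confirmed: {to}")
    if encrypted:
        return dict(fields)
    # Unencrypted channel: keep logistics, strip PHI-bearing fields.
    return {k: v for k, v in fields.items() if k not in PHI_FIELDS}
```

The gate fails closed: a message to an address that never completed confirmation is rejected outright, and over plain e-mail only non-PHI logistics survive.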
Want to learn more? Well, we published an article on doctor-patient e-mail best practices if you’re interested.
You may have encountered patients who prefer to communicate with you through social media sites like Facebook or Twitter, but always keep in mind that anything posted on these websites is effectively public.
If a patient asks you a treatment-related question through Facebook, it’s probably best if you call them directly with a response. You wouldn’t want the wrong person reading the message and causing you to violate the HIPAA privacy rule.
Now that we’re on the subject, it’s also a good idea to monitor your employees’ social networking use during work hours, because there are many ways in which misuse could result in employer fault under HIPAA.
This includes employees simply discussing their work frustrations or unusual health care cases they’ve encountered. For example, in one case, a group of nurses began using Facebook to provide shift change updates to their coworkers. They did not use patient names, but they did post enough specifics about patients so that incoming nurses could prepare for their shift.
These disclosures were made with the best of intentions, but obviously violated HIPAA constraints. Omitting a patient’s name does not guarantee that the person cannot be identified. The uniqueness of a medical condition combined with the time and date of a visit could be enough for people to identify a patient.
Always remember to never transfer PHI through non-secure methods of communication. While we applaud your progression into the next epoch of doctor-patient communication, we’re also watching your back and don’t want to see you penalized.
It’s only a matter of time before the Department of Health and Human Services releases specific guidelines for the aforementioned mediums. As always, we’ll stay on top of it and bring you any breaking HIPAA updates as they happen.
What problems have you encountered when communicating with patients outside of the practice? Let us know in the comments section below.