Text Messaging Protected Health Information

The Robert Wood Johnson Foundation conducted a study finding that nurses spend as much as 60 minutes of each work day tracking down physicians for a response to their patient care questions. Many healthcare providers believe it would be more efficient to send text messages, both to streamline the workflow and to increase dialogue between physicians and patients. An issue arises, though, if the message contains Protected Health Information. Because text messages are electronic communications, such a message would be considered Electronic Protected Health Information (ePHI), which must comply with the Health Insurance Portability and Accountability Act (HIPAA).

Sending a HIPAA-compliant text message is challenging because text messages carry a great deal of risk. The risk stems from the fact that they are typically not encrypted, senders cannot authenticate recipients, recipients cannot authenticate senders, and ePHI can remain stored on wireless carrier servers. The Joint Commission has completely restricted physicians or licensed independent practitioners from texting orders for patients to the hospital or other healthcare setting, stating that “this method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.” However, texting ePHI is not explicitly prohibited by the HIPAA Security Rule.

The Security Rule requires that providers who want to send ePHI via text conduct a risk analysis. A risk analysis consists of “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” The Security Rule further requires that Covered Entities, and Business Associates acting on their behalf, implement administrative, physical and technical safeguards. The Security Rule does not propose specific safeguards, but provides a framework to assess and mitigate the risks associated with such transmissions. The American Health Lawyers Association has given examples of technical safeguards, such as unique user identification, automatic logoff, encryption/decryption, auditing and authentication.

Text messaging remains an attractive and cost-effective way to communicate ePHI. Ultimately, though, it is a policy decision in which the decision-makers must weigh the risks and benefits of sending PHI through text messages.