Healthcare providers and their business associates are fast getting hip to the reality that it’s not OK to text protected health information (PHI).
Not only does unsecure texting of PHI run afoul of HIPAA privacy rules, but it’s also just too easy for texted PHI to be stolen, hacked, leaked or lost unless it is not safeguarded.
Lawyer Lisa Thompson of the LeClairRyan law firm amply underscores that message in a recent post on the Richmond, Va.-based firm’s blog.
Thompson notes that texting is popular for many reasons. It’s “easy, fast and efficient,” she points out. It’s also considerably less cumbersome than email, and you don’t need a computer to do it.
But for healthcare providers, all this convenience can be dangerous and can lead to unauthorized access to PHI, Thompson emphasizes.
Among the dangers:
- Anyone with physical access to the mobile device can view text messages on it
- Texts can be read when the device is lost, stolen or even returned or recycled
- Traditional security protections used by IT departments of HIPAA-covered entities, such as firewalls, may not cover texts, and so texts can be intercepted and decrypted
Another problem is that HIPAA also mandates that patients and their representatives, such as lawyers and families, have timely access to their health records. Thompson astutely notes that when texts are used in healthcare decision making, providers could be out of compliance with HIPAA if patients ask for the texts in question and providers can’t turn them over.
Thompson acknowledges that there is no easy response to these risks.
However, at the least, providers and business associates should include mobile phones and other devices on which PHI is created, transmitted, received and maintained in text form in any risk analysis, a step that HIPAA requires.
The clearest path to protecting texts in healthcare settings is by using secure texting technology, many in health IT say.
Indeed, secure messaging is one of the strategies Thompson lists for combatting the potential scourge of unprotected texts that contain PHI.
Others steps include:
- Establishing policies that require all texts to be deleted with a specified time period
- Using technology that can wipe information from devices or remotely disable mobile phones if they are lost or stolen
- Providing encryption and password protection
- Setting policies and guidelines that limit information contained in texts, such as not using patient names or other identifiers
- Requiring texted PHI to be added to formal health records and providing a technological mechanism for doing so
- Training employees on texting policies and procedures
- Handing down disciplinary measures for employees who violate texting policies
Healthcare providers would do well to heed Thompson’s advice.