I came across this very recent and intriguing investigation conducted by Sue Jones of the Cooperative of American Physicians (CAP). Per the article below, Sue visited physician offices where smartphones and texting have become routine, and asked whether staff were following the HIPAA safeguards for texting.
Will Texting Be Your Friend or Foe When It Comes to HIPAA?
by Sue Jones, BA, LVN, CPHRM
While recently visiting a few physician offices where texting is commonplace among physicians and staff, I asked staff whether they were following the HIPAA safeguards for texting. Most often, the answer was, “Sure, we are HIPAA compliant. No worries here.”
Here are a few examples of HIPAA violations found while unencrypted text messages were being sent:
- A doctor texted an MA (on the MA’s personal mobile phone) asking the MA to text him the lab results for a patient the physician was planning to see in the hospital that day. Unbeknownst to the physician, the MA was not scheduled to work that day. Fortunately, the MA had her phone with her and called the office to ask a co-worker to contact the physician with the lab results. Neither the physician nor the MA had text message encryption.
- A doctor asked a staff member to take a picture of the most recent progress note from a treating specialist and to send the picture of the specialist’s report to the doctor’s unencrypted phone.
- An NP took a picture of a patient’s lesion with her personal mobile phone to send to her supervising physician. She sent it unencrypted to the physician.
- An office manager routinely scans patient EOBs and texts the scanned information unencrypted to the outside biller.
- Doctors and staff frequently text with patients about appointments, medical conditions, and medication questions, and also believe they are HIPAA compliant as long as the patient chooses this mode of communication, even though it is unencrypted.
Under HIPAA, protected health information (PHI) sent by text from a mobile device should be encrypted so that unauthorized users cannot access it.
HealthIT.gov offers the following guidance when setting up encryption on a mobile device:
How can you encrypt data that are stored on your mobile device?
Encryption methods vary with the device. You will need to research your mobile device’s encryption capability. If your mobile device does not come with built-in encryption, you will need to download an encryption application. Research mobile apps before downloading them to your mobile device to verify they are from a trusted source.
Why should you encrypt data sent by your mobile device?
When you encrypt data in motion, you prevent unauthorized virtual access to the data while it is in transit (e.g., accessing an EHR system or lab test results using your mobile device). Carefully consider the risks associated with sending text messages containing protected health information. To improve the protection of information being sent in a text message, consider using secure messaging that is encrypted instead of SMS (Short Message Service), which is not.
For additional security when texting, disable SMS preview on your device. If SMS preview is not disabled, others can read text messages on your device’s locked screen without authenticated or authorized access.
How can you encrypt data that are sent by your mobile device?
There are several different ways to encrypt data in motion, such as a virtual private network (VPN) or a secure browser connection.
With HIPAA breaches reported on a daily basis, it is extremely important that medical offices that use texting as a mode of communication, both within the healthcare organization and with their patients, take the steps needed to ensure that text messages are secure and patient health information is protected.
Sue Jones is a Senior Risk Management and Patient Safety Specialist for CAP. Questions or comments related to this article should be directed to sjones@CAPphysicians.com. The information in this publication should not be considered legal or medical advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.