Do you exchange text messages with patients?
Drolet BC et al: Electronic Communication of Protected Health Information: Privacy, Security, and HIPAA Compliance. J Hand Surg Am. 2017 Jun;42(6):411-416
The Ethics and Professionalism Committee of the American Society for Surgery of the Hand recently published the results of a survey that they had sent to Hand Society members. The survey regarded members’ knowledge of and compliance with security and privacy standards for transmission of health information by text messaging.
The survey was first piloted to hand surgeons at the authors’ institutions and was then revised for content and clarity. Thereafter it was sent to the membership of the Hand Society. Four hundred nine (11%) surgeons responded. Ninety percent were actively practicing, 5% were retired, and 5% were in training. The average age was 52 years, and 85% were men. They were evenly distributed across the United States.
RESULTS: Sixty-three percent of respondents indicated that they used text messaging to communicate protected health information (PHI). When this incidence was analyzed by respondent age, 77% of surgeons under 45 years old transmitted PHI by text, while 48% of those over 60 years old texted PHI. For all ages combined, 83% of respondents used text to transmit images. Nearly two-thirds of respondents believed that texting from their personal electronic devices was not HIPAA compliant.
DISCUSSION: Although the majority of hand surgeons transmit PHI by text messaging at least occasionally, they do so in apparent willful neglect of the HIPAA Security Rule, where the fines for noncompliance can range up to $50,000.
The risks identified with use of personal mobile devices for transmission of PHI include the fact that the devices may be lost or stolen, that PHI may be unintentionally disclosed to nearby onlookers, messages remain in the mobile devices indefinitely, institutions cannot monitor or provide oversight of personal devices, and electronic PHI may be accidentally misdirected.
The Department of Health and Human Services suggests but does not require the following safeguards to prevent accidental disclosure of PHI: using strong password protection, encrypting the device and the messages it contains, securing the device from theft, and not sharing the device.
An alternative approach would be to de-identify patients who are described in text messages. This measure, however, requires diligence to remove, among other things, patient name and initials; any geographic locations smaller than a state; no dates more specific than years; phone and fax numbers; email addresses; Social Security, medical records and health insurance numbers; and full-face photographs.
COMMENT: I suspect that the results of a similar poll of hand therapists regarding use and understanding of texting PHI would parallel the results this study determined for hand surgeons. So be careful what you text and to whom. Phone calls are secure. Faxing, providing you are sure the number is correct, seems to be ok. Email is notoriously unsecure, although some institutions now have encrypted systems in place that make provider-patient and provider-provider emails secure. Electronic transmission and storage of information is a boon to modern health care delivery. It, however, comes with costs and precautions.