Text messaging is often the preferred method of communication for many people today. It does have great advantages with its simplicity, instant delivery, and convenience. However, I did not mention security on that list. Text messaging is not secure by default. Yes, you can secure it but that requires apps, platforms, and planning. The bottom line is the communication method most people call text messaging is not secured enough to send and receive PHI without patient authorization to use it.
Before we get started with today’s topic let’s touch on some OCR guidance that came out recently. We have talked about this topic before after the Pulse Nightclub tragedy. HIPAA is not a barrier to patient care but it often gets accused of being one. It is important to educate clinical staff on what really applies. The OCR guidance made it very clear what is acceptable.
Informing persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety.
For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge.
It also makes another point very clear:
HIPAA respects individual autonomy by placing certain limitations on sharing health information with family members, friends, and others without the patient’s agreement.
For patients with decision-making capacity: A health care provider must give a patient the
opportunity to agree or object to sharing health information with family, friends, and others
involved in the individual’s care or payment for care.
The provider is not permitted to share health information about patients who currently have the capacity to make their own health care decisions and object to sharing the information (generally or with respect to specific people) unless there is a serious and imminent threat of harm to health as described above.
All of this doesn’t mean you can run amok with patient information if you deem something a crisis. For example, I know of a case where a nurse overstepped in a situation. In that case, there was a child that came in with a problem that turned out to be a contagious, intensely itchy skin condition caused by a tiny, burrowing mite. Yes, this is a problem. Is it a crisis, not really. However, the nurse knew a good friend of the family. When they had not been able to reach the child’s mother the nurse sent a text message to the friend of the family. She disclosed the diagnosis. Then, called in a cream for the friend since she had been exposed. The friend also disclosed to her boyfriend who had been exposed and the nurse called in a cream for him too.
There are several problems here. There was clearly no imminent danger of anything but itching like crazy. A disclosure was not necessary. Secondly, though, it was definitely not something that should be done via text messaging. A perfect segway to the topic for the day.
Text messaging is not secure
In almost every training session, meeting, or group talk that I do someone will ask me about using text messaging for communicating with doctors, clinical staff, and patients. It is done on a daily basis all over the place no matter what anyone says.
First, let’s be clear about what kind of messaging falls into this category. There is text messaging, SMS messages, and instant messages.
Why is text messaging not secure enough for HIPAA?
- Text messages are stored on your carrier’s server and they are not obligated to protect them there.
- There is no Business Associate Agreement in place with your phone carrier
- Other people may get access to your messages which results in improper disclosures.
What are the alternatives?
You can’t solve the text message security problem with just using WhatsApp or Signal or whatever your kids use to keep you from reading their messages. There are countless applications available out there for securing messages properly and meeting HIPAA requirements. Some of those texting applications are pricey but others are reasonable. No matter what you get they must address all the issues above.
How do most of this alternatives work?
What should you look for when selecting a messaging app?
What about patient communications via text messaging?
It is certainly clear that people will use some sort of instant messaging application. You can not just assume you can tell people not to do it and they won’t do it. It must be addressed and your staff must be trained on properly securing all messages that contain PHI.