HIPAA Blog

[ Tuesday, July 29, 2014 ]

 

Don't Text and Heal:  Texting and HIPAA don't go well together; as I've said many times, texting is insecure, impermanent, and ill-suited for record-keeping purposes.  Texting PHI by providers could result in improper medical record-keeping, because information that would be recorded in the medical record if it were emailed or telephoned does not get charted, and many texting platforms do not retain information for indefinite periods of time.  Texting also may turn the provider's communication into "telemedicine" under state law.  Texts are much less secure because they rarely are encrypted (like emails often are), and even if not encrypted (which isn't an actual requirement), they are much more easily accessible: anyone picking up your password-locked iPhone can see the first few words of recent texts without even unlocking the phone.  Unless you've carefully chosen a secure texting service, the risks are definitely not worth the convenience.

So far, there have been no HIPAA enforcement actions by OCR based on texting, but that's probably only because OCR has enough complaint-originated work to keep itself busy.  But other areas of HHS are closely looking at texting, and trying hard to get the industry to shape up.  In fact, CMS recently assigned an "e-level deficiency" to a nursing home that was texting lab results between doctors and nurses.  Both sender and recipient were authorized to receive the PHI, but the method of sending it, via unsecure texts, was sufficient to cause the deficiency.  The net result was a 10-part "Directed Plan of Correction" which included hiring an outside expert to train staff, revising policies and procedures, and notifying all residents of the issue.

This should be fair warning.  It is only a matter of time before OCR lays someone low for bad texting activities.  This nursing home had to incur some substantial costs (both financial and reputational) to fix this problem, but it's nothing to the 6- or 7-figure hammer OCR will likely lay down. 

Don't text.  Unless you've thoroughly analyzed the options and are prepared to defend yourself in case of a texting-related breach, it's hard to see how the benefits of convenience outweigh the risks.

Jeff [11:03 AM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template