
Beware of HIPAA-related text messaging risks

The ease, speed, and efficiency of mobile device-based text messaging have made it a primary communications tool among doctors and other health care providers, covered entities, and business associates. But this convenience can also lead to security risks, cautions Melissa (Lisa) Thompson, a shareholder in national law firm LeClairRyan’s Boston office.

“Unless preventive measures are employed, anyone with access to the mobile device will have access to the text message,” writes Thompson in a recent blog post at Information Counts, which focuses on the legal issues that arise from considerations of privacy, data security, information technology, outsourcing, e-commerce, the Internet and social media, cloud computing, big data, and information management.

“The text can be accessed when the device is lost, stolen, or even when it is returned or recycled,” she explains. “Additionally, the protections implemented by information technology and other departments of covered entities and business associates, such as firewalls, may not cover texts, which can be intercepted and decrypted.”

Issues like these fall squarely under federal HIPAA (Health Insurance Portability and Accountability Act of 1996), which not only protects patient information from being accessed, but requires certain patient health information (PHI) to be accessible to patients and their authorized representatives.

“When text messages are used in patient care decision-making, there is a potential risk of noncompliance if the provider is not able to accommodate the individual who requests access to their record,” adds Thompson. “There is no single, easy answer when it comes to addressing texting concerns, but at a minimum, to satisfy the HIPAA-required risk analysis and management, a covered entity or business associate should include an analysis of mobile phones and other devices on which PHI and texts are created, received, maintained or transmitted.”

Health care entities can consider, among other options, adopting policies that require the deletion of all texts within a period of time, and using technology that can wipe information or remotely disable mobile phones if they’re lost or stolen, she advises. Other approaches include encryption and password protection, and implementing policies or guidelines limiting the type of information that texts contain: for example, not using patient names or other identifiers.

Thompson notes that organizations can also consider switching to secure messaging applications; requiring that texted PHI be added to the medical record, while providing a mechanism for doing so; and training workforce members about required texting policies and procedures. They should also impose sanctions for workforce members who violate the policies.

“Organizations may identify different levels of risk and institute different types and levels of controls,” writes Thompson. “Implementing controls related to texting can be difficult for an organization. The important thing is to take affirmative steps right now to analyze the risk and manage texting, rather than considering the risks and implementing appropriate controls only after a problem develops.”

She points out that the U.S. Department of Health and Human Services offers suggestions regarding mobile devices on its website.
