With all the advances in technology and the seemingly daily addition of dozens of apps, it can be hard to find someone who doesn’t communicate by texting. The medical profession is quickly adopting texting as a way to communicate with patients, but not without serious compliance questions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Here’s how to walk that fine line.
The Text Revolution
Patients enjoy texting because it’s a fast, easy way to contact their physician from any location. Texting also can create a more collaborative relationship between patient and doctor, and with text reminders patients miss fewer appointments (meaning also lowered costs for providers).
Last year, The Joint Commission released guidance under which practices can text orders as long as they use a secure messaging system that meets certain specific requirements. However, sometimes patients just don’t want another app on their phone, or the headache of having to log on and off each time they communicate with their doctor. That leaves practices with the responsibility of having to meet their patients’ needs without violating HIPAA, a process that can be tricky but is possible through the implementation of thorough policies and the responsible use of texting.
Policies to Protect Your Practice
The U.S. Department of Health and Human Services (HHS) also issued guidelines on patients’ access to their health records. In implementing these guidelines, each practice still has some leeway in the exact policies they enact in order to remain compliant with HIPAA. Training your staff on these guidelines will help protect your practice from costly HIPAA violations. Such policies should target where your practice may be most vulnerable and should include (at a minimum):
- Who has access to protected health information (PHI)
- What actions the practice will take if PHI is compromised
- Steps to take if a patient’s phone is stolen, lost or sold
- What information can and can’t be shared via texts with patients
In addition to thorough policies and training for staff, periodically conducting risk assessments will help your practice identify any threats to patient information and ensure you are prepared for a HIPAA audit.
What Is Considered PHI?
The key is to understand what is and is not PHI. According to HHS: “Protected health information is information, including demographic information, which relates to:
- The individual’s past, present, or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.
For example, a medical record, laboratory report, or hospital bill would be PHI because each document would contain a patient’s name and/or other identifying information associated with the health data content.”
What does not count as PHI? “Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI. For instance, if such information was reported as part of a publicly accessible data source, such as a phone book, then this information would not be PHI because it is not related to heath data,” says HHS. However: “If such information was listed with health condition, health care provision or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.”
Ensuring Patients Understand the Risks
Texting can be HIPAA compliant as long as it does not include PHI. Patients need to understand that PHI cannot be included in texts, and they need to be aware of the practice’s policies regarding texting and other forms of electronic communications. They need to understand the risks of unsecure messaging (e.g., identity theft if their phone is stolen), and the importance of letting their physician know immediately if their cell number changes. In addition to ensuring the patient is aware of such risks, practices can ensure HIPAA compliance by taking the following steps:
- Obtain written consent from the patient before texting, and clarify who will have access to the patient’s phone
- Never store a patient’s first and last name together in devices owned by the practice—use only first name and last initial
- If a patient sends the practice a text with PHI, do not respond—instead, call the patient; handling such texts from patients is a key issue that your practice’s policies should address
- Retain texts for the legally required amount of time outlined in policies so they are available for audits
In developing policies around how to handle unsecure texting situations with patients, it is crucial that practices work with legal and compliance experts to ensure the practice is completely covered.
Taking the Right Steps to Avoid Liability
For practices, the most salient challenge in this new form of communication is compromised patient PHI and possible identity theft. With thorough policies in place and the use of secure platforms, practices can remain HIPAA-compliant when texting with patients. On the other side, patients have the right to communicate with their doctors how they wish, and should be allowed to do so through unsecure messaging. And they can, provided they understand the risks, give consent, and PHI is not shared in texts.
