Text Messaging Among Providers Prevalent Despite HIPAA Compliance, Security Concerns

Bloomberg BNA's Health IT Law & Industry Report brings you concise, comprehensive, and timely news and analysis of the regulatory, legal, and compliance issues surrounding our nation’s...

By Kendra Casey Plank

A majority of physicians use the text messaging capabilities on their so-called smart phones to exchange information about patients with other health care providers, but doing so could be a violation of federal privacy and security rules, a health information technology firm executive said Oct. 17.

More than 70 percent of physicians use text messaging to communicate with other doctors about patients because the technology provides the ability to send and receive real-time information without actually calling other providers or relying on e-mail, said Brad Brooks, president and cofounder of TigerText, a company that provides secure text messaging capabilities to health care organizations and other industries.

However, he cautioned, while text messaging among health care providers presents a “huge opportunity” to improve communication among physicians and potentially improve the cost and quality of care, there are big compliance risks under the Health Insurance Portability and Accountability Act Privacy and Security Rules if messages contain protected health information and are not properly safeguarded.

Speaking during a webinar hosted by his company, Brooks said that text message conversations often start out as casual, non-work related messages, but eventually evolve into work-related messaging about patient care. While text messaging among physicians and other providers is efficient and convenient—more so than some traditional communication methods among provider—it is not always HIPAA-compliant.

Brooks said that as text messaging increasingly becomes a priority channel for communicating among health care providers, the challenge will be to “wrap” the technology in a secure, encrypted, HIPAA-compliant layer—a service his company provides to health care organizations.

HIPAA Concerns

Adam Greene, an attorney with Davis Wright Tremaine LLP, explained to the webinar audience that the HIPAA Security Rule applies to all electronic protected health information and that the broad definition of PHI could apply to data contained in text messages.

For example, a text message between two treating physicians could be considered containing PHI if it includes admission or discharge date information that could lead to the identification of an individual patient. Similarly, a message between a doctor and patient could be considered PHI, and thus covered by HIPAA, if it indicated a treatment relationship, Green said.

Prior to joining Davis Wright Tremaine, Greene was with the Department of Health and Human Services Office for Civil Rights, which is responsible for HIPAA rules.

Greene recommended that health care organizations include providers' text messaging capabilities and text message content in their HIPAA risk analysis activities to determine where vulnerabilities exist. Such risk analysis should consider the security of mobile devices used for text messaging and how those devices are disposed of when they are no longer used by physicians.

Case Study

James French, executive director of the Cone Health Hospitalist Program in Greensboro, N.C., said that text messaging among physicians in his multi-hospital organization has provided a better platform for communication than traditional methods that largely relied on paging systems and answering services.

He said that HIPAA concerns typically are not foremost on the minds of doctors and other providers, and that providers instead are concerned with improving workflow.

However, French said that when Cone Health sought to replace its cumbersome communication network among providers with a text messaging solution, it chose one provided by TigerText that was HIPAA-compliant and allowed physicians, nurses, and other providers within the health care network to share patient information in a safe and secure manner.

French said that text messaging among providers at Cone Health is contained in a closed, secure network and that messages are funneled through providers' smart phones.

In addition, he said the text message solution was cost-effective compared to other options, including the legacy pager system that had been in place previously.

TigerText's Brooks said the network provides end-to-end encrypted messaging, ensures messages have a limited lifespan, and allows the health care organization to audit messaging.