Law Mind: Use Smartphones Smartly — What HIPAA Allows You to Text about Patients, Part II
By Ann M. Bittinger, JD
Bittinger Law Firm
There’s an App for That
The safest way to communicate Protected Health Information (PHI) via smartphones with partners and colleagues is for the practice to buy a text messaging service that encrypts data both in transit and at rest, to install the app on the phones of all providers and others who need it, and to implement a policy and procedure on:
- tracking the phone numbers of the devices that use the app, including a “find phone” feature so that the group’s information technology (IT) department can locate a lost phone and remotely wipe the information on it if necessary;
- storing texts on your own server or on the app provider’s server (be sure to get a business associate agreement signed), rather than on your mobile carrier’s servers;
- preventing physicians from being able to disable the app’s password; and
- locking the device after a short period of inactivity – some say five minutes; I suggest 30 seconds.
Another advantage of most apps that encrypt data is that they close their doors to individuals outside of your group. The Health Insurance Portability and Accountability Act (HIPAA) requires that organizations “implement technical policies and procedures that allow only authorized persons to access” PHI. Communicating with colleagues through a proprietary app makes it less likely that you will send a text to the wrong person, such as someone outside your physician practice or hospital, because you mistyped a phone number or confused recipients’ names. The app is set up so that only your group can text on it.
Social Security Numbers
I suggest that, even within an encrypted-text app, providers should never text Social Security Numbers (SSNs). Additional state and federal laws beyond HIPAA come into play when SSNs are involved, and SSNs are prime targets of cyber thieves. Do not text SSNs. Make texting an SSN a violation of a written mobile device policy.
Room for Error
Similarly, be wary of texting patient orders. Be mindful of errors introduced by auto-correct, mistyped numbers, or abbreviated words – common in texting – that could be misunderstood. Such misunderstandings are even more damaging when they directly and negatively affect patient care, and that is likely to happen if you text orders. These errors do not necessarily violate HIPAA, but a wrong number in a text, or thinking you hit the period key when you did not, so that what you intended as “.5” was communicated as “5,” could be malpractice if the number affects the patient’s care.
Make sure your HIPAA mobile device policy addresses deletion and storage of texts. I am often asked whether texts are part of the medical record and, as such, whether they should be saved. Guidance is developing, but it seems that the answer is: it depends on what you are texting. Although in most circumstances I think texting is more like a phone call (sharing information that you would normally have shared over the phone), arguments can be made that you are documenting information in a type of record. If it is a medical record, then it is subject not only to state and federal medical records laws; there are also issues of turning over the records in the event of a professional liability or other lawsuit. To support the argument that the texts are more like phone calls than medical records, consider including in your mobile device policy that all texts containing PHI be deleted soon (within 48 hours, perhaps) after they are sent. Phones used only for work can be remotely wiped, meaning the data on them is remotely cleared by an employee in the IT Department. This helps defend against an allegation that you deleted your texts to avoid their being used against you in a lawsuit. It also makes the phone a less alluring target for cyber thieves, since less data is available on it. If the IT Department cannot remotely delete the texts, implement and enforce a policy that physicians delete all texts every few days.
As mobile devices become inseparable from our daily and professional lives, practices should expect pushback when these types of protocols are implemented. Weigh the cost of buying all of your physicians and key providers smartphones and paying for their data plans – so you can issue them phones to be used only for work and thus have full control over those phones – against the cost of subscribing to a proprietary app, used only by your group, that can be installed on their personal phones. After all, party lines went the way of the dinosaur; perhaps Short Message Service texting of PHI will too.
Ann M. Bittinger, JD, represents physicians and physician groups in transactions with other entities, in complying with federal health care laws, and in structuring their independent practices. Questions? Email firstname.lastname@example.org.