HIPAA Regulatory Alert: Physician texting poses HITECH security challenges

Vague messages, secure network, and encryption add protection

With almost 80% of cell phone owners reporting they use text messaging,1 it is no surprise that physicians are doing the same. A survey of pediatric hospitalists found that 57% of clinicians send work-related messages, and 12% of the physicians reported texting 10 or more times per shift. Messages were received on personal phones by 41% of respondents and on hospital-owned phones by 18% of respondents.2

“The world is text messaging for all types of communications, so it is not surprising to find physicians taking advantage of a tool that is faster, more convenient, and more direct than other forms of communications,” says Jeffrey Evans, co-founder of Santa Monica, CA-based TigerText. “Email is cluttered and not fast enough for an immediate, open conversation, even when email can be accessed by a smartphone.”

Texting makes sense for physicians because a doctor’s job is inherently mobile, Evans points out. “A physician is rarely sitting in front of a computer,” he says. Making rounds, seeing patients in the office, or performing surgery means being away from a computer, he explains. “A doctor can be more efficient if he or she can check for lab results, confirm the time of surgery, or ask for a consultation while moving from place to place.”

Although texting might be more efficient for physicians and hospital employees, there are security issues a hospital must address, says Steve Hunt, CPP, CISSP, director of Neohapsis Labs, the research division of Chicago-based Neohapsis, a security risk consulting service. Although there are a several risks posed by texting protected health information (PHI), one of the more challenging risks is authentication of the sender or receiver’s identity. “Unlike a telephone conversation during which you hear a voice and can exchange information to verify identity, you don’t know who is holding the phone and responding to your text.” A misdialed phone number or a misplaced cell phone might result in information sent to the wrong person.

For this reason, Hunt suggests that physicians who text follow these suggestions to maintain compliance with Health Information Technology for Economic and Clinical Health Act (HITECH) privacy and security rules:

• When texting a patient with health information, keep it vague. Don’t say: “Your test is positive, give me a call.” Instead text: “Your test results are ready. Please call.”

• When texting physician to physician, separate data into several messages so a patient’s identification information is not in the same message as health information. For example, send one message with: “I’d like to inquire about Mrs. Smith.” Follow this message immediately with: “Was her test positive or negative?”

Both of these steps minimize risk but will not completely eliminate it, points out Hunt. “If a phone is lost, an unauthorized person can put together multiple messages to see PHI.”

Encryption is another way to minimize risk, but it is not foolproof. “Text message data is not encrypted when at rest or in transit,” explains Evans. Even if a phone is password-protected, the data is available to anyone who has the password, he points out.

Providers can improve security by sending messages on a secure network that receives messages, notifies the recipient that a message is waiting, and provides a link to the message, says Evans. Whatever system a provider implements must be able to authenticate senders and receivers as well as ensure information can’t be accessed by unauthorized persons, he suggests.

Personal phones used by physicians also can pose problems, points out Evans. A hospital-provided phone can be encrypted and contain protection such as passwords, but it is more difficult to get someone to allow a hospital to install software on a personal phone. “It is difficult to enforce encryption or other security measures when physicians or staff members are using personal phones,” he admits. “A hospital needs to develop good policies about the use of mobile devices and enforce them.”

The most important step to take is education, says Hunt. “Physicians and employees are so comfortable with text messaging, they don’t think about security risks,” he says. Explaining the risks of text messaging and encouraging vagueness in messaging are important now as communicating with text messages becomes more commonplace in the workplace.

“This is a good time to establish secure communication practices,” he adds.

References

1. Pew Internet and American Life Project. Mobile Health: 2012. Web: http://pewinternet.org/Commentary/2012/February/Pew-Internet-Mobile.aspx.

2. Kuhlmann S, Ahlers-Schmidt CR, Steinberger E. Text Messaging As a Means of Communication Among Pediatric Hospitalists. Presented at American Academy of Pediatrics National Conference, October 2012. New Orleans, LA.

Sources

For more information about physician texting, contact:

Jeffrey Evans, Co-Founder, TigerText, 1310 Montana Ave., Second Floor, Santa Monica, CA 90403. Telephone: (310) 401-1820, ext. 233. Email: jeffrey@tigertext.com.

Steve Hunt, CPP, CISSP, Director, Neohapsis Labs, 217 N. Jefferson St., Suite 200, Chicago, IL 60661. Telephone: (773) 269-6395. Fax: (773) 394-8314. Email: steve.hunt@neohapsis.com.