Secure Texting In HealthcareWays to Keep Patient Information Private
Text-messaging by physicians and other clinicians poses serious potential patient privacy risks. But with security controls in place, some healthcare organizations are giving a green light to texting in certain circumstances.
"I expect that the use of texting between clinicians - without management approval - is pretty widespread, with many covered entities either unaware or having adopted an ineffective policy prohibiting the practice," says Adam Greene, a partner at the law firm Davis, Wright, Tremaine.
To address privacy issues, some healthcare organizations, including Beaufort Memorial Hospital in Beaufort, S.C., are encrypting, text messages shared among clinicians. Others, including Partners Healthcare in Boston, are enforcing policies that limit the information that's contained in text messages to patients.
Healthcare organizations must ensure they comply with the HIPAA privacy and security rules when accommodating texting of patient information, Greene stresses. "The issues differ depending on whether you are talking about texting with patients or texting [among] physicians," he says. "Risk will vary based on the types of messages."
For example, after considering risks such as interception or misdirection, a physician practice may conclude that sending appointment reminders via text message is acceptable with appropriate safeguards, while sending treatment-specific texts to patients is not, he says.
But Greene notes that if a provider chooses to communicate with patients via text, under the HIPAA Privacy Rule, the provider also must accommodate patient requests for alternative methods of communications.
If texting is an efficient way for clinicians in an organization to communicate with each other, organizations should apply encryption, Greene urges.
Tom Walsh, principal at Tom Walsh Consulting, says healthcare organizations should consider policies for texting as a vital component of their overall mobile device management strategy.
"Text messaging is something that [healthcare providers] have to deal with," he says. "We've got physicians who tell nurses, 'send me a text.' How do we trust the person who sends the message is truly the owner of the phone?" Enforcing security controls through the use of a mobile device management system is an important step, he adds.
Popularity of Texting
With the explosion in the use of smart phones among physicians, interest in texting is high.
More than half of pediatricians recently surveyed by the University of Kansas School of Medicine say they either send or receive work-related text messages. Nearly half also report receiving work-related text messages when not scheduled to be on call.
In addition, 41 percent of respondents say they worry that HIPAA rules can be violated by sending/receiving text messages concerning patient information, and 27 percent report having received protected health information through text messages. However, only 10 percent report their institution offers encryption software for text messaging.
Beaufort Memorial Hospital is one of the trailblazers in encrypting text messages The 197-bed hospital is winding up a four-month pilot in which 64 physicians, nurses and others are using secure texting on their smart phones to communicate with each other, but not with patients.
The hospital launched the project because texting is a popular and easy way to communicate, says Ed Ricks, CIO at Beaufort Memorial. The hospital is using a secure texting service from Imprivata. The service automatically encrypts texts to protect patient information.
Users download an app onto their mobile device, and then the hospital lists the authorized user in Microsoft Active Directory. Authenticated users are instructed to only exchange encrypted texts with each other.
Following the pilot, secure texting will expand to 100 users. But the hospital has no plans to use the technology for communication with patients. That's mainly because Beaufort can't justify paying a monthly fee to maintain services for patients who most likely would rarely use texting, Ricks says. Instead, the hospital will offer secure e-mail via a patient portal.
Sending Text Messages to Patients
In contrast to Beaufort Memorial's approach to texting, Partners Healthcare in Boston is initially focusing on educational texts to patients. And instead of using encryption, it's banning personal health information from the texts, says Joseph Kvedar, M.D. founder and director of the Center for Connected Health. The center operates Partners' telehealth and mobile healthcare programs.
"People want to use text to connect with providers, but there is a lot of anxiety that we will reveal protected health information," Kvedar says. And many patients are unwilling to download onto their mobile devices software that allows texts to be encrypted, he says.
Partners has designed a number of text campaigns, such as exercise reminders or smoking cessation tips. For about a year, Partners also has been piloting a campaign of text reminders to expectant mothers about prenatal care and appointments.
"If you design text campaigns in certain ways, you can have effective communications that don't involve PHI [protected health information]," Kvedar says. "Everything that goes into our texting is designed to get to the right patient at the right time to change behavior."
Partners is using technology from the vendor Rip Road to create customized messages in any language to be sent at appropriate times to selected patients.
No specific combination of identifiable personal information, such as the patient and doctor's names, or description of a health issue is included in the text, Kvedar stresses. So if the mobile device is lost or stolen, no health information is at risk.