(HealthNewsDigest.com) – The first short message service (SMS) “text message” was sent in 1992 from a computer to a mobile phone. It read: “Merry Christmas.” Since then, mobile-to-mobile SMS has become one of the most popular means of electronic communication worldwide, with more than 20 billion messages transmitted daily. In a 2013 survey of 2076 US adults, 91% reported owning a cellular phone, and 81% reported using their device for texting, making SMS the most commonly used mobile application.1
Not surprisingly, several small studies (one of 45 resident and 28 faculty general surgeons, another of 97 pediatric hospitalists) found that a majority (60%-80%) of physicians use text messaging for clinical communication.2,3 However, there is little guidance on appropriate use of this technology in the health care setting, and some physicians may believe, incorrectly, that text messaging of protected health information is prohibited by law.
In the United States, health information is protected by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. This legislation defines regulatory standards for both security and privacy of protected health information, which is defined as any information related to an individual’s past, present, or future physical or mental health. The HIPAA Privacy Rule specifies who is allowed access to protected health information and for what purposes. The Security Rule requires that clinicians, staff, and organizations (called “covered entities”) implement “appropriate administrative, physical and technical safeguards” to prevent inappropriate disclosure of protected health information (ie, breach).4 Breach is further defined by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 as “the acquisition, access, use, or disclosure of unsecured PHI [protected health information], in a manner not permitted by HIPAA, that poses a significant risk of financial, reputational, or other harm to the affected individual.” HITECH also levies significant fines for a breach: up to $50 000 per occurrence or $1.5 million per year.5
Despite the prominent legislation and substantial fines for breach, guidelines for text messaging remain unclear. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces HIPAA compliance, maintains technological neutrality for electronic communication. This means that HHS imposes no specific technical requirements on electronic communication, including text messaging (eg, no minimum encryption standard). In 2016, the Joint Commission proposed a preliminary set of advanced security standards for text messaging of physician orders, which included secure sign-on processes, encrypted messaging, delivery and read receipts, date and time stamps, and customized message retention time frames.6 However, these were not adopted, and text messaging of physician orders is currently explicitly prohibited at Joint Commission–accredited hospitals.7
Although commercially available “secure-messaging” applications have security features similar to those proposed by the Joint Commission, consumers should be wary of claims of “HIPAA-compliant messaging.” Because HIPAA is technology neutral, there is no certification or technical standard against which an application can be judged compliant. Compliance is a property of how a covered entity uses and safeguards a tool, not of the tool itself, so even though application features may enhance messaging security, there is no such thing as a HIPAA-compliant messaging application. (A vendor that stores or relays protected health information on a covered entity’s behalf is, however, a business associate under HIPAA and must sign a business associate agreement.)
Even with advanced security features, all systems remain vulnerable to breach. HIPAA does not demand perfection; it requires that covered entities identify “reasonably-anticipated risks” of breach and create mitigation strategies. For messaging on a personal mobile device, reasonable safeguards include strong passcodes, remote wipe or deactivation for lost or stolen devices, message and device encryption (eg, Apple iMessage encrypts message content end to end with 128-bit AES, and iOS encrypts data stored on the device), and disabling message preview on the lock screen to avoid unintentional disclosures. One caveat: a carrier SMS message is not encrypted at all, and iMessage protection applies only between Apple devices; a message to a recipient who is not reachable over iMessage falls back to plain SMS. Because the Security Rule is written this broadly, compliance can be maintained with such strategies.
HIPAA compliance can also be maintained by deidentifying information before it is transmitted. Under the Safe Harbor Method, health information is considered deidentified when 18 types of patient identifiers have been removed (Box) and the covered entity has no actual knowledge that the remaining information could identify the individual.8 Deidentified health information is no longer “protected,” and the Privacy and Security Rules do not apply. However, deidentification has limitations. The Safe Harbor Method requires vigilance in removing every identifier, and physicians may not know that common derivatives of patient identifiers (eg, initials, room number) are not acceptable under HIPAA. In addition, deidentification can make it difficult to recognize which patient is being discussed, and miscommunication could result.
Safe Harbor Method: Removal of Patient Identifiers (a)
- Account numbers
- All dates (except year) related to an individual (eg, admission date, birth date, etc)
- Biometric identifiers (eg, fingerprints, voice signatures)
- License or birth certificate numbers
- Serial numbers or medical device identifiers
- Electronic mail (email) addresses
- Fax numbers
- Full-face photographs or specifically identifiable images
- Geographical location or subdivisions smaller than state
- Health plan beneficiary numbers
- Internet protocol (IP) address numbers
- Medical record numbers
- Names or any derivative including initials
- Phone numbers
- Social Security numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Web universal resource locators (URLs)
- Any other unique identifying number, characteristic, or code
(a) Information on the deidentification methods has been published.8
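The Safe Harbor list above is a checklist, not a tool, and the article’s warning about derivatives such as initials and room numbers is exactly where manual redaction fails. As an added illustration (example code written for this page, not from the article or any product it mentions), the following pre-send scrubber applies regular expressions for the identifier classes that have a recognizable shape in free text (URLs, email addresses, SSNs, phone numbers, IP addresses, full dates, medical record numbers, room numbers, long digit runs) and separately flags dotted initials for human review rather than silently rewriting them. The message it runs on is constructed with invented details; the `[CLASS]` replacement tokens and the “MRN”/“room” keyword forms it looks for are assumptions of the example. Regex catches only the well-formed cases; it cannot recognize a name, a date written as “last Tuesday”, or the open-ended 18th category, so a clean result is a floor, not a compliance verdict.

```python
"""Regex-based Safe Harbor pre-send scrubber (added example, not from the article)."""
from __future__ import annotations

import re

# Identifier classes from the Safe Harbor list that have a recognizable shape in
# free text. Order matters: specific shapes (SSN, phone, MRN) are labelled before
# the catch-all "long_number" rule so it cannot swallow part of them first.
PATTERNS = [
    ("url",   re.compile(r"\bhttps?://\S+", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    # (?<!\w) instead of \b so a leading "(" is part of the match.
    ("phone", re.compile(r"(?<!\w)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}\b")),
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    # Full dates are identifiers; a bare year is permitted and is left alone.
    ("date",  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    # Assumed keyword forms for medical record numbers.
    ("mrn",   re.compile(r"\b(?:MRN|MR#)\s*[:#]?\s*\d{4,}\b", re.I)),
    # Room/bed numbers are derivatives the article says do not deidentify.
    ("room",  re.compile(r"\b(?:room|rm|bed)\s*#?\s*\d+[A-Za-z]?\b", re.I)),
    # "Any other unique identifying number": any remaining run of 6+ digits.
    ("long_number", re.compile(r"\b\d{6,}\b")),
]

# Dotted initials ("J.S.") can be spotted but not safely rewritten by a regex
# (too many false positives among abbreviations), so they go to a human.
INITIALS = re.compile(r"\b(?:[A-Z]\.){2,}")

# Constructed sample message with invented patient details (not real data).
SAMPLE_MESSAGE = (
    "Pt J.S., MRN 00123456, DOB 03/14/1952, in room 412. "
    "Call wife at (555) 123-4567 or jsmith@example.com re: labs. "
    "Scan at https://pacs.example.org/study/9981 SSN 123-45-6789."
)


def deidentify(text):
    """Replace each recognized identifier with a [CLASS] token.

    Returns (scrubbed_text, counts) where counts maps class name -> matches.
    """
    counts = {}
    for name, pattern in PATTERNS:
        text, n = pattern.subn(f"[{name.upper()}]", text)
        if n:
            counts[name] = n
    return text, counts


def needs_review(text):
    """Residual tokens that look like initials and must be checked by a person."""
    return INITIALS.findall(text)


def is_clean(text):
    """True only if nothing had to be redacted and nothing is left to review."""
    scrubbed, counts = deidentify(text)
    return not counts and not needs_review(scrubbed)


if __name__ == "__main__":
    scrubbed, counts = deidentify(SAMPLE_MESSAGE)
    print(scrubbed)
    print("redacted:", counts)
    print("review before sending:", needs_review(scrubbed))
    print("clean:", is_clean(SAMPLE_MESSAGE))
```

Run as a script, it redacts the seven shaped identifiers in the sample and still refuses to call the message clean because “J.S.” survives. That residual is the article’s point: the last step of Safe Harbor is a person reading the message, not a filter.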
Despite these issues, the efficiency and convenience of SMS are undeniable, and it is easy to understand the popularity of texting (consider that approximately 2 million messages were transmitted in the time it took to read this sentence). Text messaging has essentially replaced telephone calls for many people, and messaging and other forms of asynchronous electronic communication will only become more prevalent as the tech-savvy millennial generation enters the health care workforce. Why should a clinician leave a meeting to take a phone call, or ask a patient to come to clinic, when nonurgent questions can be answered electronically, in messages that can even include photographs and dialogue? Although text messaging does not work in every situation or for every practice, it provides unprecedented convenience and accessibility for both patients and clinicians who agree to use this form of communication.
As clinicians learn to better integrate mobile device messaging with health care delivery, it is important to acknowledge that rules for this technology may be intentionally vague and even best left that way. Currently, the onus is on covered entities to maintain a reasonable standard of privacy and security. This means clinicians should remove, or at least limit, protected health information in electronic communication. Whenever protected health information must be transmitted, clinicians should utilize available features, such as message encryption and strong passwords, to maintain security.
The risk of breach with electronic communication is real, but the benefits of SMS for physician, staff, and patient communication are substantial. Although some statutory elements may be interpreted to prohibit text messaging on personal mobile devices, texting to communicate health information is neither explicitly prohibited by HHS nor illegal in the United States.9 If the unwritten intention of federal regulations is to limit electronic communication of protected health information, this should be clarified. In the meantime, a combination of vigilant deidentification and full use of available security features should maintain HIPAA compliance for text messaging. If clinicians do not respect the privacy of health information, they betray the trust of patients, and this could lead to regulatory changes to the detriment of a common and effective means of communication.