Publications & Articles

HIPAA and Physician Texting of PHI

An Inherent Threat

Technology can be a wonderful thing. Think of the advent of smart phones and the communications wonderland they offer. The texting ability is a significant part of this innovative new world. Texting is common in virtually all life activities, from the over-stimulated teenager who is sometimes glued to the keyboard, to the player in the world of commerce and industry.

Approximately 73 % of physicians text other physicians about work issues. Agreed, this can be a useful tool in medicine and patient care, but it can also open the door to a very draconian sign of the times, the HIPAA law and possible violations of that law.

We need to keep in mind that text messages may stay in a mobile device indefinitely; there is the potential possibility that the information on that mobile device could be exposed /available to an unauthorized third party. Consider theft, loss, or recycling of the mobile device. In many cases, anyone who has access to a mobile phone may have access to all the messages on that device.

Let´s consider several ways that a mobile device´s privacy can be breached:

Improper disposal of the device
...to name a few.

Concern in this area can be limited by giving thought and action to these remedies:

Create an administrative policy that limits the type of information that is shared using text messaging.
Train all users on the appropriate use of patient-related texting.
Take advantage of password protection for all mobile devices used by your group.
Take advantage of encryption for all mobile devices used by your group.
Sanitize the mobile device upon disposal.
Be sure to annotate the medical record with any documentation that concerns a patient.

In view of the potential for HIPAA violations and subsequent liabilities, one needs to consider the levels of data that would be considered prudent for texting. This, of course, would be a subjective consideration, and the very process of texting in the clinical area needs to be decided: prohibited or allowed?

Each medical practice or group must reflect on this issue as it affects them. Both the value and the risks of texting of clinical, potentially PHI data need to be recognized. There is no black-and white rule; it must be decided by you in your own practice. Write a clear policy and enforce it.

Claude J. Garbarino, CCS
Director of Medical Coding & Compliance
Castlerock Management Corp