Text is an umbrella term that covers any electronically transmitted written message between two devices—And it’s is a widely used form of communication today. Texts are showing up in both our personal and work lives on a daily basis. In fact, even medical practices have been using instant messaging more frequently to communicate to coworkers and patients.

HIPAA Compliance Texting

But, when sending instant messages, there are some important things to know. There’s a very real potential for loss of information and HIPAA compliance issues. This is because:

  • Standard SMS texts aren’t encrypted, leaving your information vulnerable to hacker’s attempts.
  • You don’t have control over what happens to a message after sending it.
  • Documentation must be present in the patient’s medical record, which Is difficult to do with texts.

But what do the HIPAA laws say about texting private information? Shockingly, both HIPAA laws and the Office for Civil Rights (OCR) don’t have standard rules for dealing with sensitive data communicated via text. Instead, they maintain that it’s the responsibility of the healthcare provider to ensure text security. This is surprising, considering the growing number of medical providers who use texts to communicate personal information.

Although texting is fast and efficient, the most common form of texting, short message service (SMS), isn’t secure for use in a healthcare environment. SMS text messages can be intercepted during transit.

Any form of communication presents a risk. There’s always the potential that data transmitted over text could be stored in an unsafe way, or deleted when it should be saved for medical records. This is a concern as documentation is extremely important when dealing with medical records.

In a survey conducted by the Institution of Safe Medication Practices medical professionals were asked how they felt about the practice of texting medical orders. They said that

  • More than 50% of patient safety officers don’t believe medical orders should be texted.
  • 40% believe texting medical information is acceptable while using encryption.
  • 26% do not think this practice should be allowed at all.

Some medical providers believe that texting is convenient, increases workflow and that it’s no riskier than other forms of communication for personal data. However, this is disputed as in person or over-the-phone information is more secure because you can also tell who you’re delivering the information to.

It’s important for medical providers to be in line with HIPAA privacy and security policies when they choose to share information via text. These policies specify the manner in which personal medical information is allowed to be shared.

  • HIPAA Privacy Policy- Medical providers can only release information to authorized personnel.
  • HIPAA Security Policy- Providers must protect patients’ information and should include a plan of action if a breach occurs.

It’s also a good idea to understand and follow these policies when dealing with sensitive data. Patients don’t want their private data exposed, and medical providers don’t want to put their practices in jeopardy due to a data breach. All parties must be aware of how and to whom information is communicated. Plus, texting private information must only be done with the patient’s approval.

Be aware of how your staff and patients are communicating, as well as what kind of information they’re sharing. Texts are proven to be risky. This is due to the instability of the messages, and inability to control what happens to the information after sending it—There’s a great potential for something to go wrong.

It’s unlikely that communication through text will stop anytime soon. In fact, it will probably increase—We’ll be seeing it in all facets of our lives. In the meantime, there are steps you can take to make texting more secure:

  1. Use encryption- By using encryption, you ensure the privacy and protection of any information that’s transmitted.
  2. Security Risk Analysis- A risk assessment will reveal areas where your organization’s protected health information (PHI) could be at risk.
  3. Limit sharing of personal information- Don’t send personal information. Instead, schedule a call or meet in person.
  4. Outline policies- Make sure you outline texting policies in administrative and technical policies.
  5. Update waivers and release forms- This will tell you what forms of communication the patient is comfortable with.

When dealing with highly personal information such as medical records or financial information, it’s essential that standard requirements are met. However, this is difficult when those who set the standards don’t have an outlined policy in place. Since HIPAA and the OCR have yet to specify what is or is not allowed, there are many dangers when sending sensitive data through text. The bottom line? —If you don’t feel comfortable texting information, don’t text.