I was recently having dinner with a physician client of mine and, as we were about to order, he received a text message. The on-call physician had texted him about a patient’s condition. After my client responded via text message, he put his phone face up on the table without clearing the screen. As I glanced down to pick up my menu, I couldn’t help but see the text conversation my client had had with the on-call physician. Luckily, the patient’s name had been in a previous message that was not visible on the screen. Had my client just violated the Health Insurance Portability and Accountability Act (HIPAA) by inadvertently allowing me to glimpse the text message conversation?
Two of the key benefits of technology are efficiency and convenience. When a technology can enable physicians to provide patient care in a more efficient and convenient manner, it usually is a win–win situation. It is more efficient and convenient for a physician to receive a text message concerning a patient’s test results, glance at it, and then get back to seeing another patient who is in need of more imminent attention. The alternative would require the physician to physically go to the patient’s record to view the test results, which takes time and focus away from another patient who may be in need of more immediate assistance.
How about when two physicians are treating the same patient? One physician wants to report to the other about the patient’s test results, and the other physician is in clinic throughout the day. Rather than the first physician waiting on the phone for the other one to become available or paging the physician, he or she could convey the information via text message. If there is follow-up information or discussion required, then the parties can discuss that at a later convenient time.
As handy as text messaging may seem, allowing a physician to more easily handle a busy caseload, there are significant HIPAA concerns related to texting a patient’s protected health information.
Could Texting Violate HIPAA?
Under HIPAA, physicians are required to protect the privacy and security of a patient’s healthcare information. HIPAA allows healthcare providers to disclose a patient’s healthcare information for treatment, payment, operations, and other distinct purposes. However, HIPAA requires that healthcare providers maintain administrative, physical, and technical safeguards to protect this information. This safeguard requirement is what has many physicians’ attorneys worried that their clients are violating HIPAA on a regular basis.
To a physician, a simple text message may not seem capable of jeopardizing these safeguards, but this perception is incorrect. For starters, it is difficult to be sure that no one is within eyeshot of your phone screen. If a physician is at a busy restaurant and a text message comes in containing patient information, the physician may not be the only one seeing the text message. This has HIPAA implications because the physician has compromised the privacy of the patient’s healthcare information. The damage is done once an unauthorized person views the patient’s healthcare information.
Use the same physician as an example again, but this time the physician is alone at home, and there are no onlookers who could catch a glimpse of the patient’s healthcare information. This scenario appears to be safe, but a text message is stored on different servers, not just on the phones of the sender and receiver. If a hacker were to break into one of these servers and obtain those texts, this would constitute a security breach under HIPAA. It does not matter that the hacker had no intention of obtaining a patient’s health information and did not even know what he or she was getting. It is, nevertheless, a HIPAA violation.
Take that same physician again, but this time the physician leaves his or her cell phone, which contains a text message with a patient’s healthcare information, at a restaurant. Someone picks up the cell phone and, in an effort to determine the phone’s owner, sees the text message that contained a patient’s healthcare information. Even though that individual had no intention of viewing the patient’s healthcare information, it is still a HIPAA violation, because an unauthorized person viewed the patient’s personal healthcare information.
Preventing HIPAA Violations
Although there may not be a HIPAA violation until a patient’s healthcare information is actually intercepted, the threat of a violation is very real. The threat of a HIPAA violation remains with every text message regarding a patient that a physician sends or receives. It is advisable for physicians to password-protect their cell phones. It is even better if the cell phone software requires the password to be changed on a regular basis. Although passwords may help prevent some security breaches, a password may be nothing more than a minor inconvenience that can be circumvented by a hacker. There are also software programs and applications that can be downloaded that encrypt and decrypt messages. Some of these apps can send messages via a secure server. However, most physicians are not currently employing these apps, and those who do find them cumbersome to use. Even those programs that advertise that they provide a secure network to transmit protected information may not be “HIPAA proof.”
Despite the multitude of “security” options that are available to physicians, none on the market is 100% guaranteed to prevent HIPAA violations. The best option that a physician can choose is to contact an expert to determine how electronic information will be relayed to and from the physician. Only then can physicians truly know what risks they are creating for their patients, themselves, and their practices.
Steven M. Harris, Esq., is a nationally recognized health care attorney and a member of the law firm McDonald Hopkins, LLC. He may be reached at firstname.lastname@example.org.