Physician texting provides quick communication -- and an easy way to violate HIPAA

After years of using pagers, and constantly waiting on return calls, physicians now consider texting to be an efficient and fast way to connect with colleagues.

Although the technology may result in faster and better communication, physicians who text other doctors could be exposing themselves to privacy and security violations of the Health Insurance Portability and Accountability Act.

Though many electronic medical record systems come with secure messaging components, using them requires logging into that system. Sending a simple text from a smartphone -- which more than 80% of doctors now carry -- is much simpler.

"Physicians are not so much concerned with HIPAA compliance as they are about work flow and physician communication," said James French, MD, executive director of the hospitalists group at the Cone Health System, a five-hospital system in Piedmont, N.C., during a webinar on texting.

Dr. French said that once the group realized the old method of paging a physician and waiting for a return call, which sometimes took up to 30 minutes, could be replaced with the immediate communication method of texting, it set out to find a way to do it securely. The group implemented Tiger Text, an application that works with any smartphone to establish a secure and encrypted texting network.

Attorney Andrew Blustein, partner at Garfunkel Wild in New York, said physicians should check to see if their devices have encryption capabilities for all incoming and outgoing messages because some do not.

Many physicians who have encryption-enabled devices don't have the technical knowledge to know how to use these services. Others have found that because encryption can interfere with communication if the physician is sending to someone who doesn't have the key to unencrypt the message, doctors choose not to use it. A June and July survey of 91 members of the College of Healthcare Information Management Executives found that 96.7% of those surveyed allowed physicians to text orders to nursing staff, and 57.6% said they do not use encryption software.

If message encryption isn't being used, Blustein said, there are other technical safeguards that can help mitigate those risks, such as autolock and remote wiping. With autolock, if a phone is set down, it automatically will lock after a few seconds, requiring a passcode to access and use the device. With remote wiping, if a phone is lost or stolen, it can be wiped clean of all emails, texts and data.

There also are good practices that physicians should follow to help ensure that texting doesn't violate HIPAA, said Marc Auerbach, an attorney in the Miami office of K&L Gates.

Know the recipient. Auerbach said physicians should know that inadvertently sending a text to the wrong person could be a HIPAA violation. Even if the number the physician is texting to is correct, he or she doesn't know if the owner of the phone -- and the intended recipient -- is the one holding the phone when the message is read, Auerbach said.

Watch for spying eyes. A text read or typed in a crowded elevator or at a dinner table, for example, has the potential of being seen by someone other than the recipient or sender.

Auerbach said use of identifiable information should be avoided, especially if the physician is texting in an unsecure network. Using generic references to patients such as "that patient we discussed last night" can help keep the identity under wraps.

But experts warn that those innocent conversations easily can place one in dangerous territory. For example, a doctor receives a text about "that patient we discussed last night" and responds with, "She was diagnosed with an infection and admitted to the hospital. Room 314." The texts have now exposed the patient's gender, diagnosis and the date of hospital admittance, which could be used to identify the patient and be considered a violation.

If such a situation occurs, Blustein said, the text should be deleted. Then it can be used as an educational opportunity. The physician can explain to the sender why what he or she did was troublesome. "Everyone needs to acknowledge we are still learning," Blustein said. As medical practice owners, physicians are responsible for educating everyone in their offices.

Training should be done and policies put in place, Blustein said. The policy needs to include procedures for dealing with incidents like lost phones. Any lost devices or incidents of exposed data should be reported to the delegated privacy officer in the practice.

Also important for physicians to understand is that texting should not be used as a substitute for a phone call. Though a text exchange can accomplish the same thing as a phone call, the same rules don't come into play, Auerbach said, because a phone call legally is not an electronic exchange.

"If you can pick up the phone and talk to the doctor, pick up the phone and talk to them," Blustein said. "Don't become lazy and just text all over the place."