The Past, Present and Future Of Texting Clinical Information

Relevant Laws, Regulations, Standards and Guidance

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule requires covered entities (including providers) and their business associates to implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.¹ Texting poses a new challenge to providers who have been working to achieve Security Rule compliance in other contexts, such as with the electronic medical record. HIPAA does not explicitly prohibit texting of PHI but imposes certain security parameters in order to do so in a compliant manner.

Under the Security Rule, providers must implement a mechanism to encrypt PHI if possible.² Encryption is an "addressable" requirement under HIPAA, which means that if an entity concludes that it is not reasonable and appropriate to implement encryption software in its environment, the entity must document the reasons for that determination and implement an alternative security measure to accomplish the same purpose.³ Given that encryption technology has become readily accessible and available, it is difficult to take the position, even for small providers, that it is not reasonable and appropriate. In short, unless there is a very good reason not to, providers should encrypt electronic PHI in all circumstances, including texting.

Texting should not even be considered unless the texting platform is secured in all aspects (e.g., hardware, software, network, storage, and other components). A standard text message containing PHI that is sent from an unencrypted phone and without a secure texting platform is definitely not compliant with the Security Rule. Moreover, if the mobile device is lost, stolen, or hacked, the messages on that device could be easily accessible to unauthorized individuals if not encrypted and secured. Such access compromises patient privacy and could have damaging consequences to patients (e.g., identity theft). Unauthorized access could also have significant consequences for the provider. In February 2017, the Office for Civil Rights (OCR) announced a HIPAA civil monetary penalty against Children's Medical Center of Dallas based on an impermissible disclosure of unsecured electronic PHI (ePHI) stemming from, among other compliance issues, the loss of an unencrypted BlackBerry device.⁴ Children's Medical Center of Dallas paid $3.2 million in civil monetary penalties as a result of the incident and its non-compliance.⁵

The HIPAA Security Rule also requires certain measures for access control⁶ (unique user identification, emergency access procedures, automatic logoff) and integrity⁷ (i.e., implementing policies, procedures and technological strategies to ensure that ePHI is not improperly altered or destroyed) which could affect texting.

The Joint Commission/CMS

For entities regulated by the Centers for Medicare & Medicaid Services (CMS), there are also concerns specific to physician orders. The Joint Commission (which accredits numerous providers and works in conjunction with CMS) has provided guidance in this area, but has vacillated in recent years on its stance regarding texting patient orders.⁸ Most recently, in December 2016 The Joint Commission issued a clarification in collaboration with CMS explaining that despite prior guidance to the contrary, The Joint Commission still had concerns about transmitting text orders even when a secure text messaging system is used.⁹ The primary concerns centered around the lack of the ability to clarify the content of the order and the manual burden on nurses to transcribe the texts into the medical record. Further, the guidance concluded that computerized provider order entry is the preferred method for submitting orders (although verbal orders remain acceptable if computerized provider order entry is not possible in a given situation) and that use of secure text orders is not permitted at this time.¹⁰ The Joint Commission and CMS will continue to monitor technology and update guidance when appropriate.

The American Medical Association (AMA)

The AMA policy on Electronic Communication with Patients generally supports the use of email and text messaging in the practice of medicine, although it notes several compliance as well as related ethical concerns.¹¹ For example, provider-patient relationships should not be established through email or texting. Even after the relationship is established, providers should obtain patient consent prior to initiating clinical conversations by electronic communication.¹² Moreover, the AMA maintains that the content of the communications must always be professional and should not cross over to non-clinical personal matters.¹³ This balancing act becomes even more complicated when family members are involved. While it may be ethical and legal to discuss a patient's care with a family member if authorized, communicating electronically with family can open another can of worms and is best avoided.

General Risks

In addition to the regulatory risks, using texting for clinical purposes opens providers up to distraction, particularly if the device is also used for personal purposes. There are readily available horror stories of providers distracted by a text who then failed to enter an order or otherwise failed to complete the clinical task at hand.¹⁴ There is also a risk that providers using text messages may not enter them into the medical record, rendering the record incomplete and inaccurate and potentially leading to adverse patient safety events or medical malpractice claims. Moreover, the language of the text is not always what the sender intended, and does not always go to the intended recipient. In the medical context, these common texting experiences could be disastrous.

Practical Solutions

Texting in the clinical context can be useful but has numerous risks. To navigate those risks, providers and others should consider taking the following steps:

• Encrypt all mobile devices that are used to transmit clinical information.
• Ensure that texts are sent over a secure platform provided by a vendor who understands its obligations as a business associate under the HIPAA Security Rule as well as the practical parameters for designing the platform to be compliant with all HIPAA Security Rule requirements.
• Double up - require a username and password to use the secure platform.
• Do not allow the texting of any practitioner orders at this time.
• Adopt a remote wiping system that can be used should the mobile device holding clinical texts be lost or stolen.
• Specify a process for all employees/workforce members to immediately notify the entity’s Security Officer of lost or stolen mobile devices.
• Do not allow concurrent personal use of devices that are used to text clinical information. In other words, separate devices should be used for work and for personal purposes.
• Adopt a robust, complete texting policy that incorporates these suggestions and addresses all of the risks identified above before allowing any texting of clinical information.
• Train all workforce on the texting policy and enforce it rigorously.

Conclusion

The risk management and legal parameters that will ultimately govern the use of text messaging to communicate PHI have not yet caught up to the current state of technology. This is a familiar concept in healthcare law. For example, consider the many state medical records laws that assume paper records, e.g. requiring "legible handwriting." With texting, it is expected that within the next few years the multiple regulatory and guiding agencies (including CMS, OCR, the AMA, and The Joint Commission) will be under pressure to put forth practical guidance. Until then, the parameters and suggestions outlined in this article should help organizations remain compliant.

1.  45 C.F.R. § 164.312(e)(1).
2.  Id. at (e)(2)(ii).
3.  45 C.F.R. § 164.306(d)(3)(ii).
4.  The U.S. Department of Health and Human Services, Lack of timely action risks security and costs money, February 1, 2017, available at: https://www.hhs.gov/about/news/2017/02/01/lack-timely-action-risks-security-and-costs-money.html (Last accessed September 5, 2017).
5.  Id.
6.  45 C.F.R. § 164.312(a).
7.  45 C.F.R. § 164.312(c).
8.  In 2011, The Joint Commission advised that physicians could not text orders for patient care, treatment, or services. Then, in May 2016, the Joint Commission stated that practitioners could use a secure text messaging platform to send orders as long as the system met certain requirements.
9.  The Joint Commission, Clarification: Use of Secure Text Messaging for Patient Care Orders is Not Acceptable, Joint Commission Perspectives, December 2016, available at: www.jointcommission.org/assets/1/6/Clarification_Use_of_Secure_Text_Messaging.pdf (Last accessed August 5, 2017).
10.  Id.
11.  American Medical Association, 2.3.1 Electronic Communication with Patients, available at: https://policysearch.ama-assn.org/policyfinder/detail/2.3.1%20Electronic%20Communication%20with%20Patients?uri=%2FAMADoc%2FHOD.xml-2.3.1.xml (Last accessed: September 5, 2017).
12.  Id.
13.  Id.
14.  In 2014, an anesthesiologist was named in a medical malpractice suit claiming that the anesthesiologist had been looking at a cell phone during a heart surgery in 2011. The suit alleged that the patient had a low oxygen level for nearly 20 minutes but that the anesthesiologist failed to notice because of the cell phone distraction. Deenah Kogan, Smartphones: The Not-So-Smart Phones For Doctors On The Job, (May 13, 2016). Lawyers.com blog.