Texting A Patient: Your Liabilities
By Andrew Feldman, General Counsel, NYSPMA
Many providers are attempting to increase availability and patient communication through text messaging. Many providers find it more convenience and efficient than e-mail and traditional phone messages. However, providers must recognize that text messages regarding a patient’s care will often contain protected health information and must be protected under both HITECH and HIPAA. The level of safeguards required limit the extent to which text messages may be used for patient communication and often render such communications so inefficient that traditional communication is preferred.
Any text message that involves information relating the patient’s treatment should be considered akin to a letter containing that same information. While most providers would include such a letter in the medical record, they often fail to provide the same level of care with digital messages. If your practice is not equipped to record and save text messages in the medical record, then providers should avoid that form of communication. Similarly, PHI contained in a text is entitled to all protections applicable under HITECH and HIPAA. This requires some level of assurance that only the relevant patient has access to the phone you are texting and that all texts are retained for required timeframes. Further, the patient is entitled to access to all texts involving themselves. There are additional concerns with respect to the extent that others, such as the cellular provider, may have access to the content of the messages and therefore require a Business Associate Agreement. Beyond that, security on the phone itself must be maintained to ensure that there is no breach of PHI should the phone itself be lost or stolen.
Consent from the Patient can assist in some of these area but it is necessary to ensure that the patient provides fully informed consent. Patients may not realize the extent to which information will be transmitted in such an unsecure format. In order to minimize exposure, it is recommended that text messaging not be utilized in your practice. However, if patients are expecting to be able to communicate through text, it is recommended that they provide written consent authorizing such communications and confirming the information that could be risked by such communication. It is also recommended that providers reduce the amount of PHI involved by limiting the communications to scheduling or similar areas. Sending text messages to fellow providers could alleviate some of the above concerns, but would not resolve the overarching concerns of security and the ease with which the communications can be intercepted.