Can I exchange text messages with my patients?
The quick, simple answer is that the best practice is NOT to text patients.
The more detailed answer is yes, you can text patients, but there are risks involved and steps that your office should take to mitigate those risks.
In this article, texting means ordinary cell phone to cell phone (SMS) text messaging.
First and foremost, texting is not secure. SMS messages are not end-to-end encrypted: the carriers and any systems that relay the message can read it in transit. Therefore, a text message should never include sensitive patient information, known as Protected Health Information (PHI). A general appointment reminder with no clinical details is acceptable.
Once you text a patient, they can text you back.
Why is it a bad thing if patients can text the office?
Patients may send personal medical details. Patients have the right to send their own information through unencrypted channels. However, once that text message is received by your office, that information is your office’s responsibility.
Your office will have to protect the confidentiality of any information that patients text you. Cell phones can be at higher risk than other hardware (e.g. computers). Current cell phones typically run a variety of applications that gather large amounts of data. When you install an application, you will often see a prompt saying that the application is requesting access to specific information on your phone. Do you know what data the different applications on your phone are gathering? A rogue or poorly designed application may give its developer access to the text messages you have sent and received, or to your list of contacts.
Like the operating system on a computer, cell phone software must be kept up to date. Unlike most computers, a cell phone can reach the internet over the phone network, yet who hasn’t connected their cell phone to WiFi for a faster connection? You go into a coffee shop to meet friends and join the free public WiFi. That network may be unsecured and vulnerable to attack, and connecting to any network you do not manage exposes your device to the risk that the network is not properly managed. If you must connect to another network, use a VPN to encrypt the connection.
Cell phones are a convenient way to check email quickly, and email is a well-known source of malware. Your office should have security tools that protect the office network from email threats, whether as separate software on the network or as features of the office email program. Do you have equivalent tools on your cell phone? You probably check not only work email on your phone but personal email as well, and personal email is often a free account with very limited protection against malware. Just as on office computers, if a cell phone is used in connection with patient information, the best practice is not to open personal email on it, and to consider what tools are protecting the phone from threats arriving in work email.
A threat that has become more common on cell phones is zero-click malware. Typically you have to click a link or open an attachment for malware to be downloaded onto a device, but zero-click malware installs without any action on your part: an attacker sends a message containing malicious code, and the flaw in the app that receives the message is exploited before you ever open it. A well-known example of zero-click spyware is Pegasus (Read More: https://tldsystems.com/can-your-phone-be-spied).
Have you ever lost or misplaced your cell phone? Has it ever been stolen? Cell phones are common targets of theft, and they are also commonly misplaced or lost. Many applications allow you to track the location of your cell phone (remember to be cautious about what applications you download and what permissions you give them). However, in the time between your cell phone leaving your possession and your retrieving it, there is no telling what happened to the device. There could now be malware on it, login credentials could be compromised, and text messages sent by patients could be stolen. In a case where failure to encrypt mobile devices led to a $3 million HIPAA settlement, OCR Director Roger Severino said, “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk." (Read More: https://www.hhs.gov/guidance/document/failure-encrypt-mobile-devices-leads-3-million-hipaa-settlement)
Once a patient texts you their health information, they have communicated information relevant to their care. It is your responsibility to save and incorporate that information into their health record, and to do so immediately so that every provider involved in the patient’s care has access to everything relevant to clinical care and decision making. Moreover, as noted above, cell phones go missing, and text messages on a phone are not backed up by your office’s systems. If you do not enter medical information conveyed to your office by text into the patient’s chart immediately, you run the risk of losing that data.
Best Practices
Low Risk: Don’t text patients.
Medium Risk: Text patients general appointment reminders using a service that only enables patients to confirm or cancel appointments when responding to the text message. Get a Business Associate Agreement with the service.
Medium/High Risk: Patients can text back. Implement internal policies to incorporate any messages received into the patient’s chart as soon as they are received. Any messages sent out should include a footer stating that text messages are not constantly monitored and that in an emergency patients should call 911.
High Risk: Respond to patient’s text messages about their care. All communications need to be documented in the patient’s charts when they occur. Messages should be double-checked before being sent out. They should not be written in shortform or include any abbreviations.
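The Medium and Medium/High Risk tiers above describe a reminder service that sends no PHI and accepts only confirm/cancel replies, with anything else pulled into the chart rather than kept on the phone or in the service. The following added example sketches that handling in Python. It is not TLD Systems’ code or any real SMS vendor’s API; the keyword lists, message wording, appointment fields and sample replies are all constructed for the example.

```python
"""Added example: inbound-reply handling for an appointment-reminder SMS service.

Design points it demonstrates:
  * the outbound reminder carries date, time and office only (no clinical details);
  * a reply is accepted as an action only if it is a recognised confirm/cancel keyword;
  * any other reply is treated as possible PHI: its body is never stored by the
    service, only a "chart_review" flag telling staff to move it into the chart
    and then delete it from the phone.
Keyword sets, wording and sample data are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed reply keywords; a real service would publish its own.
CONFIRM_WORDS = {"c", "confirm", "yes", "y"}
CANCEL_WORDS = {"x", "cancel", "no", "n"}

EMERGENCY_FOOTER = "This number is not monitored. In an emergency call 911."


@dataclass(frozen=True)
class Appointment:
    appointment_id: str
    when: str    # e.g. "Tue Mar 4, 2:30 PM"; deliberately no reason for visit or provider
    office: str  # office name or location only


def reminder_text(appt: Appointment) -> str:
    """Outbound reminder: scheduling details, reply instructions and the footer only."""
    return (f"Reminder: your appointment is {appt.when} at {appt.office}. "
            f"Reply C to confirm or X to cancel. {EMERGENCY_FOOTER}")


@dataclass(frozen=True)
class Disposition:
    appointment_id: str
    action: str                 # "confirmed", "cancelled" or "chart_review"
    stored_body: Optional[str]  # the recognised keyword, or None when the body is not kept


def _normalize(body: str) -> str:
    """Lower-case and strip everything but letters, so 'C.' and ' confirm! ' both match."""
    return re.sub(r"[^a-z]", "", body.lower())


def handle_reply(appointment_id: str, body: str) -> Disposition:
    """Classify an inbound reply; free text is flagged for the chart, not stored."""
    word = _normalize(body)
    if word in CONFIRM_WORDS:
        return Disposition(appointment_id, "confirmed", word)
    if word in CANCEL_WORDS:
        return Disposition(appointment_id, "cancelled", word)
    # Anything else may contain PHI: record that it arrived, not what it said.
    return Disposition(appointment_id, "chart_review", None)


def audit_line(d: Disposition) -> str:
    """A log line that is safe to keep in the service: never includes free text."""
    return f"appointment={d.appointment_id} action={d.action} body={d.stored_body or '<withheld>'}"


if __name__ == "__main__":
    appt = Appointment("A-1001", "Tue Mar 4, 2:30 PM", "Main Street office")
    print(reminder_text(appt))
    # Constructed sample replies
    for reply in ["C", " confirm! ", "X", "Yes, but my blood pressure meds aren't working"]:
        print(audit_line(handle_reply(appt.appointment_id, reply)))
```

The key point is in `handle_reply`: the service only ever persists a recognised keyword, so a patient who answers with clinical details produces a `chart_review` flag and nothing else. Staff then follow the office policy of entering that message in the chart and deleting it from the phone.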
Cell Phone Policies
Never connect to a network that is not managed by the office. If you do need to connect to a different network, you must use a VPN.
Practice good email hygiene. Do not open personal emails. Do not open suspicious emails sent to the office email.
Do not share cell phone passwords or pass your unlocked cell phone to others.
Immediately document any text message communication with patients in the patient’s chart including a notation that the communication was via text message. Then immediately delete the message from the cell phone.
For more information on protecting the privacy and security of your patient records you can schedule a meeting with TLD systems here or contact TLD Systems at info@tldsystems.com.