Can my text to a parent lead to a HIPAA violation?

Sep 02, 2014, 4:00am

Texting has become so popular because it is instantaneous, convenient and direct. Without appropriate safeguards, though, texting can lead to violations of the Health Insurance Portability and Accountability Act (HIPAA).

A 2-year-old patient, Danielle, is brought by her distraught mother to see Dr. Derm. Apparently she is concerned that her infant’s perianal warts have some connection to her estranged husband. Dr. Derm agrees that this may be a possibility and reports his findings to the state child welfare bureau. Danielle’s mother has been family friends of Dr. Derm for years - as has her husband. They both have his cell number. 

Three weeks later, Dr. Derm receives a question about the warts by way of text message from a person whom he assumes to be Danielle’s mother. It is really from the father. Dr. Derm responds by text message and states that he has filed a concern with the state. The mother, although acknowledging that both parents have joint custody of the child, is furious that Dr. Derm texted his actions to the father. She sues Dr. Derm for a HIPAA violation. Dr. Derm has never heard of such a lawsuit. Should he be worried?

Texting has become so popular because it is instantaneous, convenient and direct. Without appropriate safeguards, though, texting can lead to violations of the Health Insurance Portability and Accountability Act (HIPAA).

Dermatologists are smartphone “super-users.” According to Manhattan Research, more than 81 percent of physicians now use a smartphone to communicate and access medical information. The attractions are clear-cut. Phone applications put libraries full of information at our fingertips. Texting reduces time waiting for our patients and our peers to call back and may expedite and improve patient care.

Next: Convenience may create privacy concerns

 

 

 

Convenience at a cost

The very convenience that makes texting so inviting may create privacy and security violations if messages containing protected health information (PHI) are not properly safeguarded. Text messages to our peers and patients should be encrypted and exchanged in a closed, secure network.

However, according to a member survey conducted by the College of Healthcare Information Management Executives, more than 95 percent of those surveyed said their physicians texted; more than 57 percent did not use any form of encryption software. The underlying reasons for poor compliance with encryption could be due to lack of technical knowledge or to avoid the inconvenience of sending a message to someone who may not be able to unencrypt it. 

With penalties starting at $50,000 per HIPAA violation, safeguarding texts should be of utmost priority. In addition to encrypting texts, dermatologists may want to consider installing auto-lock and remote wiping programs. Auto-lock will lock the device when it is not in use and requires a password for unlocking. Wiping programs can erase data, texts and email remotely. Both types of safeguards provide additional protection in the event a device is lost or stolen.

A cavalier attitude when composing a text message can also pose a legal risk. The informal nature of text messaging may lead to the use of abbreviations which is bound to have potential for miscommunication. Furthermore, a deleted text is never fully deleted, and the metadata (data left behind) is almost always available in a lawsuit.

In the end, the following steps are recommended: Enable encryption of your mobile device. Have a texting policy that outlines the acceptable types of text communications and when perhaps a phone call is instead warranted. Install auto lock and remote wiping programs to prevent lost devices from becoming data breaches. Know your recipient and double check the “send” field to prevent sending confidential information to the wrong person. Avoid identifying patient details in texts. Lastly, assume that your text can be viewed by anyone in close proximity to you.

Thankfully, Dr. Derm’s phone was fully encrypted and protected. Although one might question the wisdom of his discussion with Danielle’s father, Dr. Derm is not guilty of a HIPAA violation.  

Read more of Dr. Goldberg's legal columns:

Fleshing out the physician-patient relationship in a virtual world

As an expert witness can I be sued?

Teledermatology fraught with liability issues