There are several reasons HIPAA compliant texting means ditching your personal cell phone and finding a more secure device. In this post, compliance expert Rick Garfolo explains why.
It finally happened. I got a drunk text from someone. I guess that isn’t abnormal nowadays, but what struck me was who it was from. It was from my Chiropractor. A medical professional drunk texted me from her personal cell phone, but I had no idea it was her personal cell phone number because the messages all looked very official — even with the “Reply C to confirm” bottom line.
And yet here she was sending all of her patients' text confirmations, links to online records, reminders for past due appointments — all from her personal cell phone, with a very blatant disregard for HIPAA. It got me thinking about how many dental offices may be doing the same thing.
Texting any patient information falls under the category of ePHI (Electronic Protected Health Information). This goes for texting office-to-patient or even between doctors and their teams.
As we all know, a large part of HIPAA is about the privacy of patient information, both Protected Health Information (PHI) and Personally Identifiable Information (PII). We’ve covered the difference between the two, and what is included in each, in a previous article you can find here. The short version is PHI is health information like treatment-planned services, completed services, and health history information. PII is last name, first initial last name, phone numbers, email addresses, addresses, zip codes or any number of other items someone could use to identify you. Technically, patient information must be protected at all times.
The problem with texting is that when you send a text, at least three copies now exist. There's one on your device, one on the device of the person you messaged, and one on the network used to send it, adding one for each network used (I have Verizon, you have AT&T, that’s two).
Your phone is probably password protected and encrypted (as all data in motion must be). However, is the phone of the person you sent it to? What about the carrier? Is their network secure? Do you have a business associate agreement with them? And what if you lose your cell phone? If a hacker (or any 14-year-old) gets ahold of your lost phone, password or not, they can get to all the information from it.
HIPAA goes into excruciating detail on the safeguards that must be present when protecting patient info. You can certainly read all about them to see if you meet all the standards.
Or you can just believe me when I say that you don’t — at least not if you're texting patients from your personal device. It's easy to see why most health organizations prohibit the use of texting of ePHI. But is that reasonable advice in 2019? I certainly don’t think so.
So what alternatives are we left with? Find a HIPAA compliant texting tool that stores the sent text on an encrypted and secure server. Also ensure that it doesn’t require you to use your unsecured personal cell phone when texting patients.
At the end of the day, it is our responsibility to maintain compliance with the HIPAA laws. With the available options out there for HIPAA compliant texting, there is no good reason to risk it. After all, you would want your doctor or hospital to provide the same courtesy to you.
RevenueWell Messenger is a secure texting platform that enables you to send as many as 10 texts in the time it takes to make one phone call! Learn more about how you can fill gaps in your schedule with RW Messenger!