The risks of text messaging in hospitals & healthcare environments





The adoption of mobile technology within healthcare environments has increased significantly in recent years, as more and more clinicians turn to their devices to coordinate care and manage patient health outcomes. With an estimated 95% of Americans now owning a cellphone, and 77% owning a smartphone , mobile messaging apps offer a familiar line of communication between caregiver and patient, and amongst busy care teams.

However, despite the appeal of messaging apps, the use of text messaging specifically remains a contentious topic in the healthcare industry:

In 2011, The Joint Commission put a ban on physicians or licensed independent practitioners (LIPs) requesting orders for patient care, treatment, or services to hospitals or other healthcare settings via text message, due to the lack of security offered by text messaging applications. The ban was briefly lifted last spring, and then temporarily reinstated again the following summer, and then in December 2016, fully reinstated again, with the following reasons given:

  • Burden on nurses – Nurses would have to manually transcribe text orders into the EHR, which could adversely affect their ability to carry out other patient care duties.
  • Asynchronous interaction – The process for texting an order is one that requires additional steps to contact the ordering practitioner for any necessary discussion prior to order entry. Verbal orders on the other hand allow for real-time, synchronous clarification and confirmation of the order as it is given by the ordering practitioner.
  • Potential for errors and delays – In the event that a CDS recommendation or alert is triggered during the order entry process, the individual manually entering the order into the EHR may need to contact the ordering practitioner for additional information. If this occurs during transmission of a verbal order, the conversation is immediate. If this occurs with a text order, the additional step(s) required to contact the ordering practitioner may result in a delay in treatment


Administrative concerns aside, the greatest risk posed by text messaging in the healthcare environment is the potential to expose protected health information (PHI), which under the rules of HIPAA can carry huge fines and a lot of negative exposure. By their very nature, text messages are not secure, because the information is not encrypted while in transit or at rest, making sensitive information vulnerable to interception at any point of its journey between sender to recipient. Additionally, most text messaging apps offer little or nothing in the way of reader verification, so there’s no way of knowing when the intended recipient has received the message, or if it was even received at all.

 

Mitigating the risks of text messaging

Text messaging should be addressed under the HIPAA security rule, as part of an organization’s risk analysis and management strategy. When analyzing risks, organizations should consider the following:

  • Establish where ePHI is created, received, maintained, and transmitted. In the case of text messages, it is mobile phones but these could also be stored on workstation software or in the cloud.
  • Identify and record any anticipated threats, and the likelihood of these threats occurring,
    e.g.
    ○ Loss of theft of device
    ○ Improper disposal of device
    ○ Interception of ePHI by unauthorized persons
    ○ Availability of ePHI to persons other than the mobile device owner

Once the risks have been identified, organizations should draw up a secure text messaging strategy that addresses critical administrative, physical, and technical safeguards, including, but not limited to the following key areas:

Ban all text messaging indefinitely – Until risk analysis has been completed and policies are in place, no staff members should be using text messages to communicate with patients or other staff members. Even a seemingly innocent message can become a big problem if it falls into the wrong hands and contains enough information about a patient to make them personally identifiable.

Establish clear policies – A text messaging policy should outline who is authorized to send and receive clinical text messages, what those messages should or should not contain, and make it clear what the repercussions could be for getting it wrong. It is not enough to just develop policies, they should be clearly communicated with all staff members.


Develop a statement of understanding
– Organizations that use text messages to communicate with patients should make it clear that patients have the option to choose a preferred method of communication; if a secure text messaging platform is not in place, patients must be informed of the risks that exist in using unsecured messaging apps.

Lock down all devices – Whether an organization uses text messaging or not, devices should remain secured at all times to prevent unwarranted access to information. Staff should be encouraged to use strong passwords (and to update them regularly) as way of authentication, and ensure auto-lock is enabled after periods of device inactivity, to minimize the risk of an unauthorized users gaining access to the device if lost, stolen, or left unattended.

Implement secure mobile messaging – Text messaging is inherently risky, and can cause administrative issues if not managed properly. The alternative is to invest in a secure mobile messaging platform, which can offer a number of key benefits, such as: ensuring all messages are protected through encryption, while in transit and at rest; notifying senders when messages have been opened and read, and; integration with EHR systems, allowing for a seamless workflow.

The benefits of text messaging – convenience, familiarity, cost and so on – make it an appealing solution for time-strapped clinicians, however these factors should not be at the expense of privacy and security. There’s no avoiding the fact mobile devices will become an increasingly integral part of healthcare management in the future, however in order to enjoy the rewards, organizations must first address the risks, and invest in the right tools for the job. Failing to address text messaging and mitigate the associated risks can lead to heavy fines or worse – and if recent history has taught us anything, it’s that no organization is exempt from the rules of HIPAA.

The U.S. Department of Health and Human Services provides extensive advice and suggestions regarding mobile devices and text messaging in healthcare organizations on its website, www.healthit.gov.

Gene Fry has been the compliance officer and vice president of technology at Scrypt, Inc. since 2001 and has 25 years of IT experience working in industries such as healthcare and for companies in the U.S. and abroad. He is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute, a Certified Cyber Security Architect through ecFirst and certified in HIPAA privacy and security through the American Health Information Management Association. Most recently achieved the HITRUST CSF Practitioner certification from the HITRUST ALLIANCE. He can be contacted through https://www.docbookmd.com/

Empower care teams with HIPAA-compliant secure messaging and real-time alerts to streamline communication, accelerate workflows, and enhance team collaboration. For more information, please visit www.docbookmd.com. DocbookMD is built by Scrypt, Inc.