Secure Text Messaging

Due to the speed and convenience of texting, many physicians use this form of communication to consult with other providers and to exchange lab test results and other patient information. If text messaging is used to transmit or receive electronic protected health information (EPHI), it must be evaluated as part of the covered entity’s Security Risk Analysis. As with all transmissions of EPHI, safeguards must be in place to ensure the integrity and confidentiality of the data.

There are several secure messaging vendors in the marketplace that offer encrypted mobile applications that secure messages sent to the provider’s phone, responses sent back, and data at rest. Data that is properly encrypted is considered “secure” by Security Rule standards. This means that the data has been rendered unusable, unreadable or indecipherable to unauthorized persons or entities.

In addition to the threat of malware or interception of text messages, the risks posed by the theft or loss of a smartphone must also be considered. If the EPHI stored on the device is not properly secured, the theft or loss could result in a privacy breach that would require notification not only of affected patients and the Department of Health and Human Services, but also of the media if the breach were large enough.

All text messages containing EPHI, whether encrypted or not, should be managed with the following minimum safeguards:

  • Information that individually identifies a patient or a patient’s specific condition should be limited to the minimum necessary.
  • Immediate reporting of a lost or stolen device must be encouraged so that actions can be taken to secure the device remotely, and/or to provide notice to patients if the EPHI was unsecured.
  • Any EPHI that is received via text, that is used to inform a decision regarding a patient’s care, must be annotated in the patient’s medical record.
  • Text messages should be deleted on a regular basis in order to limit the amount of information stored on a device. If the information is no longer needed, storing it only increases the risk of a large privacy breach.
  • A Business Associate Agreement is necessary with any vendor that stores text messages (containing EPHI), such as wireless carriers or telecommunication vendors.

The covered entity’s Security Officer should maintain a list of all mobile devices that are used to send/receive text messages containing patient information so that he/she can ensure that the information is properly removed from the devices prior to re-use, donation or disposal.