
Text Messaging and PHI

Text messaging has become a major part of how we communicate. Texting is an essential and valuable means of communication, particularly among healthcare team members. One of the many benefits of messaging over mobile phone apps is that it facilitates rapid dissemination and interaction. But this ease of dissemination can cause real problems for physicians and hospitals if the information is disclosed improperly. The Centers for Medicare & Medicaid Services (CMS) and the Joint Commission take the position that texting of orders is prohibited.

Text messages fall under the scope of HIPAA if they involve protected health information (PHI). In order to be HIPAA compliant, the electronic communication network through which PHI is being transmitted must have security measures to guard against unauthorized access. SMS and insecure messaging apps fail to comply with HIPAA’s requirements to safeguard against unauthorized access because, among other reasons, phones may be lost or stolen and accessible by others. HIPAA requires electronic communication networks to be encrypted. SMS messaging is not encrypted, and although some messaging applications (such as WhatsApp) claim to be encrypted, it is important to remember that encryption does not equal HIPAA compliance. These messaging applications do not have an agreement with the University and thus are not permitted as a secure means of exchanging PHI. Without a formal agreement, the University does not have control over how PHI is being used, disclosed or accessed, so the information shared through these messaging applications is not contractually protected.

The University is aware that the use of efficient and clear text messaging between University healthcare providers may reduce the number of medical errors, decrease healthcare costs, and improve patient outcomes. Hence the University is currently testing a secure, mobile messaging platform and hopes to make it available in the near future. But until a fully HIPAA-compliant secure text messaging system is in place, PHI should not be sent via text message.

Below are some recommended alternatives to facilitate communication:

  • Send PHI securely via University email. Emails within the University are automatically encrypted and additional checks for sensitive data are performed on outbound emails.
  • Send and receive large attachments through the University’s secure file transfer portal.
  • Send a text message (with no PHI) to the receiving provider informing them that an email or file transfer has been sent with the requisite PHI details.

It is important to remember that you are entrusted with maintaining the privacy of our patients, employees, students, donors and research participants.