The Joint Commission (JCAHO) weighed in recently regarding the issue of physicians using text messages to transmit orders. They didn’t explicitly state that their opinion was related to the HIPAA regulations, but we infer that HIPAA was part of the thought process.

“It is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.” This statement appears in the JCAHO Frequently Asked Questions section regarding their Standards.

Texting was in its infancy when the HIPAA Security and Privacy regulations were drafted sometime in the early 2000s. Now it is a mainstream communication method that many find convenient, practical and efficient. Evaluating SMS text messages in the context of HIPAA requires some analysis of the technology and interpretation of the regulations.

HIPAA has numerous requirements that must be considered in regard to texting. Information systems must include unique user identification, or user IDs, so that users can identify themselves. Once a user is identified, the system must provide a method of “authentication”, which is usually a password, to prove that he or she is the individual involved. The lack of this functionality in the context of a physician sending a text message to a nurse appears to be part of JCAHO’s thinking with this guidance.

Other HIPAA factors to consider include the security of the message while in transit. Data in motion must be encrypted according to the HIPAA regulations. It is not clear that all cell carriers provide “end-to-end” encryption of their text messages. It is certainly not a part of any service guarantee.

Finally, we have the issue of storing confidential information on millions of cell phones. Text messages are usually saved by default, and cell phones are routinely lost or stolen. This poses a risk that must be addressed as part of the HIPAA requirement to ensure “physical, technical and administrative safeguards” to protect the confidentiality of protected health information.

One might point out that voice phone calls, which are used every day at every hospital across the US, do not include robust authentication capabilities. This is true; however, the federal government has asserted that voice phone calls are not regulated by the HIPAA Security Regulations.

Multiple vendors provide services and applications that address all of these HIPAA concerns. However, these approaches usually require that individuals download an application onto their phones. Consequently, the trade-off is that some of the convenience of text messaging is lost when these approaches are used.
