Magazine article Behavioral Healthcare Executive

Messaging Often Fails HIPAA Requirements

Magazine article Behavioral Healthcare Executive

Messaging Often Fails HIPAA Requirements

Article excerpt

Using a smartphone to send a quick text message or e-mail has become second nature to most of us. But some healthcare providers take advantage of that convenience to communicate with colleagues and patients, not realizing that they could be violating HIPAA regulations by sending protected health information (PHI).

Consultants and attorneys who work with providers on HIPAA compliance say texting PHI is a fairly common problem. SMS text services and Apple's ¡Message do not meet HIPAA requirements that insist providers maintain the confidentiality, integrity and availability of PHI. Among the troubles with text messaging are keeping information from being seen by an unauthorized recipient, keeping it secure, and making sure the information is available in the patient's medical record.

Behavioral providers who would like to use text messaging must exercise caution, says Sharon Hicks, a senior associate with Open Minds, a market research firm focused on health and human services. "Being able to informally communicate with people who are in treatment situations has shown some efficacy in studies," she says, "but the technical aspects of getting it done correctly are arduous and keep people from exploiting the technology as broadly as it could be used."

For example, she says, some studies indicate that text messages offering encouraging statements are reinforcing and help people stick to a care regimen.

"The difficulty is that you have to be careful not to put any protected health information in those messages," she says.

And it's just the content of the messages alone that must be considered.

"If a message includes personally identifiable health information, the principal risk I have seen is an unintended recipient," says Nathan Mortier, an attorney with the firm Mellette PC in Williamsburg, Va. "We have all texted the wrong person. Many providers don't realize that if they are going to be texting health information to other providers, if they text the wrong person protected health information, it becomes a breach subject to pretty stringent reporting requirements."

Also, there could be medical decision-making taking place in a written format that is not being saved in the patients' records, and therefore not available to future providers caring for the patients or the patients themselves.

"What we have seen is that texting often replaces phone calls," Morder says. "Phone calls are not recorded and added to the medical record, but texts create a written record, and written records need to be included in the patient's medical record if they include PHI and are relevant to a patient's care," he says.


For messaging between providers, there are a number of new apps available on the market, and many of them purport to be compliant with HIPAA requirements. These apps generally require that individuals log in with a specific user name and password beyond what is on the mobile device. This helps ensure that the person entering information or using the service is verified, Mortier says. They may also have features that help automate the routing of messages to electronic health record (EHR) systems. Some EHR vendors are starting to offer add-on integrated secure messaging services.

Likewise, some health texting apps also include a feature that will limit the universe of recipients of information.

"Instead of having access to their entire contact list on your phone, it might only allow texts to other providers involved in that patient's care," Mortier says. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.