Text Messaging Exposes Physicians to Significant Security, Privacy Risks

June 25, 2014
Katie Eder, Managing Editor

Family Practice Recertification, June 2014, Volume 32, Issue 6

Although many physicians currently utilize a mobile device to communicate more efficiently with colleagues and patients, most of them neither consider the substantial privacy and security risks involved with text messaging, nor include the health information they send and receive via text message in their medical records.

Although many physicians currently utilize a mobile device to communicate more efficiently with colleagues and patients, most of them neither consider the substantial privacy and security risks involved with text messaging, nor include the health information they send and receive via text message in their medical records.

To help physicians avoid potential legal issues related to text messaging, Barry B. Cepelewicz, MD, JD, outlined several safeguards against liability in an article published May 23, 2014, in Medical Economics.

According to Cepelewicz, even physicians who take appropriate steps to ensure the privacy and security of their emails “inexplicably treat their text messages differently — and to their potential detriment.” To afford text messages the same vital protections, Cepelewicz recommended that any text including information relating to a patient’s treatment should be incorporated into the medical record.

“Most physicians would readily agree … that a telephone conversation relating to a patient’s care should be memorialized in the (medical) record,” Cepelewicz wrote. “Similarly, if your text messages include protected health information (PHI), then you must ensure that you are … retaining the text messages for the legally required period of time (and) allowing your patients to access and amend the text messages. If you simply delete all your texts thinking that is the best form of protection, you might find yourself in violation of the law.”

Furthermore, Cepelewicz pointed out that a person who sends a text message never knows for certain whether it has been read by its intended recipient, which exposes the communication to significant privacy and security risks. For that reason, the Joint Commission previously declared “it is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting(s), (as) this method provides no ability to verify the identity of the person sending the text.”

Although Cepelewicz said the most obvious way for physicians to reduce the risks associated with text messaging is to prohibit its use, he noted that option is unrealistic for many practices, so the best alternative is to establish texting policies that implement safeguards against threats and vulnerabilities to PHI.

According to Cepelewicz, such policies may require:

  • Only including certain non-urgent information in text messages
  • Verification of who received the message
  • Password protection and encryption of mobile devices used for text messaging
  • Incorporating text messages related to patient treatment into the medical record and then deleting the messages from the mobile device

“Text messaging is a very useful tool, and one that your patients may increasingly expect you to use,” Cepelewicz concluded. “If you choose to do so, (then) you must consider the various risks and take appropriate measures to address them.”