Rules concerning the appropriate transmission of protected health information can be intimidating, even in the context of old-school methods of communication. But the rapid pace of technological development has further complicated the subject, with new forms of communication becoming increasingly unavoidable. How ought the practicing clinician balance the competing needs to adapt to new technologies while remaining vigilant about protecting health information? In the guest column that follows, Drs. Ganesh Kumar and Drolet offer concrete guidance applicable to text messaging, and we thank them for this timely contribution.
Hal S. Wortzel, MDLaw and Psychiatry Editor
Broadband technology and electronic media have changed the infrastructure of personal and professional communication. Text messaging (texting) is one of the most common formats for electronic communication, with >6 billion text messages transmitted every day in the United States alone. In health care, as in other fields, texting has been identified as a common communication format.1,2 However, electronic communication of protected health information (PHI) has raised concerns about breach of privacy and thus violations of the Health Insurance Portability and Accountability Act (HIPAA),3 which established standards for privacy and security of PHI.4 Under the Privacy and Security Rules, HIPAA limits how and what PHI can be shared and what standards must be in place to secure this information. Disclosure of PHI to an unintended party, called breach, can have significant financial penalties and legal implications, further defined by the Health Information Technology for Economic and Clinical Health Act (HITECH).5 Yet, despite significant regulatory detail, much confusion exists concerning the legal standards and restrictions set forth by HIPAA regarding the use of text messaging.
Despite concerns for security and privacy of PHI, text messaging seems to be used regularly in various professional medical fields. While the American Psychiatric Association provides guidelines on email communication that is HIPAA compliant, information related to HIPAA-compliant text-messaging is sparse.6 Given the legal implications of a HIPAA breach, particularly of highly sensitive psychiatric history or treatment, understanding the usage patterns of text messaging among psychiatrists to communicate PHI could help guide specific rules and clarify restrictions on what is permissible. To better understand how text messaging is being used in psychiatry, we surveyed members of the Association for Academic Psychiatry (AAP).
A survey to assess the texting habits of academic psychiatrists was developed by the authors and piloted among practicing physicians before finalization. The survey was subsequently shared with the President of the AAP for review and approval. Approval was also obtained from the Vanderbilt University Medical Center Institutional Review Board (IRB) before the survey was distributed. After permission was obtained from the President of the AAP, the survey was electronically distributed by the AAP administration via the AAP listserv. Participation was voluntary. The survey was distributed twice over the course of May and June, 2018 to maximize participation rates.
A total of 53 responses were received via active members on the AAP listserv (it is not known how many active AAP listserv members routinely used the listserv or accessed the surveys during the time period of the study). The majority of respondents were female (n=31, 59%), academic hospital psychiatrists (n=44, 83%), and clinicians who had been in practice for at least 17 years (range=3 to 40 y, mean=16.8 y, mean age=45.5 y). While 96% of psychiatrists stated their institution required HIPAA compliance training, only 63% felt confident in their knowledge on the subject (Fig. 1). Interestingly, 64% of psychiatrists reported that text messaging of PHI is prohibited by HIPAA yet more than half (53%) used text messaging to communicate PHI. More than half of respondents (54%) agreed or felt neutral about the statement that text messaging was their preferred means of communication at work.
DISCUSSION AND RECOMMENDATIONS
On the basis of the results of the survey, text messaging appears to be a popular means of communicating PHI among psychiatrists at academic hospitals. However, there is still a lack of clarity among psychiatrists regarding whether PHI may be transmitted by text messaging and what steps need to be taken to be HIPAA compliant. Currently, the US Department of Health & Human Services (HHS), which enforces HIPAA, does not limit the use of specific technologies (eg, email or text messaging) for the transmission of PHI.7 HHS follows the Security Rule standard of “reasonable” safeguards against breach, and is said to be “technology neutral” in requiring no specific level or type of encryption or security standards.
Nevertheless, various text-messaging platforms that advertise HIPAA compliance have been adopted by institutions around the United States. Among many of their features, these applications have higher levels of encryption, allow for remote deactivation, have time-limited messages, and even allow documentation in the medical record of communication, all so that they may ostensibly be called HIPAA-compliant. However, HIPAA is “technology neutral,” and therefore no specific features are required for compliance, and text messaging of PHI with such features is not explicitly prohibited by HIPAA.8
Instead, HIPAA places the onus of information security on health care providers (among the group of so-called covered entities) to maintain the privacy of PHI. Privacy and security must be a priority for every physician, regardless of what communication medium is used—–written, spoken, or otherwise. Best practices include limiting PHI in text messages, using strong passwords, and restricting access to devices that might disclose PHI. Given the convenience of text messaging to facilitate patient care, physicians should respect the recommendations and standards suggested by the HHS (Table 1).
The current recommendations for text messaging of PHI pertain to communications between physicians and health care providers. Generally speaking, however, when physicians communicate by text message with a patient, they should follow the same recommendations for the protection of PHI. If patients have acknowledged the potential risks of breach, and they prefer to use text messaging, then this should be considered acceptable practice. However, we suggest that this communication be relatively limited, as key pieces of information and emotional content may be missed in text messages. Ultimately, communication of PHI via text messaging, no matter whom the recipient, should be treated in a safe and secure manner, following the standards set forth by HHS.
Physicians should consider obtaining consent from their patients to discuss matters related to their care via text messaging, especially when that messaging might include sensitive psychiatric information. Until more specific standards for HIPAA compliance in text messaging and approved technologies are delineated, physicians should be cognizant of the steps they need to take to securely share PHI in providing patient care.
The authors would like to thank Dr Marcy Verduin, Dr Amin Azzam, and Lisa Hedrick from the Association for Academic Psychiatry for their assistance in survey approval and distribution among members of the Academy.
1. Drolet BC, Marwaha JS, Hyatt B, et al. Electronic communication of protected health information
: privacy, security, and HIPAA compliance. J Hand Surg Am. 2017;42:411–416.
2. McKnight R, Franko O. HIPAA compliance with mobile devices among ACGME programs. J Med Syst. 2016;40:129.
8. Drolet BC. Text messaging and protected health information
: what is permitted? JAMA. 2017;317:2369–2370.