The Revised Regulations for Texting PHI
The revised regulations for text messaging PHI acknowledge that changes in workplace practices and technological advances have led to more healthcare industry employees using mobile devices in the course of their work. Indeed, a survey carried out by the Health Research Institute revealed that 81 percent of doctors use mobile devices to communicate with their patients and access patient information.
The possibility exists that sensitive patient data could be compromised in the workplace or in places of public access due to individuals using public Wi-Fi or open cell phone networks, and there is also the risk of a security breach when a mobile device is sold, stolen or lost.
Consequently, the HIPAA guidelines for text messaging patient information say that texting PHI should only be done in the following circumstances:
- When organizations that store electronically-accessible protected health information have introduced a secure system to limit who has access to it and to control how it is communicated.
- When action can be taken remotely to prevent a breach of PHI if a mobile device is lost or stolen, and processes exist so that individuals can report the loss of their device immediately.
- When periodic risk assessments have been conducted to identify any threat to the integrity of the data and procedures have been established to address any breach that may occur.
- When data is encrypted so that individuals who use their personal mobile devices in the workplace can safely access data or transmit/receive protected health information securely. When a system exists to ensure that protected health information cannot be stored locally on mobile devices used by employees and sub-contractors.
Organizations, employees, and sub-contractors should be aware of the penalties that can be imposed by the Office of Civil Rights should there be a security breach when texting patient information, as well as the threat of legal action from patients whose protected health information has been compromised.