Refrain from Texting about Your Patients
Can I text my partners patient information?
–Stephen Henry, San Luis Obispo, Calif.
Dr. Hospitalist responds:
Can you? Sure. Do you? Probably. Should you? No.
Texting any patient information falls under the category of ePHI (Electronic Protected Health Information) as part of HIPAA. Technically, such patient-specific information must be protected at all times. Once you send a text, at least three copies are known to exist: one on each of the devices, plus one copy on the network it went through, adding for each network it has to cross. Sure, your phone may be password-protected, but is your partner’s? What about the carrier? How protected is their data?
HIPAA goes into excruciating technical detail about all the safeguards that must be present. You are more than welcome to read it (www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule) to see if you meet all the standards. Or you can take my word for it: You don’t.
So you can see why most health organizations expressly prohibit the texting of patient information. If you rang up your local health-care or hospital lawyer, I’m sure they would tell you to never text patient information. Is that reasonable advice? In 2013, I doubt it.
So what’s the practical advice to follow? For starters, password-protect your phone, if you haven’t already. Nothing worse than losing your phone and having patient information on it. A lot of the OCR (Office for Civil Rights, a branch of Health and Human Services) fines for HIPAA violations stem from folks misplacing unencrypted devices with patient information on them.
Just as important, don’t text anything that you wouldn’t want to see blown up on a lawyer’s display board in court. I’ve seen some really egregious examples of communication between doctors that have no business being preserved electronically. Texting “Mr. X in Room 2101 is a meth-using, narcotic-seeking, half-naked, lunatic troll” is an absolutely stupid thing to do. For that matter, so are remarks that seem less offensive: “And his son is completely unreasonable.” Save your commentary and stick to the facts, because you just generated three copies forever.
If you receive an insensitive text, don’t reply. Simply call the sending physician to discuss any issues. Even being on a “secure” texting network won’t protect you from errors of commission.
If I were to text about a patient (purely hypothetically, mind you), I would limit the information as much as possible. Keep it simple and generic (what HIPAA likes to call “de-identified information”)—for example, “Room 428 is ready for discharge.”
Please, hold the subjective commentary. There is no good reason to have an extended text exchange about a patient; you are creating an electronic trail that has no good reason to exist and never really goes away. It’s just the same as writing in the chart, except that it has the illusion of privacy. And that’s all it is: an illusion.
At the end of the day, I’d probably worry more about the discoverable aspect of your text messages in a lawsuit than the possibility of a HIPAA fine, but neither one sounds like much fun to me.