HIPAA Compliance
for Clinician Texting
The HIPAA privacy
and security rules
need not act as an
obstacle to efficient
communications, but
keeping texting compliant
requires planning and diligence.
By Adam H. Greene
+
TEXT (OR SMS) MESSAGING has become nearly ubiquitous on
mobile devices. According to one survey, approximately 72 percent of mobile phone users send text messages. 1 Clinical care is
not immune from the trend, and in fact physicians appear to be
embracing texting on par with the general population. Another
survey found that 73 percent of physicians text other physicians
about work. 2
Texting can offer providers numerous advantages for clinical
care. It may be the fastest and most efficient means of sending
information in a given situation, especially with factors such as
background noise, spotty wireless network coverage, lack of access to a desktop or laptop, and a flood of e-mails clogging in-boxes.
Further, texting is device neutral—it will work on personal or
provider-supplied devices of all shapes and sizes. Because of
these advantages, physicians may utilize texting to communicate clinical information, whether authorized to do so or not.
It is essential for healthcare providers to understand the communication needs of their workforce in order to appropriately
address any privacy and security risks they may pose. As many
providers have discovered, trying to control how your workforce
communicates is easier said than done, and policies that fail to
account for clinicians’ communication preferences often go unheeded.
This article addresses texting between clinician members of
the workforce and discusses how to ensure safer texting practices as part of your organization’s privacy and security compliance program.
The Risks of Text Messaging
All forms of communication involve some level of risk. Text
messaging merely represents a different set of risks that, like
other communication technologies, needs to be managed appropriately to ensure both privacy and security of the information exchanged.
Text messages may reside on a mobile device indefinitely,
where the information can be exposed to unauthorized third
parties due to theft, loss, or recycling of the device. Text messages often can be accessed without any level of authentication,
meaning that anyone who has access to the mobile phone may
