More on Texting in Medicine and HIPAA

Join Our Mailing List

Clarifying the Confusion about HIPAA

Carol S. Miller

A Special ME-P Report

[By Carol S. Miller RN MBA PMP]

© iMBA Inc. All rights reserved. USA.

Texting is Ubiquitous

Text Messing (or SMS) Messaging has become nearly ubiquitous on mobile devices. According to one survey, approximately 72 percent of mobile phone users send text messages. Clinical care is not immune from the trend, and in fact physicians appear to be embracing texting on par with the general population. Another survey found that 73 percent of physicians text other physicians about work.

(Source:  Journal of AHIMA, “HIPAA Compliance for Clinician Texting”, by Adam Green, April 2012)

Texting can offer providers numerous advantages for clinical care. It may be the fastest and most efficient means of sending information in a given situation, especially with factors such as background noise, spotty wireless network coverage, lack of access to a desktop or laptop, and a flood of e-mails clogging inboxes. Further, texting is device neutral—it will work on personal or provider-supplied devices of all shapes and sizes. Because of these advantages, physicians may utilize texting to communicate clinical information, whether authorized to do so or not.

Risk Levels

All forms of communication involve some level of risk. Text messaging merely represents a different set of risks that, like other communication technologies, needs to be managed appropriately to ensure both privacy and security of the information exchanged.

Text messages may reside on a mobile device indefinitely, where the information can be exposed to unauthorized third parties due to theft, loss, or recycling of the device. Text messages often can be accessed without any level of authentication, meaning that anyone who has access to the mobile phone may have access to all text messages on the device without the need to enter a password.

Texts also are generally not subject to central monitoring by the IT department. Although text messages communicated wirelessly are usually encrypted by the carrier, interception and decryption of such messages can be done with inexpensive equipment and freely available software (although a substantial level of sophistication is needed.  If text messages are used to make decisions about patient care, then they may be subject to the rights of access and amendment. There is a risk of noncompliance with the privacy rule if the covered entity cannot provide patients with access to or amend such text messages.

According to 2012 data from CTIA–The Wireless Association, U.S. citizens alone exchange nearly 200 billion text messages every month. So it’s not surprising that an increasing number of clinicians are using text messaging to exchange clinical information, along with a wide range of other modes — smartphones, pagers, computerized physician order entry, emails, etc. Electronic communication is certainly faster, can be more efficient, enhances clinical collaboration and enables clinicians to focus on patient care. But with these benefits comes an increased risk of security breaches.

(Source:  Clarifying the Confusion about HIPAA – Compliant Texting, by Megan Hardiman and Terry Edwards, May 2013)




Hype over the Health Insurance Portability and Accountability Act

Unfortunately, vendor hype about the Health Insurance Portability and Accountability Act is causing many hospitals and health systems to implement stop-gap measures that address part — but not all — of a problem. To identify all vulnerabilities, health care leaders need to consider not only text messaging, but all mechanisms by which protected health information in electronic form is transmitted — as well as the security of those mechanisms.

Mobile device-to-mobile device SMS text messages are generally not secure because they lack encryption.  The sender does not know with certainty that his or her message is indeed received by the intended recipient.  In addition, telecommunications vendor/wireless carrier may store the text messages.  Recent HHS guidance indicates text messaging, as a means of communicating PHI, can be permissible under HIPAA depending in large part on the adequacy of the controls used.  A hospital or provider may be approved for texting after performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.

A study reported in Computer World in May 2013 by the Ponemon Institute with 577 healthcare and It professional in facilities that ranged from fewer than 100 beds to over 500 beds stated that fifty-one percent of the respondents felt HIPAA compliance requirements can be a barrier to providing effective patient care.  Specifically HIPAA reduces time available for patient care (85% of the respondents), makes access to electronic patient information difficult (79% of the respondents) and restricts the use of electronic mobile communications (56% of the respondents).

The study stated “respondents agreed that the deficient communications tools currently in use decrease productivity and limit the time doctors have to spend with patients. “ They also stated “they recognized the value of implementing smartphones, text messaging and other modern forms of communications, but cited overly restrictive security policies as a primary reason why these technologies were not used.”  Clinicians in the survey stated that only 45% of each workday is spent with patients; the remaining 55% is spent communicating and collaborating with other clinicians and using the electronic medical record and other clinical IT systems.

Several other statements:

  • Because of the need for security, hospitals and other healthcare organizations continue to use older, outdate technology such as pagers, email and facsimile machines. The use of older technology can also delay patient discharges – now taking an average of 102 minutes.
  • The Ponemon Institute estimated that the lengthy discharge process costs the U.S. hospital industry more than $3.189 billion a year in lost revenue, with another $5 billion lost through decrease doctor productivity and use of outdated technology. Secure text messaging could cut discharge time by 50 minutes.

(Source:  Computer World, “HIPAA rules, outdate tech cost U.S. hospitals $3.38 B a year”, by Lucas Mearian, May, 2013)





Several suggestions offered for these preferred mobile devises are:  1) ensure encryption and access to individuals who need to have access; 2) use secure texting applications; and 3) even consider alerting employees with warnings before they send an email or share files that lets them know they are liable for the information sent. 



Ms. Carol S. Miller has an extensive healthcare background in operations, business development and capture in both the public and private sector. Over the last 10 years she has provided management support to projects in the Department of Health and Human Services, Veterans Affairs, and Department of Defense medical programs. In most recent years, Carol has served as Vice President and Senior Account Executive for NCI Information Systems, Inc., Assistant Vice President at SAIC, and Program Manager at MITRE. She has led the successful capture of large IDIQ/GWAC programs, managed the operations of multiple government contracts, interacted with many government key executives, and increased the new account portfolios for each firm she supported. She earned her MBA from Marymount University; BS in Business from Saint Joseph’s College, and BS in Nursing from the University of Pittsburgh. She is a Certified PMI Project Management Professional (PMP) (PMI PMP) and a Certified HIPAA Professional (CHP), with Top Secret Security clearance issued by the DoD in 2006. Ms. Miller is also a HIMSS Fellow.


Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact:



  Risk Management, Liability Insurance, and Asset Protection Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™  Comprehensive Financial Planning Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™



One Response

  1. More on Texting

    Five [5] obstacles to texting patients.



Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: