Texting is Not HIPAA Secure

I previously posted the somewhat controversial post: Email is Not HIPAA Secure. It was an extremely important post and included 54 incredible comments discussing email security and email in how it relates to HIPAA. Today I want to discuss the security issues related to text (SMS) messages.

The short story is: Texting (SMS) is NOT HIPAA Secure

I recently did a focus group to discuss physician communication. At one point I asked how many of them use text messages to communicate with other doctors. All of them acknowledged that they used it and that they were using it more and more. I then asked how many sent PHI (protected health information) in the text messages that they sent. While the response wasn’t as strong likely because they knew it was a loaded question, they all acknowledged that PHI was sent by text message all of the time.

One doctor even commented, “They’re not going to put us all in jail.”

There is some validity to this comment. They’re not going to go around like an old school lynch mob putting physicians in jail because they sent some patient information in a text message. Although, that doesn’t mean that they couldn’t go around handing out hefty fines for HIPAA violations.

Let me be clear that there are secure text message platforms out there. I’ve actually been thinking about this quite a bit lately since I’ve been advising a local Vegas Tech iPhone app called docBeat that offers this secure text message functionality for free. In fact, there are quite a few companies that are trying to provide this functionality. Although, I like docBeat because it offers a whole suite of Physician Communication Tools and not just secure text messaging. I think there’s value in a doctor only to have to go to one place for all their communication needs. In a future post, I’ll do a full write up on what docBeat’s offering physicians.

At some point, I think doctors are going to turn the corner and realize that the standard SMS text messaging service that every cell phone has these days is not the right way to communicate. Besides the fact that standard text messaging isn’t secured, it’s also stored forever on the server of your cell phone service provider. Most doctors likely haven’t thought that everything they’ve sent over text could be brought back to haunt them forever.

Other problems with standard text messaging is that you don’t really know what happens with the text message once its sent. Did the text message actually send? Did the person you sent the text message actually receive it? If they received the text message have they read it?

The great thing is that we all finally have realized the value of simple communication with a text message. Now we just need to move to these new secure text messaging platforms that solve the security, reliability and tracking issues with standard text messaging.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

24 Comments

  • “they’re not going to put us all in jail” is the overall HIPAA mentality I come across.

    Quite frankly, HIPAA is like TAXES.

    Next blog post:
    Facebook is not secure
    Twitter is not secure

  • I like those ideas for future blog posts. Interesting thing is that most doctors would shun the idea of patient information on Facebook and Twitter, but they’re comfortable just doing it over text message.

  • Our answering service routinely sends all messages to all of the physicians they service, via text messaging. It includes name, age, phone number and problem.

  • Dan,
    I’ve heard this from others as well. Thanks for pointing it out. This could become a major problem for the physicians and the answering services that do this instead of employing a secure text message service.

    The nice thing is that some of these secure text message services are providing hybrid interfaces (mobile and web). That way the physician can use it on their mobile while the answering service can send the secure text from a web interface.

  • A recent article I read stated that 40% of data breaches result from use of gadgets. Why don’t healthcare institutions restrict their use, or require all of them to be encrypted as a safeguard? If it’s in the hospital etc., we should just assume the device is used for exchange of PHI. In my experience, use rules have been easily enforced among lower-level employees. Hopefully, the courage administration needs to confront physicians on their device use will not be impossible to muster.

  • Brenna,
    Another example of how most texting applications aren’t HIPAA compliant. They don’t use 2 factor authentication to access the text messages. There’s the lock on the phone itself which most employ, but they need a second one or they have the issues you describe.

  • All great comments. As usual, the problem boils down to a choice between efficiency VERSUS security instead of enabling efficiency PLUS security. As an emergency physician, I have seen how texting can provide that efficient, split-second, bidirectional information exchange that benefits patients. Whether it is sending an image of an EKG to a cardiologist at 2 am to collaborate on whether to open up the cath lab, or sending a picture of a necrotizing fasciitis to the on-call surgeon so they can prepare the OR team, it is not an exaggeration to say that texting can be potentially life-saving. Doctors respect security concerns, but when forced to choose, good patient care always comes first, and even patients and their families will throw security to the side if it will help their prognosis.

    That said, I couldn’t agree with you more. There is a huge need (and demand) for HIPAA-compliant texting. A recent Spyglass report demonstrated that 96% of physicians own Smartphones and 84% use texting to communicate in their personal and/or professional lives. I see this at work in the hospital every day. And I hear about it all the time while wearing my hat as CMO of Imprivata as well. As a healthcare security company with over 1,000 hospitals internationally, we were so impressed by our customers’ demands for a HIPAA-compliant solution that we created a secure healthcare texting platform called Cortext; designed by doctors, for doctors, and in conjunction with hospital IT executives.

    We are working with over 30 hospital design partners to create a locked-down secure, highly functional and usable platform. Only by engaging hospital IT and end-users simultaneously can a system achieve full potential and adoption. Doctors will do the right thing from a security standpoint… if (and only if) it also makes the most sense for patient care. Our system is endorsed by end-users as well as hospital IT. Efficiency PLUS security; the keys to success. I look forward to rolling out Cortext and getting feedback on how useful it is (and using it myself!)

  • * So if the txt messages with docBeat are HIPAA-Compliant; who is storing all the encrypted txts & where and what business entity is the sign-on for the Business Associate Agreement?
    * Would these txts still be secure if sent to say, a patient; someone NOT on the docBeat platform/app?
    * Just need to know…Thanks DAS

  • Dr. Kelly,
    That’s a pretty interesting move by Imprivata. I think most doctors would love to know that they can securely send text messages. You describe well the balance that doctors are trying to find between good patient care and privacy concerns.

    I’ll be interested to see Imprivata’s secure text solution. My big question is whether a secure text only solution will be the right approach. That’s why I’ve liked what docBeat has done in providing an entire clinical messaging platform that includes voice, text, and eventually other means of physician communication.

    Deb Sherl,
    docBeat is storing the texts on a HIPAA compliant server and all the texts are sent over a secure, encrypted connection. I believe that PRANA Technology, Inc is the company behind docBeat, and they shouldn’t have any problem signing a business associate agreement if you contact them: http://www.docbeatapp.com/contactus/ I think it will be important for any secure text message provider to be able to do so, especially with the larger organizations.

    The texts would only be secure between those on the docBeat platform/app. Currently, docBeat is a provider to provider network, but they’re considering options on how to connect doctors with patients in a secure way down the road as well.

  • We just had this discussion at a supervisors meeting today. I work in home care/hospice and it would be nice for the clincians to be able to text information back to the office as they do not have the ability to email or send notes in the patient record until they are at home or back in the office. The same goes for our wound nurses and having the ability to safely take pictures from their phones and send it to wound consultant instanteously versus waiting until they can get a wound camera and bring it back to email it over a secure network.
    As we become more technology advanced, the question that will keep coming up is “why can’t we?”

  • Karen,
    Those are all good examples of why text messaging in healthcare is going to happen and it’s going to be common place. Although, in order to comply with HIPAA you’re going to need to use some secure text message application like docBeat mentioned in the post.

    The good part of using a secure text message application is that you’ll be able to do a lot more than you can do with your normal text message apps. For example, you’ll be able to track the text and see if and when it was read which is essential in healthcare.

    The other cool thing is these messages will be available on the mobile and also through any web browser. So, your onsite staff could communicate with a mobile doctor through their regular web browser.

    Plus, I think we’re just at the start of what will be possible with this communication.

  • Great discussion. As Dr. Kelly from Imprivata mentioned above, the decision is really a choice between efficiency and security. I would probably swap out the word convenience for efficiency because most of the HIPAA compliant messaging platforms (including, qliqSoft, TigerText, DocBookMD, Mobile Storm, Imprivata,, and docBeat) are arguably as efficient as plain-old SMS. They are not, however, as convenient as SMS because they require all parties to be using the vendor’s platform.

    Until the risk (and associated cost) of an SMS-based breach outweighs the convenience of SMS, HIPAA compliant secure messaging will likely remain the domain of enterprise compliance officers.

    To the credit of all vendors in this space, they are not sitting idly by waiting for HIPAA and HITECH enforcement to drive the market. These vendors are also working hard to make their solutions more convenient and more capable.

    On the convenience scale, secure messaging solutions must simplify the process by which end-user networks are established. In other words, they should be inclusive and they should be easy to scale. In my opinion, secure messaging solutions that are limited to physicians, for example, offer minimal value to end-users. Everyone in the organization should have a voice and an opportunity to participate in the conversation. This also means that solutions must support both smartphone and desktop clients.

    In terms of capability, secure messaging solutions have far more potential than SMS. Most vendors offer enhanced features that are beneficial specifically to the healthcare industry. But as John mentioned in his last comment, we are just at the beginning of what’s possible. Text messaging is truly the tip of the iceberg. Unsustainable HIE infrastructure… you might want to watch your back.

  • John,

    I think it depends on the kind of mobile secure messaging solution we are talking about. I think there are a number of solutions in the market right now – and no doubt numerous others in progress – that are specifically designed to provide a secure alternative to traditional SMS texting.

    I believe this is a very limited approach to a far bigger problem. Without spouting off the numerous studies and research detailing how poor communication has plagued healthcare, probably since the beginning of time, I will simply say that SMS is just the latest in a slew of challenges/opportunities in the area of communication.

    Taking a broader view, secure communication solutions should not be limited to single modalities (i.e., asynchronous messaging, voice, data, teleconferencing, email, etc…) or single devices (i.e., smartphones, tablets, desktop computers, VoIP handsets, etc…). Ideally, the infrastructure should act as an overlay to existing technologies and investments, like HIS, EMR, VoIP/PBX, etc…, and should be capable of securely moving both structured and unstructured data. If you view secure communications in such a way, you can quickly see how the lines blur with HIE.

    So, again, the answer depends. A solution that supports secure messaging to mobile devices, I would say not necessarily. A comprehensive secure communication solution that succeeds in deploying lightweight infrastructure across disparate organizations and technologies, I would say heck yeah.

Click here to post a comment
   

Categories