Medical Economics has a very interesting and thought provoking article on sending patients text messages. The article is definitely worth reading in its entirety.
Here are a few highlights:
Any text message that involves the transmission of information that would be considered PHI, including information relating to the treatment of your patients, should be considered part of, and therefore incorporated into, your medical record. Most physicians would readily agree that a letter from a patient describing a medical condition or correspondence from another treating physician offering treatment recommendations should be included in the medical record, and that a telephone conversation relating to a patient’s care should be memorialized in the record.
Similarly, if your text messages include PHI, then you must ensure that you are compliant with all applicable laws that govern PHI, including the Health Insurance Portability and Accountability Act (HIPAA). That includes retaining the text messages for the legally required period of time; allowing your patients to access and amend the text messages; and entering into Business Associate Agreements with the appropriate vendors. Thus, if you simply delete all your texts thinking that is the best form of protection, you might find yourself in violation of the law.
Not surprisingly, the Joint Commission opined that “it is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.” (The Joint Commission; Standards FAQ Details; Record of Care, Treatment, and Services (CAMH/Hospitals); Texting Orders;
November 10, 2011.)
The article goes on to discuss the importance of creating policies and procedures around the use of text messages.
Mobile devices will continue to be a security risk to patient information. Organizations need to take a hard look at how mobile devices and patient information is protected on these devices.