Warning: Texting Patients' Sensitive Information Could Have Serious Consequences

Tuesday, August 19, 2014
By Lance O. Leider, J.D., The Health Law Firm

I regularly lecture to residents and interns of local hospital residency programs. I like to discuss life skills for health care professionals that they may not learn in a classroom. At the end of the discussion, it never fails that I get at least one question regarding text messaging. For example, "Can I text another doctor about a patient?" or "Is text messaging an acceptable way to communicate with my patients?"

These questions are not uncommon since almost everyone texts. It is an easy and convenient way of communicating. However, text messaging within your practice can present legal issues that you may not have considered.

Real-Life Text Message Breach.

According to Information Week, a physician treating a nursing home patient at a skilled nursing facility asked a nurse to text his patient's lab results to him. The nurse complied. And even though only the two medical professionals saw and read the message, the facility ended up facing consequences for using an unsecure messaging medium.

The Centers for Medicare and Medicaid Services (CMS) gave the skilled nursing facility an "e-level deficiency." This means there was no actual harm but potential for more than minimal harm. As a result, CMS imposed a 10-point Directed Plan of Correction (DPOC) to be implemented. The skilled nursing facility was required to:

-    Revise Health Insurance Portability and Accountability Act (HIPAA) policies and procedures;
-    Hire an external contractor to educate employees, physicians and the governing body during "on-site, in-person, face-to-face" training;
-    Designate a HIPAA compliance officer for the facility;
-    Determine how to address any loss of personal health information (PHI); and
-    Send a letter to all residents and families notifying them of the alleged HIPAA violation and the steps the facility is taking to fix and prevent new occurrences.

This incident is a stern reminder to health care professionals and providers that the government is cracking down on HIPAA violations and the risks associated with unsecured communications.


What the HIPAA Rules Say on Texting.

Text messaging is not the recommended form of communication when discussing sensitive electronic PHI (e-PHI). If your mobile device is stolen, lost or discarded, anyone can easily access the messages. Also, when you send a text message, you cannot be certain that the text is being read by the intended recipient. Security is further limited because the messages are not encrypted.

That being said, the HIPAA security rule allows health care providers to communicate electronically. However, there are safeguards covered entities must comply with to protect individuals' e-PHI. These include:

1.    Ensuring the confidentiality, integrity and availability of the information;
2.    Protecting against any reasonably anticipated threats or risks to the security or integrity of the information; and
3.    Protecting against unauthorized uses or disclosures of the information.

The standards specifically require a covered entity to implement security measures that guard against unauthorized access to patients' e-PHI while it is being transmitted over an electronic network. The standards add that the specifications for implementing transmission security include both integrity controls and encryption.

Tips for Text Message Policies.

Prohibiting texting in a health care facility is not realistic. You can, however, implement safeguards to reduce your liability. Some of these include:

-    Risk assessments - Conduct periodic checks of your personal mobile devices and have employees do the same to ensure no e-PHI is stored on the device.
-    Missing device policies - Implement a plan of action for when a mobile device is lost or stolen.
-    e-PHI procedures - Have a policy regarding retention or destruction of electronic communication.
-    Training - Educate staff on why protecting e-PHI is important.

Some technical safeguards that can be put in place include:

-    Encryption - Many mobile devices can be encryption-enabled. Using encryption may insulate an entity from HIPAA fines.
-    Auto-lock - Set the mobile device to lock its screen automatically after a brief amount of time.
-    Enable Wi-Fi network security - Mobile devices that use public Wi-Fi or unsecured networks to send and receive information risk exposing e-PHI.
-    Passwords - Create a complex password on the device.
-    Storage - Only store e-PHI on these devices when necessary and delete the files as soon as possible.  

Text messaging is a useful tool, and one that your patients may come to expect you to use. If you choose to text, consider the risks and take measures to address those risks.


As a health care professional, do you text patients or colleagues? If so, what text messaging policies and procedures do you have in place? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).
For more information about HIPAA violations, electronic health records or corrective action plans (CAPs), please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.


Diana, Alison. "Insecure Communications Costly For Hospitals." Information Week. (July 28, 2014). From: http://www.informationweek.com/healthcare/security-and-privacy/insecure-communications-costly-for-hospitals/d/d-id/1297602

Whitehead, R.N., J.D, Ann. "Texting Patient Information: Risks and Strategies for Physicians." Physicians Practice. (December 2, 2013). From: http://www.physicianspractice.com/blog/texting-patient-information-risks-and-strategies-physicians

Cepelewicz, M.D., J.D., Barry. "Text Messaging with Patients: Steps Physicians Must Take to Avoid Liability." Medical Economics. (May 23, 2014). From: http://medicaleconomics.modernmedicine.com/medical-economics/news/text-messaging-patients-steps-physicians-must-take-avoid-liability?page=full

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone:  (407) 331-6620.


"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.
