Practice Tips: Is ‘secure’ texting an oxymoron or a possibility?

A Meaningful Use requirement mandates that physicians must “use secure electronic messaging to communicate with patients” via certified EHR technology (CEHRT) with at least 5% of their unique patients. This requirement is referring to any kind of electronic communication, including e-mail, patient portals, and any other form of electronic means of communication. E-mail is convenient but usually not secure, and patient portals often require 2 or more levels of security and many are far from convenient even if secure. The simple fact is that patients under the age of 30 or 40 want to communicate with their doctors electronically with texting being the most commonly used and convenient.

However, electronic communication in health care must be secure and, like it or not, text messaging isn't. It does not comply with the Health Insurance Portability and Accountability Act (HIPAA) standards for security. There are many options on the market that claim to be secure, but there are several critical problems with many of them, not the least of which is the inability to verify the identity of the recipient. Another problem with these available methods is that they are incompatible with each other or, more important, with CERHT. Further, there are multiple competing apps, and it is not realistic for a practice to select an app and then require or even expect patients to install the same one.

All this doesn't mean that texting can't have some place in physician communication, but for including any individually identifiable health information, there are some important considerations. Consider the different viewpoints. One blog post at the New York Times suggests that texting is not secure for things that really need to be secure. Another article offered some good advice before using texting in a practice. For example, establish some clear policies regarding who can communicate what by text, what circumstances are and are not appropriate, and how text messages will be handled, if at all, in the context of patient care, including physician-to-physician communication.

Think of it this way: Is there any possibility that a text will end up in court because you were unable to include it as part of a patient's chart? If the answer is yes, then maybe it would be better to use a more secure means of communication, such as secure e-mail via a CEHRT portal or the good old-fashioned telephone. Until there is a generally agreed upon standard supported by multiple applications, “secure” texting is neither practical nor recommended in a health care context.

For more information about technical safeguards required by the HIPAA Security Rule, see the Security Risk Assessment Tool Kit. One section of the Tool Kit specifically addresses the security of mobile devices, as well as several related resources, including policy and procedure development and training videos.