Text messaging with patients: Steps physicians must take to avoid liability

May 23, 2014

As the number of people using text messaging steadily increases, many physicians similarly feel the urge to use text messages to communicate with their patients and colleagues. However, using text messaging in your practice can present legal issues that you may not have considered.

 

As the number of people using text messaging steadily increases, many physicians similarly feel the urge to use text messages to communicate with their patients and colleagues. Like others in the general population, physicians find text messaging to be even more convenient and efficient than emails. However, using text messaging in your practice can present legal issues that you may not have considered. 

In fact, many physicians who text message do not take into account that the information they send and receive should probably be included in their medical records, nor do they consider the possibility that the protected health information (PHI) in their text messages is not being accorded the necessary privacy and security protection.  Even among physicians who take appropriate measures to protect the privacy and security of their emails, many inexplicably treat their text messages differently, and to their potential detriment.

Include texts in the record

Any text message that involves the transmission of information that would be considered PHI, including information relating to the treatment of your patients, should be considered part of, and therefore incorporated into, your medical record.  Most physicians would readily agree that a letter from a patient describing a medical condition or correspondence from another treating physician offering treatment recommendations should be included in the medical record, and that a telephone conversation relating to a patient’s care should be memorialized in the record. 

Similarly, if your text messages include PHI, then you must ensure that you are compliant with all applicable laws that govern PHI, including the Health Insurance Portability and Accountability Act (HIPAA). That includes retaining the text messages for the legally required period of time; allowing your patients to access and amend the text messages; and entering into Business Associate Agreements with the appropriate vendors.  Thus, if you simply delete all your texts thinking that is the best form of protection, you might find yourself in violation of the law. 

Moreover, from a professional liability perspective, you would not want to put yourself in a position where a patient suing you for malpractice can make claims that hinge on various text messages between you and the patient, and you did not retain copies of those messages.

Next: Security risks and creating message policies

 

Security risks 

Text messaging has significant privacy and security risks. For example, if your device is stolen, lost or discarded, anyone can easily access the messages without having to use a password or some other form of authentication. When you send a text, you cannot be certain that the text is being read by the intended recipient and security is further limited because text messages are not encrypted. 

Not surprisingly, the Joint Commission opined that “it is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.” (The Joint Commission; Standards FAQ Details; Record of Care, Treatment, and Services (CAMH/Hospitals); Texting Orders;
November 10, 2011.) 

While the Joint Commission’s comment is arguably limited to orders, it certainly highlights its concerns regarding using text messages. 

Creating message policies

So what are your options? The most obvious is simply to prohibit the use of text messaging in your practice. However, if that is not a realistic option, then you must determine where you are most vulnerable and create policies that will enable you to implement safeguards to reduce your liability exposure. 

The policies you create may require, among other things, that:

  • only certain non-urgent information may be included in your text messaging;

  • there must be verification of who received the message (i.e., an authentication process);

  • the text messages can be audited, monitored, and easily accessed;

  • devices used for text messaging are password protected and encrypted;

  • text messages that relate to patient treatment are incorporated into the medical record and then deleted from the mobile device;

  • text messages are retained or deleted pursuant to defined protocols;

  • devices are purged of all texts and emails prior to being discarded or exchanged;

  • devices are “registered” with the practice, and in the event the device is lost or stolen, the practice is immediately notified; and

  • the practice informs its patients about its text messaging practices and obtain their consent, or lack of consent, which should be included in each patient’s medical record. 

A patient’s consent may include the kinds of information the text messages will include; who will have access to the phone on the patient’s end; that once texts are reviewed by the patient they will be deleted; and that should the patient’s phone or phone number be changed, they will notify the practice in writing.

Text messaging is a very useful tool and one that your patients may increasingly expect you to use.  If you choose to do so, you must consider the various risks and take appropriate measures to address them.