When the HIPAA Security Rules were promulgated over a decade ago, one of their most controversial tenets was a prohibition on texting patients any Protected Health Information (PHI) unless a HIPAA-compliant encryption system was utilized.
If a physician does not use an encryption system, the doctor may send PHI if, and only if, safeguards are enacted to ensure the identity of the patient, the patient is made aware of the risk, and the patient provides explicit consent to receive the PHI. The physician must also ensure that audit controls are in place to record when the message is sent and received, and to ensure the integrity and security of the PHI transmission. Such communications are also part of the medical record, meaning that texters should have a way of memorializing such interchanges in the record. It is for these reasons that doctors are urged to use secured patient portals or encryption software when sending PHI to their patients.
Members are reminded that the penalties for HIPAA breaches can be severe. Not only does the Office of Civil Rights have the authority to impose fines of up to $69,000 per day, but violations also can subject physicians to license discipline at the state level, as well as possible lawsuits from the impacted patients.
Those having questions may contact Society legal counsel Chris Nuland at [email protected] for further information.