HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Pediatricians Risking HIPAA Violations Sending SMS Messages

The pager has served doctors and medical professionals well since the 1940s and an estimated 90% of hospitals are still using the devices for communication between members of the care team. However an increasing number of medical professionals are turning to Smartphones to communicate, according to a recent survey conducted by the University of Kansas School of Medicine in Wichita. The data even suggests that phone text messaging is about to take over as the primary mode of communication in U.S hospitals.

Smartphones allow doctors to communicate quickly with other members of the healthcare team, but while modern mobile devices offer convenience, the use of SMS in hospitals could result in HIPAA Privacy and Security Rule violations. Text messages are not secure, and any unencrypted PHI sent via the SMS network could potentially be read by any number of people.

Uptake of Smartphones has not been quick in healthcare due to the cost of purchasing the units and making them secure. However, since the majority of medical professionals have a personal phone, Bring Your Own Device (BOYD) schemes can be a cost effective way of taking advantage of the convenience that modern technology offers without healthcare providers having to cover such a high cost.

The recent University of Kansas survey asked 106 physicians from pediatric hospitals around the country about use of Smartphones privately and while at work. 27% of respondents said that their preferred method of communication for short messages was SMS, 21% preferred face to face conversations and 23% preferred pagers.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

In a press release, the lead investigator, Dr. Stephanie Kuhlmann said “We are using text messaging more and more to communicate with other physicians, residents and even to transfer a patient to a different unit.” Kuhlmann, who does not use a pager, says “Personally, I probably get 50 to 100 text messages during a shift.”

90% of respondents claimed to use a Smartphone privately and 96% sent text messages to personal contacts. Half of the respondents claimed to have received work-related messages when they were not at work, 5% received more than 20 messages a day and 12% were receiving at least 10 messages per shift.

Alarmingly, 57% of respondents said that they had either sent or received work-related SMS messages, while only 10% employed a text encryption service. 27% of respondents admitted they had previously been sent PHI over the SMS network.

While the survey suggests that SMS messages are being used more in healthcare, it should be borne in mind that the survey did have an age bias. 62% of respondents had been in practice for less than 10 years, with this group being the most likely to use Smartphones. 68% of the respondents were female giving the survey a significant sex bias.

Even with the biases in the sample, the findings paint a worrying picture. If steps are not taken by healthcare providers to implement the appropriate privacy and security controls, they could end up facing substantial fines for HIPAA violations from the OCR and Attorney Generals’ offices if PHI is sent over an unencrypted network.

Mobiles may be convenient, but without text encryption services the SMS network does not provide the necessary controls demanded by HIPAA. Smartphones and other mobile devices may be the future, but unless action is taken to make them secure, healthcare providers run the risk of exposing PHI. Fortunately, there are a number of easily to implement technologies that can allow SMS messages to be sent securely; only requiring a healthcare messaging app to be downloaded onto Smartphones.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.