Text messaging and app security in telehealth?
Licensed behavioral health practitioners must be mindful of HIPAA when interacting with or discussing identifiable clients/patients through texting. These risk management procedures related to texting may prove helpful:
- If you have billed electronically as a healthcare practitioner, you are a “covered entity” in the eyes of HIPAA. You, therefore, are legally responsible to follow all the rules set by HIPAA when treating citizens of the U.S. through texting as well as any other digital means. If you are in a different country, your country is likely to have its own privacy and/or security laws. Be knowledgeable of and in compliance with all such laws.
- When delivering healthcare through technology of any type, consider your legal and ethical requirements related to informed consent. Have a detailed discussion about privacy and security issues related to texting during your informed consent process. Review your informed consent document to make sure that your practices are adequately described and all cautions are carefully listed.
- Consider investigating the practices of your texting service. Here are a few precautions to take and specific software packages to consider installing on your smartphone if you choose to use such devices in your work:
- Be leery of text messages, system messages, or other events on your phone that you didn’t expect or initiate. Do not respond.
- Do not leave your device in a public area where it can be stolen. Leaving your phone on the tabletop while you quickly run to the restroom in a cafe is an invitation for a passerby to take your device, along with all your client names, phone numbers, and text messages.
- If a security breach occurs, remember your obligations under federal law.1 In the United States, you must contact all parties involved in writing.2
- Install an additional firewall, a program to detect malware and spam, and message blocking on your smartphone. These can be part of a text messaging package that you purchase for your mobile phone, tablet, laptop, or desktop if these technologies are used to access text messages.
- Realize that even when you delete a message from your texting program, it may still reside on the SIM card or in the circuitry of the device.3
- If ever your records for any particular client/patient are subpoenaed, any device used for texting with that client may be confiscated by the court. If it contains texts of others in your practice or your personal life, those records then will be visible to the court.
- Some professionals using mobile devices for communication with patients purchase dedicated devices and lock them in a file cabinet when not in use, because, in essence, they contain patient-related information. State law often contains regulations that require clinicians to store patient files in locked cabinets when not in use. How far you want to carry these precautions is a discussion for you to have with your telehealth-knowledgeable attorney.
- At the very least, the electronic exchange of any information that can compromise patient privacy should be encrypted by HIPAA-compliant software for storage on any device.
If you accept text messages or smartphone, iPad, or other website information containing patient-identifiable information on your mobile device, the following steps are even more specific safeguards you can implement. These are particularly relevant to handling text messages securely so that they can be printed or saved for clinical records:
- Use a service such as Mobile Spy4 to record text messages from Windows Mobile and Symbian OS smartphones.
- Tell patients that text messages can be forwarded to the therapist’s email address via applications, which may be used on iOS and Android devices.
- Some smartphones, like iPhones or Android-based systems such as Samsung, allow the owner to buy applications that can take “screenshots” (pictures) of their text messages. The screenshot can then easily be sent to an email address as an attachment to be archived.
As we mentioned above, consider your own practices, as well as those of your texting service. If they send texts to you through any medium that is not secure (such as your free Gmail or Yahoo account), the service is not secure, regardless of their claims. To be secure, every exchange with you must be in a closed, secure environment.
1 See TBHI’s training program entitled, Legal/Ethical Issues I: Rules, Regulations & Risk Management.
2 If you use your phone to store contact information, do you have a printed list of all your patient names, numbers and street addresses?
3 Giving your device to a friend or family member can be problematic if you have not secured your patient exchanges in a private and secure software package on that device.
4 See TBHI Buyer’s Guide for more options.
Therapists are finding that clients are increasingly asking for text messaging in therapy. TBHI’s online training event entitled, “Text Messaging Therapy? 12 Risk Management Considerations to Keep You Out of Hot Water” will review basic risk management approaches to using text messaging as the basis for clinical care. It will outline 12 ways in which text therapy may expose you and your client or patient to undue risk including HIPAA-compliant text messaging, types of text messaging services, and ethical codes that relate to text messaging. It will also clarify considerations for accepting employment from online text therapy companies.