When patients want to text: HIPAA, OMG! See you L8R, privacy?

You are wrapping up an exam with a longtime patient who has presented with a moderate-to-severe case of dermatitis on her hands. You have prescribed a topical medication and instructed her on how and when to apply it.

As you are about to leave the exam room, your patient makes this request of you: “I am going out of town next week on business, but I would like to send you a picture of my hands after I’ve used the cream for a number of days. May I have your cellphone number so that I can text you some pictures to look at my hands?”

How, as a physician, do you respond? The AMA has guidelines regarding patient-physician email exchangesprivacy and confidentiality, and the confidentiality of computerized records. At its Annual Meeting in Chicago this June the AMA House of Delegates will consider a Board of Trustees (BOT) report that would expand the advice on email communication with patients to include text-based messaging. The forthcoming guidance could help physicians determine:

  • Whether it is appropriate to reply to your patient’s query through text-based communications.
  • How, once you have deemed it appropriate, to send a text to the patient that meets various transmission criteria.

The AMA guidelines for emailing patients—and the guidelines put forth on texting—emanate from a clear understanding that this is a brave, new world in which physicians and other professionals are managing confidential and often sensitive information. Patients frequently want to receive relevant details in the speediest and tersest ways possible: namely, emails and texts.

It turns out that many physicians favor the same modes of communication. A 2013 study published in the Journal of Surgical Education indicated that most surgical residents preferred communicating with each other about patient-care matters through texts.

Nothing can replace the face-to-face meeting between a physician and patient in a clinical setting. That encounter is, at its core, the foundation of the patient-physician relationship, built on personal knowledge, trust and dialogue that begin with one-on-one conversations.

But recognizing that new technology has irrevocably changed the way we communicate—and that it will continue to influence how we “talk” to each other and to patients—there are some basic standards of engagement to keep in mind.

First comes the complicated question of how HIPAA is implicated when texting with patients.. According to the AMA’s forthcoming BOT report, physicians and other health professionals should talk with their legal counsel and information technology experts to understand their obligations under the HIPAA Security Rule. Generally speaking, federal law requires physicians and other entities covered by HIPAA to conduct a risk assessment to determine how the privacy and security of protected health information (PHI) could be compromised when it is communicated electronically, dubbed e-PHI.

The AMA Education Center features a module, “The Nuts and Bolts of Achieving HIPAA Security Rule Compliance through Effective Risk Assessment,” that can help you better understand and comply with this area of federal law.

The Department of Health and Human Services also has offered specific advice to physicians and other health professionals on how to follow privacy and security standards while using mobile phones for patient-care purposes.

Physicians should also note that policies for texting may differ when communicating with patients vs. communicating with colleagues. For instance, if a patient initiates a text exchange, current HIPAA guidance notes that this may provide consent to communicate in this manner. Before engaging in text communications with patients, physicians may wish to obtain written consent from them acknowledging any risks associated with the transmission of such messages, such as possible disclosure to third parties for whom the messages were not intended.

So, what should you do after your patient with dermatitis has signed a consent form and texted you pictures of her hands? If you have agreed to reply to her with a text message, keep these points in mind.

Remind patients that there are privacy issues involved. There is—and will always be—a question as to the level of encryption of electronic messaging. You and your patients may both believe that your texts are secure, but there is never an absolute certainty of such protection, as recent cases of hacking remind us. In addition, if others have access to your patient’s cellphone, privacy can never be guaranteed.

Establish a clear understanding of time frames for communications. Patients who text you want prompt responses—that is why they are communicating with you in this manner. But should patients text you at all hours of the day or night, or on weekends, you will need to establish boundaries—and adhere to them. Let patients know in advance reasonable time frames for responses.

Maintain a cordial yet businesslike tone in your exchanges. Refrain from making jokes in your texts. Do not send any emoticons and do not convey any sense of anger, frustration or sarcasm in your messages. Do not use shorthand or abbreviations. Clarity is key. Always end your texts with your full name and your business affiliation, whether it be a hospital, clinic or other organization, and request that your patient text you back to acknowledge receipt of your message.

Refrain from using patients’ identifying information. Such information would include the patient’s full name, date of birth and Social Security number.

Proof your texts carefully before sending to ensure accuracy. When doing so, be highly attuned to autocorrect functions that may change an intended word—say, “abrasion”—to one that could possibly be misconstrued and taken as offensive, such as “abrasive.”

Set texting limits. If patients text you questions requiring detailed explanations, or if they continues to engage you in prolonged back-and-forth texting, do not answer in kind. Advise them to call your office to schedule an in-person appointment or phone meeting.

Keep text records. When possible, retain and archive all text communications with patients so that they can be retrieved, if needed.