In the medical world of 2018 where smartphones and technology interact daily with health care and private patient records, doctors today regularly find themselves communicating via text message with fellow staff and hospital employees. Almost all doctors and hospitals are required to use third-party HIPAA compliant text messaging apps in order to ensure that the Protected Health Information(PHI) they are communicating is secure and confidential. Some of the popular HIPAA compliant apps in the marketplace today include Tiger Connect, Doc Halo, Imprivata, and OhMD.
Doctors and nurses are increasingly finding that text messaging is a quick and easy form of communication while they are on their shift or making rounds in the hospital. Messaging is also an effective means to give short directives regarding a specific patient's needs to any fellow physician or nurse who is part of the medical team on duty.
Are normal text messages and SMS messages considered HIPAA compliant?
If the text messages being sent or received contain PHI, the answer is no! The primary reason for this is that standard text messages are not encrypted when they are sent or received. Furthermore, when an doctor sends a text via any default messaging app on their device, there is no system in place that prevents the message from being sent to an incorrect phone number or contact. Also, should the device containing the messages fall into the wrong person's hands, the messages would easily be accessible by anyone! HIPAA legally requires that "access controls" be implemented for all electronic protected health information(ePHI). This ensures that anyone with access to a smartphone would be required to have a username and password to log into the messaging application that is used to transmit or store sensitive medical data.
There are some messaging applications like WhatsApp that automatically encrypt messages when they are sent. However, for the aforementioned "access control" reasons, many health professionals feel that WhatsApp is still not secure enough to be used for sending ePHI. Something interesting to also note as referenced in the HIPAA Journal, is that HIPAA technically doesn't require that "encryption" be implemented so long as another equivalent system is in place. Phew, this can be confusing!
Doctors that bring their own devices to work at their hospital or practice - (BYOD)
While HIPAA compliant apps and communication solutions are standard today for any hospital or physician, most doctors also regularly bring their own devices to work(BYOD). This trend of having access to one's personal smartphone while at the office or making hospital rounds leads to many doctors accidentally using the default messages app on their iPhone or iPad to send work related messages to colleagues or staff. Despite physicians knowing that the Apple Messages app is not HIPAA compliant, it can be an easy mistake for any physician to slip back into the mode of texting work colleagues via their personal iPhone since they regularly use the iPhone Messages app for everyday (non-work related) communication outside of the hospital or their practice. Most physicians are savvy enough to never text sensitive patient records with their personal iPhone, however often times text messages of a less sensitive nature (but still work related) are sent and received by doctors on their personal device.
For this reason, many physicians, doctors, and nurses now choose to make it a regular practice to backup and save their personal iPhone text messages to their HIPAA compliant computer, and then delete their iPhone text messages from their iPhone. This ensures that all text messages on their non-work smartphone are copied safely and backed up to their HIPAA compliant hard drive. Doctors then have the peace of mind knowing that, should the need ever arise, they can easily print, email, or access a PDF of all work-related text messages stored on their personal iPhone or iPad. This is also helpful for hospital staff who need to document and print text messages from co-workers for human resources or any other on-the-job issues.
How to save physician's text messages on any personal iPhone
It's important to note that if you plan to export text messages from your iPhone that may have sensitive information to your computer, then you want to make sure that your computer hard drive is encrypted for HIPAA compliance. Here are some suggestions for tools for Windows PCs to set up an encrypted hard drive. For Mac, here are instructions for using FileVault to encrypt your Mac hard drive.
Steps for doctors or hospitals to follow in order to save, print, and archive iPhone text messages:
Step 1 - Back up the iPhone or iPad via iTunes
When an iPhone or iPad is plugged into any Mac or Windows computer and iTunes version 12 is running, you will see the device icon in the upper-left portion of the iTunes window. Select the device and a summary page will appear.
Older versions of iTunes
If you still have an older version of iTunes, the button for one or more iOS devices is located in the upper-right corner of the window. Once selected, the summary page will appear. If you do not see the button for your phone in the right corner of the iTunes window, you can double-check the left-side of your iTunes window for a list. Your phone should appear under "Devices" in that list. Choose the device name in order to bring up the information window for your device.
In iTunes on the Summary page, you will see the “Back Up Now" option. When you click "Back Up Now," it will prompt your iPhone to make a local backup. If you still have issues backing up your iPhone, our FAQ article on how to back up your iPhone or iPad via iTunes can help make sure you are following the correct steps.
Step 2 - Run Decipher TextMessage on your PC or Mac
Decipher TextMessage lets you export and save all your iPhone text messages. The program runs on your computer and not directly on your device. All your data saved with Decipher TextMessage is private and secure on your personal computer and only you have access to the data. The first time you launch the software your iPhone (or any previous backups on that computer) will be present in the left-hand window of the program.
Step 3 - Select a contact whose text messages who want to save
After selecting your device in the left-hand column of Decipher TextMessage, you'll then see your iPhone contacts in the middle column like in the screenshot example above. You can navigate up and down in the middle window to find the specific work contact or phone number you are looking for.
With a contact selected, you will notice all the messages with that person in the far-right column. Select “Export” in the menu and choose the PDF option. You will be prompted to save the PDF document. We recommend saving it to the desktop so you can easily find your exported text messages.
Step 4 - View and Print Text Messages
When you open the saved PDF document containing all your text messages and attachments, you can immediately print the file. There is also an export as HTML option if you want to save the text messages to your PC or Mac and view them in your web browser. Some individuals like this option since it lets you have a separate folder containing all the attachments (photos or videos) and you can view just the pictures or videos on their own.
Conclusion - Managing text messages for doctors and medical staff
We hope that our blog about how best to manage BYOD text message data for physicians and doctors has been useful. Understanding the HIPAA compliant laws and requirements when it comes to secure messaging can be a bit complex and overwhelming when you first dive in. Almost all physicians and medical practices have HIPAA compliant messaging systems in place at their facility or office. Any doctor who also chooses to bring their own personal device to work should consider regularly transferring their text messages to a HIPAA compliant computer and then deleting work related text messages that are stored on their personal smartphone. It only takes a few moments to do so each week and it will guarantee that the physician has archived copies of the messages should the need ever arise to access them.