By Sharon DiRienzo, Interim Vice President, Patient Safety and Quality; John Mitchell, Director, MLH Cardiovascular Services and Lankenau Heart Institute; and Barbara Wadsworth, Senior Vice President and Chief Nursing Officer
The use of texting to transmit protected health information (PHI) or to provide patient orders is not permissible.
Texting via personal devices is a common occurrence in today’s society. For many providers and staff, personal devices have replaced alpha-numeric pagers as a means to receive communications. This ready availability lends itself to an easy drift into believing the use of non-encrypted devices can be utilized to take photos of wounds, reports, results, or send orders.
- MLH policy Transmission Security for Electronic Information Assets provides guidance in this area.
- The Joint Commission (TJC) determined that although its prior data privacy and security concerns had been addressed, concerns remained about transmitting text orders even when a secure text messaging system is used. In collaboration with the Centers for Medicare & Medicaid Services (CMS), TJC developed the following recommendations:
- All health care organizations should have policies prohibiting the use of unsecured text messaging—that is, short message service (SMS) text messaging from a personal mobile device—for communicating protected health information
- The use of secure text orders is not permitted at this time.
- Orders for patients will not be permitted via the use of texting.
- Sending images via text message is not permitted.
- For cases where results of studies need to be relayed, physicians should be logging on to the EMR to review. If that is absolutely not feasible, under urgent circumstances, the document containing PHI could be scanned and emailed to the physician’s mlhs.org email
- When sending email containing confidential information (e.g. ePHI), the sender should also type the word “encrypt” anywhere in the subject line of the email to ensure that it will be encrypted.
- There should not be further emails regarding the patient’s status, etc. as we risk shadow documentation and information that should be contained in the record documented outside of it.