Do you or the facility you are employed use text messaging or a mobile device to transfer or share patient information? If yes, please be aware that you may be violating the HIPAA privacy rules.

The HIPAA privacy rule provides an individual with the right to access and amend protected health information (PHI) about the individual that is maintained in a designated record set. The designated record set includes PHI "used, in whole or in part, by or for the covered entity to make decisions about individuals."

If text messages are used to make decisions about patient care, then they may be subject to the rights of access and amendment. If the electronic device cannot provide patients with access to or amend such text messages there is a risk of noncompliance with the privacy rule.

Texting is a rising concern in the place of employment. 

Individuals should not use non-hospital or facility devices to share patient information.

If devices are provided by the facilities to transport patient information between clinicians in and out of the facility then those devices need to be registered with IT and encrypted.  On the resignation of a clinician or an electronic device then the device must be “cleaned” of all pertinent information.

Protected health Information (PHI) should not be transmitted on personal electronic devices and this should be relayed to all clinicians within health networks and private facilities.

Policies should be written to reflect these guidelines and the disciplinary actions that will be sought if personal electronic devices are found to be carrying PHI.

Source: 1. HIPAA, Public Law 104-191, 45 CFR §§ 164.524, 164.526.