OCT 01, 2015
Question: I am a third-year resident and recently responded to this question from a second-year resident following up on a recently admitted patient. I knew exactly who he was asking about, and I replied by text, “She was admitted, DDX is filamentary fungal keratitis. Pretty rare. She’s in 517. Take a look.” I was using my personal cell phone, which is not encrypted. Later, I learned that this is considered a HIPAA breach because the text included enough information that the patient could possibly be identified by people in the community. Can patients ever be discussed via text without violating patient privacy?
Answer: Although It is common for health care providers to access and relay protected health information (PHI) to other providers using mobile devices, doing so is risky. This is because the devices are small, portable, easily visible to others, unlikely password protected or encrypted, likely to connect with Wi-Fi (further risking interception), and highly vulnerable to being stolen.
If you choose to communicate this way, be sure to use an encrypted, password-protected device. When discussing patients you must remove any patient information that could be used to identify them. Per HIPAA, there are 18 identifiers of PHI - they include everything from the patient’s social security number to the vehicle identification number of their automobile.
All communications with patients, the public and colleagues, whether via social media or in more traditional frameworks, must adhere to appropriate standards of ethics and professionalism in order to maintain the public’s trust in the medical profession. Your training facility likely has a program for trainees about HIPAA and patient privacy. Take advantage of what information is available because you can’t plead ignorance once you’ve been the source of a leak.
For more information on HIPAA, visit http://www.hhs.gov/ocr/privacy/index.html. To submit a question for this column, contact the Ethics Committee staff at ethics@aao.org.