Over 80% of providers surveyed by the PonemonInstitute admit that they text patient health information insecurely from their mobile devices. Providers report that texting is felt to be more efficient than any other electronic communication tool in the medical setting. Treating patients using texted information and photos has a place in the world of healthcare, but only with the correct safeguards and authorizations in place.
HIPAA and Patient Photos
Since the HIPAA Privacy Rule went into effect in 2003, disclosures of protected health information (PHI) have required a patient's written authorization. Since pictures of the patient are considered part of their health record you are able to disclose them in the same manner as other types of PHI. A patient's photograph that identifies him/her cannot be posted in public areas, such as hallways, without specific authorization from the patient. Likewise, a patient's photograph that identifies him/her cannot be used in any form of publication without the patient's specific authorization.
Clinicians might use their smartphones or tablets to take photos of patient wounds or skin conditions and then text them to a colleague. While this is a quick and convenient way for clinicians to collaborate, it is a significant HIPAA violation as PHI is being shared in a non-secure way. SMS messaging is not a secure form of communication and can result in HIPAA fines. Encrypted electronic communications are covered in our recent article entitled: "Part 3: Mobile Device(s) Policy and Procedures" posted on May 12, 2015. Requiring encryption and user authentication as security measures are two excellent ways to safeguard information that your mobile device may access, store or use.
Prior Authorization for Purposes other than Treatment Payment and Operations
When photos will be used for purposes other than Treatment, Payment and Operations (TPO), a valid HIPAA authorization must been obtained from the patient or the patient's legally authorized representative. The signed authorization must include the purpose (i.e. publication, external presentations, education and training of healthcare professionals) and describe what images will be used or disclosed. Our "HCP Authorization for Release of Patient Photographs"or another equally appropriate form should be utilized when a Patient Authorization is needed. Also keep in mind that when images are utilized for internal training or education purposes, the Minimal Necessary Rule should be followed and identifiable information removed or de-identified. Identifiable images includes facial photos, tattoos, images that include medical record, patient name, case id, or any other unique identifying information.
Again, using texted information and photos in patient care should only be allowed once you've implemented the correct safeguards and authorizations. Requiring encryption and user authentication as security measures are two excellent ways to safeguard such information. Use the "HCP Authorization to Use or Disclose Patient Images" form when such images will be used for purposes other than treatment payment and operations, and always follow the minimum necessary rule.
If you have any questions or concerns about HIPAA policies and procedures for texting and photography in relation to patient care, please feel free to comment below, send us an email at[email protected], or reach us toll-free at 855-427-0427.