Just sign the waiver...what could go wrong?
Talking with potential customers about how they interact with patients is a pretty normal agenda item for meetings at CirrusMD—after all, we help connect patients and doctors for better continuity of care through our virtual care platform.
Recently, though, we’ve noticed a recurring theme among some direct primary care physician groups we’ve met. When we ask how they’re managing communications with their patients, they respond that they’re giving out the doctors’ cell phone numbers so they can treat patients via SMS text message.
Just this past spring, the Joint Commission ended its five-year-old ban on text messaging, recognizing the value of messaging for the delivery of care, with the caveat that “a secure text messaging platform [be] used and the required components of an order are included.”
So the obvious follow-up questions are: how are the text messages not a HIPAA violation, and how are they protecting patient information? Usually the response is simple: patients sign a waiver.
The problem here is two-fold: 1) SMS text messaging is inherently not HIPAA compliant, and 2) HIPAA waivers don’t allow you to insufficiently secure your patients’ personal health information.
Start at the beginning: what does it mean to be HIPAA compliant? The Health Insurance Portability and Accountability Act (HIPAA) sets the guidelines for organizations with access to sensitive Personal Health Information to protect that information on behalf of patients. Among other things, HIPAA and its corresponding rules require that information be protected or encrypted both at rest and in transit.
So why aren’t text messages HIPAA compliant? Your average, everyday text message fails to meet the standards of HIPAA because there is no accountability for the protected health information (PHI) in these messages. The sender has no control over who receives the message: it could be sent to the wrong person, edited before being forwarded to a third party, or intercepted along the way. Plus, SMS texts are stored unencrypted on telecom carriers’ servers indefinitely. Furthermore, companies like Verizon, AT&T, and Sprint aren’t signing business associate agreements with each healthcare provider, which is a requirement for anyone who has access to PHI—an arrangement that would require those companies to maintain HIPAA compliance themselves.
But signing the waiver means the doctor can do whatever they want with my information, right? WRONG! The Department of Health and Human Services says, “signing [a waiver] does not mean that you have agreed to any special uses or disclosures (sharing) of your health records.”
Just because a patient has signed a HIPAA waiver doesn’t suddenly mean they’ve given up all their rights and a doctor can start sending their PHI via text. The HIPAA Privacy Rule allows providers to communicate information with their patients; however, to protect the patient’s privacy, doctors must limit the information that’s disclosed. Given the intrinsic risks of SMS text messaging, there just isn’t a way for a doctor to treat a patient via text message without violating HIPAA.
So, how are these physician groups getting around the law? In short, they’re not. Rather, they’re practicing medicine with a hope and prayer that nothing goes wrong or that they don’t lose their mobile device with unsecured data on it, potentially leading to a complaint being filed with HHS. If they’re found guilty of the violation they face fines of up to $50,000 per violation and up to ten years in prison. It isn’t clear how HHS would quantify each violation for a HIPAA breach from text messaging, but if they determined that it was $50,000 per insecure text message sent, that could add up very quickly.
Even if the waiver were all it took to get around HIPAA, treating patients via insecure text messaging promotes discontinuity of care because there is no integration with the patient’s electronic medical record. That disconnect means that for another provider to be aware of a patient’s recent encounter, the original doctor would have had to manually go into the patient’s health record and document the situation—a practice that takes time providers just don’t have. Additionally, this disjointed approach to care means patients are missing out on the continuity of care that leads to better outcomes.
At CirrusMD, our platform allows patients and providers to securely connect using the most common form of communication in 2016: text messaging. However, because the messaging application is incorporated into our HIPAA-compliant app, which is integrated with the provider’s EMRs, HIEs, and patient portals, patients are getting the best virtual care possible without putting their information at risk.
In short, if you’re thinking about just having your doctors hand out their cell phone numbers, know that implementing a comprehensive virtual care offering will save you a lot of headaches, give your patients better access to care and put you back within the law.