Resource Library

In the digital practice — where sensitive business and patient information is stored electronically — ransomware is one of the most devastating forms of malware. It works by encrypting or blocking access to sensitive files and demanding payment to restore access.¹ The loss to a healthcare practice — and its patients if medical records access is blocked — could be devastating. If the attack is successful, it is nearly impossible to recover the data without paying the ransom.

A 2023 survey found that more than a third of U.S. adults—40%—use health apps to achieve fitness goals and track their health, an increase of 6% since 2018, while more than a third use wearables, an increase of 8% since 2018.¹ On the clinical side, roughly a third of physicians, residents, and medical students believe data from consumer health apps and wearables—aka, mHealth—can be very beneficial to patients but they also feel largely unprepared to incorporate it into their practice.²

Text messaging has changed the way we communicate with each other. Like most people, healthcare team members use their mobile devices at work,^1,2,3 and texting about patients is common.⁴ Texting with patients and other members of the healthcare team has risks and benefits.

Texting protected health information (PHI) without proper safety and encryption processes in place could result in HIPAA/HITECH violations, and noncompliance with CMS and accreditation requirements for secure text messaging, and violation of state medical information confidentiality laws. Because PHI goes where the phone goes, ensuring the privacy and security of PHI sent by text messaging can be challenging.

The medical record is not the forum for blame, personal attacks, or finger pointing.¹ Text messages relating to patient care should be considered part of the medical record (whether they are transferred to it or not), and the same rule about appropriateness of forum should apply. If something about patient care is important enough to be texted, it should be included in the medical record. If it is something that does not belong in the medical record, then it should not be texted. It seems clear that the members of the healthcare team texting each other in the following case study did not expect their text messages to be used against them in the malpractice lawsuit.