A first-year resident is on call for an overnight shift on a general internal medicine ward and receives a text message from the senior resident, saying that there is a patient in the emergency room who requires admission.
Which of the following would be an acceptable text message from the senior resident to the junior resident?
Come to emerg, Tom Smith (PHN 1234567890) needs admission for a PE. Bed 17
There’s a patient in ER that needs admitting. Tell u about things when u r here.
Patient in ER, PHN is 1234560–look at chest X-ray in Netcare before you come down to do the admission and tell me what u think.
Check on Rose Smith (Rm 16 ward 52) to see if her left leg cellulitis is spreading before coming to emergency to admit a patient. Here’s a picture of her leg from 2 pm this afternoon (a picture would be included in the text)
The correct answer is B, as there is no confidential health information contained in the message.
With the widespread use of smartphones and tablets, texting has become one of the most common forms of communication. It’s easy, quick and enables individuals to connect with each other from almost any location. Texting apps such as WhatsApp have also provided a common platform for individual and group communication. However, despite the convenience, texting may not be suitable for communication if texts, including images, contain confidential health information that could potentially identify an individual.
In Alberta, the Health Information Act (HIA) provides the legal framework for collecting, storing and disclosing confidential health information. As such, any electronic communication that contains confidential health information, including the transmission of such information, must meet the requirements set out by the HIA, including the requirement that a privacy impact assessment (PIA) be submitted to the Office of the Information and Privacy Commissioner of Alberta (OIPC). Failure to do so may constitute a privacy breach for which the OIPC may levy individual fines as set out by the recent HIA amendments, or other penalties as determined by the outcome of a privacy breach investigation.
In the example above, options A and C contain the patient’s personal health-care number (PHN), and D contains the patient’s name, location and medical condition. In addition, the transmission of pictures via text is typically not appropriate as “metadata” may be attached to the image data file, including date, time and the coordinates of where the picture was taken. Images may remain on a smartphone or be synced to a cloud service without the knowledge of the user.
Keeping information safe and accurate
Transmitting texts over cellular networks, or even University of Alberta or Alberta Health Services (AHS) wireless networks, may not be sufficiently secure to meet the requirements of the HIA. Before using a third-party messaging app (e.g. WhatsApp) to communicate confidential health information, a PIA would be required to be submitted to the OIPC. Even if the third-party app claims to be encrypted, its use without a PIA could still be considered a privacy breach and subject to the penalties under the HIA.
Practical errors are another important consideration. For example, patient care orders should not be sent between team members to write on a patient chart, as content errors can be made due to typos or autocorrect, and errors are possible in transcribing the text to the chart.
Even if a patient acknowledges the risk or provides consent to having their health information texted, this does not absolve the custodian or affiliate of any consequences under the HIA of not having reasonable safeguards in place.
The OIPC and the Canadian Medical Protective Association (CMPA) provide advice on texting with patients.
AHS’ Policy on Wireless Devices has the following clauses on information security and privacy:
4.1 Health, personal, and business information in the custody and control of AHS is not to be collected, accessed, transmitted, or stored on mobile wireless devices unless the mobile wireless device meets the information security requirements outlined in the Information Technology (IT) Acceptable Use Policy and applicable Information Risk Management Standards.
4.2 Collection, access, disclosure, transmission, and storage of information in the custody and control of AHS on a mobile wireless device must be in accordance with the Health Information Act (HIA) (Alberta), the Freedom of Information and Protection of Privacy Act (FOIP) (Alberta), and applicable AHS policies.
4.3 Health, personal, and business information in the custody and control of AHS may only be transmitted by Short Message Service (SMS or Text Messaging), Multimedia Messaging Service (MMS), or any other messaging application (including email) from a mobile wireless device, if the transmission is in accordance with the requirements in the HIA, FOIPP, and applicable AHS policies. Transmission of personal, health, and business information in the custody and control of AHS must meet or exceed the encryption and information security standards in place for transmission of information by electronic mail as set out in the Transmission of Information by Facsimile and Electronic Mail Policy and the Emailing Personally Identifiable Information Procedure.
4.4 Mobile wireless device users must take reasonable precautions when making a call or viewing information on a mobile wireless device to ensure that health, personal, and business information in the custody and control of AHS cannot be overheard and/or viewed by unauthorized parties.
Read the full policy here.
If you have questions regarding texting or secure electronic communication contact the FoMD’s Health Information Privacy Advisor at 780.492.7111 or firstname.lastname@example.org.
Visit the GetHIP! webpage to view archived issues here.