One day, Signora Goat texted Signor Goat about his secret. The conversation went something like this:
Later that evening, once Signor Goat had a chance to calm down, he sat down to educate his lovely Signora. “Signora,” he began, “I know you didn’t mean to put my secret at risk when you texted me today, but you did.”
“What do you mean, Signor?” Signora replied.
“Well,” Signor continued, “let me tell you what happens when you send me a text message. You were using an SMS, or Short Message Service, format to text me today. SMS text messages are copied with the exact content you wrote and stored in many different locations. At a minimum, a copy of your message outlining the details of my secret is saved on your phone after you finish typing it, another copy is placed on our cell phone provider’s servers, and then a copy of your message is saved on my phone. It’s like writing my secret down on a sticky note three times, and putting one in your purse, mailing one to our cell phone provider, and sticking one in my pocket!”
“Hmphhh,” Signora protested, “It is not like writing your secret on a Post-it note, because my phone is personal and private and so is yours!”
“You might feel that way, Signora, but what if your phone was stolen? Or lost? What if you decided to upgrade to the new iPhone 7 and gave this one away to your cugino? Would you be sure that my secret was still safe? And, what about my phone? The message is there, too, and it could be lost, stolen, or improperly disposed of!”
“Ok, then I will delete my message from my phone - and,” Signora commented, trying to pre-empt Signor’s counter, “I will make sure you delete the message, too!”
“I’m glad you are willing to go to that much trouble to protect my secret, Signora, but how will you delete the copy of my secret that is now on our cell phone provider’s server?”
“Signor, the cell phone company doesn’t care about your secret!”
“Maybe not, Signora, but the fact is they could see my secret if they wanted to - and what if someone hacked into their servers? The hacker would learn my secret, too!” Signora was finally starting to feel bad about the well-intentioned mistake she had made.
Signora apologized. “I’m sorry, Signor. I did not realize how many ways someone could find out what I texted over my personal phone!”
“I forgive you, Signora. But please remember that text messages do not even use encryption - which means that anyone who intercepts our message knows exactly what we are saying to each other!” Signora and Signor hugged, and shared a moment of tenderness, both glad to be finally understanding the other.
Even if you don't have a hyper-confidential secret, we can all learn from Signora's mistake and lack of knowledge. Texting is a risky venue for any piece of information you consider confidential - be it a secret, a credit card number, or confidential health information. As Signor Goat explains, there are simply too many copies created by the technologies that send SMS messages. And those copies typically aren’t encrypted or protected in any other way. This is one major reason text messaging can be a violation of HIPAA; if PHI is sent in a text across an unprotected network, the risk that the data can be inadvertently disclosed - or worse, breached - is very high. In the same way that Signor Goat asked Signora Goat to protect his secret, HIPAA asks our health care community to protect health information about patients. And, generally, text messaging health information does not appropriately protect that information.
Luckily, products like pMD’s HIPAA-compliant secure messaging provide an easy, convenient way to send messages that work and feel very similar to the text messaging that everyone knows and loves. But pMD secure messaging offers several other protections, like full end-to-end encryption, the ability to remotely wipe content if a device is lost or stolen, and the ability to delete messages from both the locally encrypted device and the encrypted server used by pMD to send the message. These tools help providers and practices address risks associated with sending private health information via a text message, thus reinforcing strategies to uphold their overall HIPAA compliance plan.