Text Therapy & App Security in Telehealth

Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker.

Licensed behavioral health practitioners must be mindful of HIPAA while interacting with or discussing identifiable clients/patients through texting. These risk management procedures related to text therapy may prove helpful:

If you have billed electronically as a healthcare practitioner, you are a “covered entity” in the eyes of HIPAA. You, therefore, are legally responsible to follow all the rules set by HIPAA when treating citizens of the U.S. through text therapy as well as any other digital means. If you are in a different country, your country is likely to have its own privacy and/or security laws. Be knowledgeable of and in compliance with all such laws.
When delivering healthcare through technology of any type, consider your legal and ethical requirements related to informed consent. Have a detailed discussion about privacy and security issues related to text therapy during your informed consent process. Review your informed consent document to make sure that your practices are adequately described and all cautions are carefully listed.

Consider investigating the practices of your texting service. Here are a few precautions to take and specific software packages to consider installing on your smartphone if you choose to use such devices in your work:

Be leery of text messages, system messages, or other events on your phone that you didn’t expect or initiate. Do not respond.
Do not leave your device in a public area where it can be stolen. Running to the restroom in a cafe when leaving your phone on the tabletop while you quickly run to the restroom in a cafe is an invitation for a passerby to take your device, along with all your client names, phone numbers, and text messages.
If a security breach occurs, remember your obligations under federal law.¹In the United States, you must contact all parties involved in writing.²
Install an additional firewall a program to detect malware, spam, and message blocking on your smartphone. These can be part of a text messaging package that you purchase for your mobile phone, tablet, laptop, or desktop if these technologies are used to access text messages.
Realize that even when you delete a message from your texting program, it may still reside on the SIM card or in the circuitry of the device.³
If ever your records for any particular client/patient are subpoenaed, any device used for text therapy with that client may be confiscated by the court. If it contains texts of others in your practice or your personal life, those records then will be visible to the court.
Some professionals using mobile devices for communication with patients purchase dedicated devices and lock them in a file cabinet when not in use, because, in essence, they contain patient-related information. State law often contains regulations that require clinicians to store patient files in locked cabinets when not in use. How far you want to carry these precautions is a discussion for you to have with your telehealth-knowledgeable attorney.
At the very least, the electronic exchange of any information that can compromise patient privacy should be encrypted by HIPAA-complaint software for storage on any device.

If you accept text messages or smartphone, iPad, or other website information containing patient identifiable information on your mobile device, the following steps are even more specific safeguards you can implement. These are particularly relevant to handling text messages securely so that they can be printed or saved for clinical records:

Use a service such as Mobile Spy⁴to record text messages from Windows Mobile and Symbian OS smartphones.
Tell patients that text messages can be forwarded to the therapist’s email address via applications, which may be used on IOS and Android devices.
Some smartphones, like iPhones or Android-based systems such as Samsung, allow the owner to buy applications that can take “screenshots” (pictures) of their text messages. The screenshot can then easily be sent to an email address as an attachment to be archived.

As we mentioned above, consider your own practices, as well as those of your text therapy service. If they send texts to you in any media that is not secure (such as your free Gmail or Yahoo account), the service is not secure, regardless of their claims. To be secure, every exchange with you must be in a closed, secure environment.

1 See TBHI’s training program entitled, Legal/Ethical Issues I: Rules, Regulations & Risk Management.
2 If you use your phone to store contact information, do you have a printed list of all your patient names, numbers, and street addresses?
3 Giving your device to a friend or family can be problematic if you have not secured your patient exchanges in a private and secure software package on that device.
4 See TBHI Buyer’s Guide for more options.

Offering Text Therapy?

Therapists are finding that clients are increasingly asking for text messaging in therapy. TBHI’s online training event entitled, “Text Messaging Therapy? 12 Risk Management Considerations to Keep You Out of Hot Water” will review basic risk management approaches to using text messaging as the basis for clinical care. It will outline 12 ways in which text therapy may expose you and your client or patient to undue risk including HIPAA-compliant text messaging, types of text messaging services, and ethical codes that relate to text messaging. It will also clarify considerations for accepting employment from online text therapy companies.