Risk Management Tools & Resources


Ensuring HIPAA Compliance in Text Messaging


Marcy A. Metzgar

Many healthcare providers and staff members find that text messaging provides quick access to the information they need to make healthcare decisions and is a convenient method for communicating with other providers and patients. Yet, healthcare providers and staff members need to be cognizant of HIPAA Privacy and Security Rules when using text messaging to avoid violating them.

Typical short message service (SMS) texting does not offer the security necessary for sending protected health information (PHI). As a result, patient privacy might be compromised if unauthorized individuals can view texted data. Additionally, multiple carriers might be involved in relaying and routing text messages, messages can remain on servers in unencrypted formats, and no guarantee exists that the intended person will receive and read the message.1 If unsecure texting results in HIPAA violations, costly penalties could ensue.

In some situations, standard text messaging may comply with HIPAA. For example, the HIPAA Journal explains that healthcare providers may send text messages to patients only if the content of the message does not include "personal identifiers" and the messages comply with the "minimum necessary standard."2 Healthcare providers also must warn patients about the risks of communicating personal information over an unencrypted channel.

To ensure HIPAA compliance in texting, healthcare organizations should use secure messaging systems and have policies and procedures in place that comply with the HIPAA Security Rule's administrative, physical, and technical safeguards. The technical safeguards are particularly relevant to the electronic transfer of PHI via texting. These safeguards address concerns such as access controls, audit controls, integrity control, methods for ID authentication, and transmission security mechanisms when PHI is being transmitted electronically.3

When evaluating potential messaging systems, healthcare organizations should seek technology that offers multi-level encryption (e.g., encryption of stored data, transmitted data, and data within the application). The technology also should be capable of operating on various devices, such as mobile phones running various operating systems, tablets, and desktop computers.4 Other features of a secure text messaging system to consider include:

  • Data storage on a secure private server with backup
  • A remote option for removing/disabling the application from a mobile device in the event that the device is lost or stolen
  • Automatic logout after a period of inactivity
  • The ability to function on various wireless frequencies and Wi-Fi to avoid hospital dead zones
  • The ability to track and confirm message delivery
  • The ability to set a maximum message data life (e.g., 30 days)5

Healthcare organizations also should consider the potential benefits of comprehensive messaging systems, rather than single-purpose systems. Comprehensive messaging systems should easily integrate with the organization's calendar, directory, customer relationship management system, single sign-on capabilities, and document-sharing service.6

Another consideration is selecting a messaging system that offers instant access to documents, images, and resources within conversations, so healthcare providers and staff don’t have to switch apps (or context) to access critical information.

Hospitals and other healthcare organizations also need to determine how text messaging activities should be incorporated into their health record documentation policies. HIPAA specifies that individuals have the right to view and amend PHI used to make clinical decisions about their care, which might include information sent via text messages. As such, organizations that allow text messaging should develop policies "requiring annotation of the medical record with any ePHI that is received via text and is used to make a decision about a patient."7

Additionally, hospitals and other healthcare facilities should check with payers and accrediting organizations to see whether they provide guidance or standards related to texting. For example, the Centers for Medicare & Medicaid Services (CMS) allows for texting of patient information among members of the healthcare team if a secure platform is used, but CMS prohibits texting of patient orders. Similarly, The Joint Commission does not allow text messaging to communicate patient orders.8


1 Is text messaging HIPAA compliant? (n.d.). HIPAA Journal. Retrieved from www.hipaajournal.com/is-text-messaging-hipaa-compliant/

2 Is texting in violation of HIPAA? (n.d.). HIPAA Journal. Retrieved from www.hipaajournal.com/texting-violation-hipaa/

3 Ibid.

4 Jansen, J. (2014). mHealth will drive physician demand for secure text messaging in 2014. HIT Consultant. Retrieved from http://hitconsultant.net/2014/01/08/mhealth-will-drive-physician-demand-for-secure-text-messaging-in-2014/

5 Ibid.

6 7 Advantages of HIPAA compliant texting apps. (n.d.). Zinc. Retrieved from http://content.zinc.it/Ebook_eBook-7-advantages-of-HIPAA-complaint-texting.pdf

7 Greene, A. H. (2012, April). HIPAA compliance for clinician texting. Journal of AHIMA, 83(4), 34-36.

8 Centers for Medicare & Medicaid Services. (2017, December 28). Memorandum: Texting of patient information among healthcare providers (Ref: S&C 18-10-ALL). Retrieved from www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-18-10.pdf; The Joint Commission. (2021, October 22 [updated]). FAQ: Can secure text messaging be used to communicate patient care orders? Retrieved from www.jointcommission.org/standards/standard-faqs/home-care/leadership-ld/000002173/
