Risk Management Tools & Resources


Ensuring HIPAA Compliance in Text Messaging

Marcy A. Metzgar

The use of mobile phones and other wireless technology in patient care — termed “mHealth” — is a significant trend in the healthcare industry. Older technology, such as pagers, is slow compared to devices today; thus, many healthcare providers and staff members find that text messaging provides quick access to the information they need to make healthcare decisions.

Yet, healthcare providers and staff need to be cognizant of privacy and security concerns when using text messaging. Typical short message service (SMS) texting does not offer the security necessary for sending protected health information (PHI). As a result, patient privacy might be compromised if unauthorized individuals can view texted data.

Additionally, multiple carriers might be involved in relaying and routing text messages, messages can remain on servers in unencrypted formats, and no guarantee exists that the intended person will receive and read the message.1 If unsecure texting results in HIPAA violations, costly penalties could ensue.

Healthcare organizations that permit the use of mobile devices for texting health information (whether the devices are organization owned or personally owned) should implement policies to ensure that PHI sent via mobile networks complies with HIPAA regulations.

An initial consideration for healthcare organizations is determining how text messaging activities should be incorporated into health record documentation policies. HIPAA specifies that individuals have the right to view and amend PHI used to make clinical decisions about their care, which might include information sent via text messages. As such, organizations that allow text messaging should develop policies “requiring annotation of the medical record with any ePHI that is received via text and is used to make a decision about a patient.”2

Security of PHI is a top concern for healthcare organizations and providers. Although HIPAA does not specifically prohibit communicating PHI through text messaging, a system of administrative, physical, and technical safeguards must be in place to ensure the integrity of the PHI “in transit.”3 Therefore, to ensure HIPAA compliance in texting, healthcare organizations must use secure messaging systems.

Additionally, hospitals and other healthcare facilities should check with their accrediting organizations to see whether they provide guidance or standards related to texting. For example, The Joint Commission requires that healthcare employees send text messages through a secured messaging platform that includes a secure sign-on process, encrypted messaging, delivery and read receipts, date and time stamps, customized message retention timeframes, and a specified contact list for individuals authorized to receive and record orders.4

When evaluating potential messaging systems, look for technology that offers multi-level encryption (e.g., encryption of stored data, transmitted data, and data within the application). The technology also should be capable of operating on various devices, such as mobile phones running various operating systems, tablets, and desktop computers.5 Other features of a secure text messaging system to consider include:

  • Data storage on a secure private server with backup
  • A remote option for removing/disabling the application from a mobile device in the event that the device is lost or stolen
  • Automatic logout after a period of inactivity
  • The ability to function on various wireless frequencies and Wi-Fi to avoid hospital dead zones
  • The ability to track and confirm message delivery
  • The ability to set a maximum message data life (e.g., 30 days)6

Healthcare organizations also should consider the potential benefits of comprehensive messaging systems, rather than single-purpose systems. A comprehensive messaging system should easily integrate with the organization’s calendar, directory, customer relationship management system, single sign-on capabilities, and document-sharing service.7

A final consideration is selecting a messaging system that offers instant access to documents, images, and resources within conversations, so healthcare providers and staff don’t have to switch apps (or context) to access critical information.

1 Is text messaging HIPAA compliant? HIPAA Journal. Retrieved from www.hipaajournal.com/is-text-messaging-hipaa-compliant/

2 Greene, A. H. (2012, April). HIPAA compliance for clinician texting. Journal of AHIMA, 83(4), 34-36.

3 Is text messaging HIPAA compliant? HIPAA Journal.

4 McGee, M. K. (2016). Joint Commission delays lifting secure text messaging ban. InfoRiskToday. Retrieved from www.inforisktoday.com/joint-commission-delays-lifting-secure-text-messaging-ban-a-9275

5 Jansen, J. (2014). mHealth will drive physician demand for secure text messaging in 2014. Retrieved from http://hitconsultant.net/2014/01/08/mhealth-will-drive-physician-demand-for-secure-text-messaging-in-2014/

6 Ibid.

7 7 Advantages of HIPAA compliant texting apps. Zinc. Retrieved from http://content.zinc.it/Ebook_eBook-7-advantages-of-HIPAA-complaint-texting.pdf
