What is HIPAA compliant texting?


The answer to the question “What is HIPAA compliant texting” is generally unclear. Although HIPAA does not specifically rule out sending Protected Health Information (PHI) by text, a system of administrative, physical and technical security measures has to be implemented to ensure the confidentiality and integrity of PHI when it is “in transit” – i.e. being sent between medical professionals or covered entities.

Traditional SMS text messages – the type of message usually sent from one mobile device to another – are not HIPAA compliant. This is because they lack encryption, there is no security control to prevent a text message being sent to an incorrect number, text messages are stored indefinitely on service providers' servers, and text messages sent in plain text can be read by anyone who gains access to them.

Additionally, mobile devices holding PHI are often lost or stolen – potentially exposing PHI to unauthorized access if data on the devices is accessed. Consequently, without taking proper precautions to ensure the confidentiality and integrity of PHI in transit, the only way a positive answer could be given to the question “is text messaging HIPAA compliant” is if the text message did not hold any PHI at all.

HIPAA Compliant Text Messaging

SMS messages are only one text messaging solution. There are now many text messaging solutions, including Facebook Messenger, Skype, and WhatsApp. In the case of the latter, all messages sent are encrypted, which meets certain HIPAA compliant messaging requirements, but not every one of them.

In the case of WhatsApp, messages are encrypted on the sender’s phone and remain encrypted until they are received by the receiver’s device. The messages are sent using a secure, encrypted tunnel, meeting HIPAA encryption requirements.

However, ePHI transmitted using WhatsApp is not stored in a safe manner and the access controls used are not in line with the standards required by HIPAA. For instance, if you were to lose your phone, unless other security measures have been applied to the device, an unauthorized person would be able to view your messages, and any ePHI in your WhatsApp account. HIPAA compliant messaging is not only about encrypting data in transit. There must be acceptable access controls, audit controls, and safe storage for messages containing ePHI.



Ensuring the Integrity of PHI in Transit

A solution to the HIPAA compliant text messaging issue is to establish a secure messaging system. Secure messaging works in a similar way to text messaging in that users can type a message, add an attachment and send it to a colleague. However, security mechanisms within the secure messaging solution provide the necessary safeguards to ensure the integrity of PHI on the move.

Messages are encrypted, they can only be sent to colleagues within a covered entity's communications network, the messages are archived on a separate, secure server, and administrative controls allow the remote retraction and deletion of messages if a mobile device is missing or stolen. Due to the ID authentication process, administrators can also PIN-lock apps loaded on a mobile device.

Other mechanisms exist to define message lifespans for communications sent using a secure messaging solution, while users are automatically logged out of their secure messaging apps after a period of inactivity to stop unauthorized access to PHI. All user activity is reviewed and logged to oversee how users are communicating PHI in text messages and to see that secure messaging policies are being complied with.
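The controls described in the two paragraphs above (recipients limited to the covered entity's network, message lifespans, automatic logoff after inactivity, and logging of all user activity) can be sketched as follows. This is an added example, not code from any secure messaging product; the class name, the 5-minute idle limit and the 24-hour lifespan are assumptions, and encryption in transit and at rest is outside its scope.

```python
from dataclasses import dataclass, field

IDLE_LIMIT = 300      # assumed: automatic logoff after 5 minutes of inactivity
MESSAGE_TTL = 86400   # assumed: message lifespan of 24 hours

@dataclass
class SecureMessenger:
    directory: set                                  # users inside the covered entity's network
    last_seen: dict = field(default_factory=dict)   # user -> time of last activity
    inbox: list = field(default_factory=list)       # (recipient, expires_at, body)
    audit: list = field(default_factory=list)       # (time, user, action, outcome)

    def _log(self, now, user, action, outcome):
        # The audit trail records who did what and when, never the message body.
        self.audit.append((now, user, action, outcome))
        return outcome

    def login(self, user, now):
        if user not in self.directory:
            return self._log(now, user, "login", "denied:unknown-user")
        self.last_seen[user] = now
        return self._log(now, user, "login", "ok")

    def _active(self, user, now):
        seen = self.last_seen.get(user)
        if seen is None or now - seen > IDLE_LIMIT:
            self.last_seen.pop(user, None)          # automatic logoff
            return False
        self.last_seen[user] = now
        return True

    def send(self, sender, recipient, body, now):
        if not self._active(sender, now):
            return self._log(now, sender, "send", "denied:session-expired")
        if recipient not in self.directory:         # blocks a mistyped or external recipient
            return self._log(now, sender, "send", "denied:external-recipient")
        self.inbox.append((recipient, now + MESSAGE_TTL, body))
        return self._log(now, sender, "send", "ok")

    def read(self, user, now):
        if not self._active(user, now):
            self._log(now, user, "read", "denied:session-expired")
            return []
        self.inbox = [m for m in self.inbox if m[1] > now]   # purge expired messages
        self._log(now, user, "read", "ok")
        return [body for rcpt, _, body in self.inbox if rcpt == user]
```

Times are passed in as plain seconds so the idle and lifespan rules can be exercised deterministically; denied attempts are logged as well as successful ones, which is what lets an administrator review policy compliance.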

The Advantage of HIPAA Compliant Text Messaging

Along with ensuring the integrity of PHI on the move, there are significant advantages associated with implementing a HIPAA compliant text messaging solution. The monitoring of user activity, plus features including delivery notifications and read receipts, allows message accountability. This also minimizes phone tag and quickens the communication cycle.

The ability to send and receive PHI “on the go” helps on-call doctors and community nurses, while in-house physicians can also receive lab reports, wound pictures and test results using secure messaging. A group messaging feature allows collaboration, and can be used to accelerate hospital admissions and patient discharges – saving time, increasing productivity and enhancing patient satisfaction.

Extra benefits can arise from the integration of a secure messaging solution with an EMR. The job of updating patient notes can be delegated among healthcare professionals, consultants can prioritize their workflows by arranging their EMR alerts and – according to a study completed in Philadelphia – “advanced EMRs” reduce medication errors (30%) and patient safety incidents (27%).

About Daniel Lopez
Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through HIPAAcoach.com or https://twitter.com/DanielLHIPAA