What is HIPAA Compliant Texting?

What is HIPAA Compliant Texting? HIPAAGuide.net

HIPAA compliant texting is when a covered entity or business associate – or a member of either’s workforce – sends a text message that includes Protected Health Information for a purpose permitted by the Privacy Rule in compliance with the applicable standards of the Security Rule.

When the Privacy and Security Rules were originally published, there were only three scenarios in which it was possible to send a text message in compliance with HIPAA.

  1. If a text message did not contain Protected Health Information (PHI).
  2. If a text message containing PHI had been requested by a patient.
  3. If a text message containing PHI had been authorized by a patient.

In all other circumstances, it was not possible to send text messages in compliance with HIPAA because text messaging software – at the time – lacked the controls required to comply with the applicable standards of the Security Rule (i.e., user authentication, data integrity, transmission security, etc.).

Over the past twenty years, technology has evolved to such an extent that there are a number of HIPAA compliant texting solutions that can be used to send text messages to colleagues, business partners, and patients. However, it is not only important that the texting solution is HIPAA compliant, but also that it is used in compliance with HIPAA.

HIPAA Compliant Texting Solutions

The issue with texting at the time the Privacy and Security Rules were published was that most mobile devices were only capable of SMS texting. SMS texting is insecure because messages are not encrypted and can be intercepted easily, there is no accountability for SMS texting, and there is no control over what happens to PHI once it has been received.

The early pioneers of HIPAA compliant texting solutions overcame these issues by encrypting messages and by adding audit trail and remote delete capabilities to their software. As the benefits of HIPAA compliant texting were realized, more vendors entered the market and existing vendors improved their solutions to stay competitive.


However, it is important to be aware that not all texting solutions are HIPAA compliant in all situations. For example, WhatsApp is not HIPAA compliant because it lacks audit controls, while Google Chat is only HIPAA compliant when it is used to send text messages to other members of an “Organizational Unit” covered by a Business Associate Addendum.

Texting in Compliance with HIPAA

With regard to texting in compliance with HIPAA, covered entities and business associates must develop policies to guide members of the workforce on when it is permitted to communicate PHI by text. HIPAA training should be provided on the policies in addition to security awareness training, and a sanctions policy enforced if workforce members violate the policies.

The training should include how to respond to a patient who requests confidential communications by text (§164.522(b)), the procedures for ensuring a HIPAA authorization to disclose PHI by text is valid (§164.508(b)), and how to ensure that all disclosures of PHI consist of the minimum necessary to achieve the purpose of the disclosure.

In some circumstances, it may also be necessary to reinforce training on what is considered PHI under HIPAA. Ensuring that all members of the workforce know what is PHI will help avoid scenarios in which PHI is disclosed inadvertently or in which authorizations are obtained unnecessarily to communicate patient data that does not qualify as PHI.

Further Information about HIPAA Compliant Texting

If you – as a covered entity or business associate – require further information about HIPAA compliant texting, it is recommended you speak with a HIPAA compliance expert rather than a software vendor. Some software vendors claim to be HIPAA compliant or HIPAA excepted when using their services could result in a HIPAA violation.

If you are a member of a covered entity’s or business associate’s workforce, and you are unsure about the guidelines for texting in compliance with HIPAA, it is safer not to use a HIPAA compliant texting solution until you have sought compliance advice from a supervisor or a member of your organization’s compliance team.

About Daniel Lopez
Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through HIPAAcoach.com or https://twitter.com/DanielLHIPAA