HIPAA Regulations for SMS

Almost all SMS messaging platforms are not HIPAA compliant. No HIPAA rule specifically forbids using a “Short Message Service” to share Protected Health Information (PHI); nevertheless, HIPAA does state that particular conditions must be in place before SMS is used to share PHI.

Most SMS messages are not encrypted, can’t be recalled when delivered to the incorrect recipient, and may be intercepted when using public or open Wi-Fi networks. Though systems are available to fix these issues with SMS messages, they’re seldom utilized.

Further issues arise because SMS messages are unaccountable and because copies are kept on the servers of SMS providers indefinitely. The only solution to these concerns is not to include any PHI in messages sent via SMS. Notably, the HIPAA rules for SMS likewise apply to Instant Messaging services like iMessage and WhatsApp, and to email messages too.

What HIPAA Says Regarding SMS, IM and Email

Most of the HIPAA rules for SMS, IM and email are found in the technical safeguards of the HIPAA Security Rule. These safeguards require the use of access controls, integrity controls, audit controls, identity authentication, and transmission security to prevent unauthorized access to PHI. The following security measures are required:

  • Each authorized user should have an assigned, unique username and PIN used to send and receive PHI. This is so all messages containing PHI can be checked and recorded.
  • Any system used to send PHI needs an automatic logoff feature. This measure is needed to avoid unauthorized access to PHI in case a desktop computer or portable device is left unattended.
  • PHI has to be encrypted during transmission as a safety precaution in case a message is intercepted on a public Wi-Fi network. Encrypted messages are “unreadable, undecipherable and unusable”.

The three security measures mentioned above make it hard for HIPAA covered entities to adhere to the HIPAA regulations for SMS, IM and email. It isn’t hard to use a channel of communication that requires users to sign in; keeping track of all their online activity and making sure they sign off when they’re done is trickier.

The matter of encryption is likewise tricky. The encryption used to safely share PHI between healthcare providers, physicians, Business Associates and other covered entities must work across several operating systems and devices, and have a conventional decryption key. Because of this, an exemption was made for the digital communication of PHI between doctors and their patients.



Mastering the HIPAA Rules for SMS, IM and Email

The HIPAA rules for SMS, IM and email are incredibly complicated. The rules that apply to covered entities may differ according to their size, the type of service they offer and the quantity of PHI they pass on. But to simplify the matter of HIPAA regulations for SMS, IM and email, just remember: secure messaging.

Secure messaging works similarly to SMS or IM. Secure messaging applications enable you to send and receive encrypted text messages, share graphics and facilitate group conversations. The applications work on all operating systems and devices, but only when a user has an approved ID with a centrally-supplied username and PIN.

Safety measures are set up not just to avoid unauthorized PHI access on an unattended desktop computer or mobile device, but also to prevent PHI from being copied, saved to an external storage device, or delivered to a third party outside the organization's circle of approved users.

All activities on the system are checked, and more security measures besides automatic logoff are available to safeguard the integrity of PHI. For instance, if a user's mobile device is lost or stolen, administrators can remotely delete any message that contains PHI and lock the secure messaging application.

The Advantages of Secure Messaging

Healthcare organizations enjoy certain benefits if they comply with the HIPAA regulations for SMS, IM and email. These are just a few:

  • It allows sending and receiving PHI “on the go.”
  • It is easier for doctors and community nurses to communicate with each other.
  • With the group messaging feature, communication can be fast-tracked.
  • Processing hospital admissions and patient discharges won’t take as much time as before.
  • Integration with the EMR allows patients’ notes to be updated.
  • There are 27% fewer patient privacy safety issues and 30% fewer medication errors, according to a study by the Tepper School of Business at Carnegie Mellon University.
About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/