What are the HIPAA Rules Regarding Text Messaging?

HIPAA Rules Regarding Text Messaging - HIPAAGuide.net

The HIPAA Rules regarding text messaging are that it is permissible for healthcare providers to send Protected Health Information by SMS text if a patient has initiated a communication by SMS text or exercised their right to request confidential communications by SMS text. In all other cases, it is important to understand when texting may be in violation of HIPAA.

Any confusion regarding texting being a violation of HIPAA comes from the complex language used in the Privacy and Security Rules. These rules do not refer to texting as such, but they do lay down certain requirements that apply to electronic communications in the healthcare sector.

For instance, it is okay to send messages by text provided that the content of the message does not contain “personal identifiers”. It is okay for a doctor to send text messages to a patient, provided that the messages adhere to the “minimum necessary standard”. It is also okay to send information by text message when mechanisms are implemented to comply with the technical safeguards of the HIPAA Security Rule.

HIPAA Security Rule Technical Safeguards

The HIPAA Security Rule technical safeguards are the most relevant to answering the question “When is texting in violation of HIPAA?”. This section of the HIPAA Security Rule refers to access controls, audit controls, integrity controls, methods for ID authentication, and transmission security mechanisms when PHI is being transmitted digitally. The requirements include:

  • Access to PHI must be restricted to authorized users who require the information to perform their work duties.
  • A system must be put in place to monitor the activity of authorized users when accessing PHI.
  • Those with authorization to access PHI must confirm their identities with a unique, centrally-issued username and PIN.
  • Policies and procedures must be established to stop PHI from being inappropriately changed or destroyed.
  • Data transmitted beyond an organization’s internal firewall must be encrypted to make it unusable if it is intercepted in transit.

Standard “Short Message Service” (SMS) and “Instant Messaging” (IM) text messages often fail to meet all of those requirements. Senders of SMS and IM text messages have no control over a message after it has been sent. Messages can easily be sent to an incorrect recipient, or forwarded on by the intended recipient to an individual who is not authorized to view the information. SMS and most IM platforms do not encrypt data, so messages can be intercepted in transit and read. Further, copies of SMS and IM messages may be kept on service providers’ servers indefinitely.

There is no message accountability with SMS and most IM text message services. It is therefore recommended never to use these communications platforms for sending PHI without a patient’s authorization. To send PHI via SMS or via an IM service that is not covered by a business associate agreement may be a violation of HIPAA.



How This Causes Problems for Healthcare Organizations

Texting in violation of HIPAA is a major issue for healthcare organizations. In recent years, an increasing number of medical professionals have come to rely on their personal mobile devices to support their workflows. Indeed, many healthcare organizations have been keen to put in place BYOD policies because of the speed and convenience of modern technology and due to the financial benefits that can be gained from allowing the use of personal devices in the workplace.

However, with approximately 80% of medical professionals now using personal mobile devices, there is a serious risk of PHI being accessed by or disclosed to unauthorized individuals. Most text messaging apps on mobile devices require no log-in or log-off credentials by default, so if a mobile device is lost, stolen, or left unattended there is a major risk that messages containing PHI that are stored on the device could be disclosed impermissibly.

Address Text Messaging Issues with a Secure HIPAA-Compliant Messaging Solution

Secure text messaging solutions resolve texting issues by containing PHI within a private communications network that can only be accessed by authorized users. Access is granted via secure messaging apps that function in the same manner as commercially available messaging apps, but with security mechanisms in place to stop an accidental or deliberate disclosure of PHI.

When using the app, authorized users enjoy the same speed and convenience as SMS or IM text messaging, but cannot send messages containing PHI outside of the communications network, copy and paste data outside the app, or save it to an external storage device. If the app is inactive for a set period, the user is automatically logged off.

All activity on the communications network is monitored and an audit trail is maintained. With these apps, in contrast to SMS and IM services, there is 100% message accountability. If a mobile device onto which the secure messaging app has been downloaded is lost or stolen, administrators can remotely wipe all content sent to or created on the app and PIN-lock it to stop further use.

With these apps healthcare professionals have the convenience of text messaging, without the risk of committing an accidental HIPAA compliance violation.

About Daniel Lopez
Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through HIPAAcoach.com or https://twitter.com/DanielLHIPAA