HIPAA Compliant Text Messaging: How Does HIPAA Apply to Texting?

Research shows that 63% of individuals prefer to do business with companies that offer SMS as a form of contact over those that don’t (1). 

Communicating via texting with patients and employees appears to be a quick and easy method. Various healthcare organizations are evaluating whether to increase their text message approach considering its rising popularity. However, healthcare organizations are hesitant to adopt SMS because of one concern: Health Insurance Portability and Accountability Act (HIPAA) compliance. 

Although texting appears straightforward and safe, for healthcare organizations, texting needs to meet certain criteria to be properly safeguarded. In other words, text messaging needs to be HIPAA-compliant. Let’s find out how HIPAA applies to text. 

How Does HIPAA Apply to Texting? 

Many healthcare professionals prefer texting because it’s quick and easy. This method allows them to communicate efficiently with their co-workers and their patients via cell phones. 

However, to safeguard against identity theft and data breaches, text messages that involve a patient's protected health information (PHI) must adhere to HIPAA standards and guidelines. 

To protect the privacy and security of PHI, HIPAA laws provide regulations for data being transmitted, including text messaging. They assist in preventing any breaches that could disclose patient PHI. A breach is defined by the HIPAA Security Rule as the acquisition, access, use, or disclosure of PHI by an unauthorized individual (2).

Ensuring all staff, affiliates, doctors, and outside contractors and vendors adhere to HIPAA's regulations for creating technical safeguards helps healthcare organizations enforce HIPAA compliance for texting. This is crucial for healthcare workers who send and receive text messages on their phones.

Are Text Messages HIPAA Compliant? 

Many healthcare organizations and employees may be unsure if HIPAA-compliant text messages are possible. However, regarding HIPAA’s data access regulations, SMS falls short of the legal requirements.

Unfortunately, text messaging is typically not HIPAA compliant. However, workarounds are possible to make texting HIPAA compliant, but they are unlikely. This means it is safer for Covered Entities to avoid texting PHI than to risk facing a fine for HIPAA violations (3).

Even though HIPAA does not explicitly prohibit texting PHI, HIPAA compliance requires that certain security measures be taken to protect PHI while it is in transit and at rest. Controls must also be in place regarding who has access to PHI and how authorized staff handles PHI.

Consequently, while you can determine the phone number that receives an SMS, you have no control over who reads it. Text messages sent to a patient's phone run the risk of being seen by anyone who can unlock the phone (3).

This absence of access controls is made more difficult because data audits can't be performed on regular text messaging services. Due to their ability to identify security flaws and data breaches, these audits are crucial to HIPAA compliance.

Since you can’t control or run a data audit on who reads an SMS, your messages containing PHI could be compromised without your knowledge. Setting up safeguards is crucial, so this can’t happen, but standard texts can make adding safeguards impossible. 

Another HIPAA standard is to encrypt medical data. Encrypting data prevents hackers from accessing private data. However, standard text messages aren’t encrypted, and it’s incredibly challenging to encrypt a text message using a standard service (3). 

Using a standard text messaging service to communicate patient data is not HIPAA compliant, and doing so could lead to significant legal issues for a healthcare organization. Not all data is, however, regarded as PHI. You can transmit specific information via text message; you need to know what is and is not HIPAA-compliant.

When Is Text Messaging HIPAA Compliant?

Most text messages are not HIPAA compliant. This may be because texting (3): 

  • Is not encrypted 
  • Cannot be recalled if sent to the incorrect recipient 
  • Can be intercepted on public Wi-Fi networks 

There are methods to fix these text messaging problems, but they are rarely applied.

Additional problems occur due to text messages (3): 

  • Being unaccountable
  • Copies remaining on the servers of service providers indefinitely 

To solve these problems, refrain from including any type of PHI in text messages. 

Although using SMS to share Protected Health Information (PHI) is not explicitly prohibited under the HIPAA standards for SMS, they do specify that certain requirements must be met beforehand.

HIPAA permits Covered Entities to text patients with health information if they have authorization from the patient to communicate via SMS. Additionally, covered entities must also warn patients of the possibility of unauthorized disclosure. Documentation is required for both the authorization and the warning (4).

Another more complex scenario in which texting is HIPAA compliant includes employers who offer onsite clinics as an employee health benefit, who offer self-insured health plans for employees, or who act as an intermediary between staff, healthcare providers, and health plans (5). 

After a natural disaster like an earthquake or hurricane, the US Department of Health and Human Services (HHS) may also decide to exempt the HIPAA text messaging policy. In some situations, some, but not all, regulations regarding texting patient data may be waived. The waiver may only be in effect for a predetermined time or be restricted to specific Covered Entities, such as healthcare providers, in a specific location (4). 

Lastly, HIPAA-compliant text messages may be possible when the Covered Entity has put in place a solution, such as a messaging app that is HIPAA compliant and includes the controls and encryption required to support HIPAA text messages. Even while using these apps, it is still important to follow HIPAA Security Rule's physical, technical, and administrative safeguards and the Minimum Necessary Standard (6). 

Following HIPAA's text messaging policy is crucial to avoid security breaches when sending text messages to patients. Healthcare organizations and staff can guarantee the security and safety of their organization and patients when communicating by adhering to HIPAA regulations. 

For more information on how to stay HIPAA compliant, sign up for one of our HIPAA courses or head to the US Department of Health and Human Services (HHS) website.