Many healthcare providers prefer to use text messaging to communicate with each other and their patients on personal mobile devices because it’s quick, easy, and convenient. However, if text messaging contains a patient’s protected health information (PHI), the text message has to be compliant with the Health Insurance Portability and Accountability Act’s (HIPAA) rules and best practices to prevent identity theft and data breaches.

HIPAA rules provide regulations to help ensure the privacy and security of health data, including data in motion or transmission (such as texting). They also help prevent any breaches that could compromise sensitive patient information. According to the HIPAA Security Rule, a breach is an unauthorized individual’s acquisition, access, use, or disclosure of PHI.

One of the ways healthcare organizations can enforce HIPAA compliance through texting is by ensuring that all employees, affiliates, physicians, and third-party contractors and vendors know and apply HIPAA’s guidelines for establishing technical safeguards for protecting PHI. This is especially important for healthcare professionals who send and receive mobile phone texts.

Below are five HIPAA rules related to text messaging that will help you understand how to securely manage health information while reaping the benefits of a secure messaging solution.

HIPAA Rules Regarding Texting

1. Establish procedures and policies to manage who is authorized to access PHI when texting.

HIPAA requires that healthcare organizations and business associates safely manage who has the privilege and/or right to access, change, or distribute sensitive health data. Therefore, access to PHI should be limited to only the amount of information necessary to perform a job.

It is up to each covered entity to determine which access controls, software, and systems they use to manage authorized access to PHI related to text messaging software.

However, the HIPAA Security Rule requires the following safeguards to ensure HIPAA compliance:

Unique User IDs

PHI must be accessed by someone with a unique user identification name or number that can be tracked. This allows covered entities to hold authorized users accountable for their activity while logged into a system containing PHI. Secure text messaging programs require authorized users to use a unique ID to access, send, and receive any HIPAA-compliant text.

Emergency Access Procedures

In an emergency, covered entities must have operational workflows to access PHI. These should consider what kind of emergencies may require urgent access and who should be granted rights to access PHI in emergency scenarios.

Automatic Logoff

Any software containing or integrated with PHI, including a secure text messaging platform, must automatically log users off after a predetermined period of inactivity. This prevents unauthorized access to PHI through an unattended device whose messaging session is still open.

Messaging Encryption

Secure text messaging must be encrypted so that PHI is unreadable to anyone who has not been granted permission to access it, especially if a device is lost or stolen. When texting PHI to another user in the same organization from a mobile device or organizational computer, both the sender and the receiver must meet the encryption requirements for a PHI-containing message in transit and at rest.


2. Implement audit and reporting controls for HIPAA-compliant texting.

The HIPAA Security Rule requires that covered entities and their business associates implement comprehensive audit controls and reporting procedures to document and review activity involving PHI. This allows them to analyze, identify, and mitigate risks in the technical infrastructure and software security of PHI-related technology. The rule applies to any secure text messaging platform that sends messages or stores or manages protected health information on organizational or personal computers, including mobile devices. As with access controls, it is up to the covered entity to determine which audit controls are reasonable and appropriate to protect patient data while messaging.
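The following is an added example, not code from the article or from any particular messaging vendor. It shows, in one small Go program, three of the technical safeguards described under rules 1 and 2: every action is tied to a unique user ID, a session is automatically logged off once the inactivity timeout elapses, and every PHI access attempt is written to an audit trail whether it succeeds or not. The role names, the 15-minute timeout, the user and patient identifiers, and the sample record are all constructed for the demonstration; the clock is injected so that inactivity can be simulated without waiting.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role is a coarse "minimum necessary" control: only clinicians may read PHI.
// Role names are constructed for this example.
type Role string

const (
	RoleClinician Role = "clinician"
	RoleFrontDesk Role = "front-desk"
)

var (
	ErrNotLoggedIn    = errors.New("no active session for user")
	ErrSessionExpired = errors.New("session expired after inactivity; user logged off")
	ErrNotAuthorized  = errors.New("role not permitted to read PHI")
)

// Session binds activity to one unique user ID and records the last activity
// so that the automatic logoff rule can be enforced.
type Session struct {
	UserID   string
	Role     Role
	LastSeen time.Time
}

// AuditEvent is one entry in the audit trail (rule 2).
type AuditEvent struct {
	At      time.Time
	UserID  string
	Action  string
	Outcome string
}

// MessagingService holds active sessions and the audit trail. Now is an
// injectable clock so tests can move time forward deterministically.
type MessagingService struct {
	IdleTimeout time.Duration
	Now         func() time.Time
	sessions    map[string]*Session
	Audit       []AuditEvent
}

func NewMessagingService(idle time.Duration, now func() time.Time) *MessagingService {
	return &MessagingService{IdleTimeout: idle, Now: now, sessions: map[string]*Session{}}
}

func (s *MessagingService) record(userID, action, outcome string) {
	s.Audit = append(s.Audit, AuditEvent{At: s.Now(), UserID: userID, Action: action, Outcome: outcome})
}

// Login opens a session keyed by the unique user ID (rule 1).
func (s *MessagingService) Login(userID string, role Role) {
	s.sessions[userID] = &Session{UserID: userID, Role: role, LastSeen: s.Now()}
	s.record(userID, "login", "ok")
}

// touch validates the session and enforces automatic logoff: if more than
// IdleTimeout has passed since the last activity, the session is destroyed.
func (s *MessagingService) touch(userID string) (*Session, error) {
	sess, ok := s.sessions[userID]
	if !ok {
		return nil, ErrNotLoggedIn
	}
	if s.Now().Sub(sess.LastSeen) > s.IdleTimeout {
		delete(s.sessions, userID)
		s.record(userID, "auto-logoff", "idle timeout")
		return nil, ErrSessionExpired
	}
	sess.LastSeen = s.Now()
	return sess, nil
}

// ReadPHI returns a patient record only for an active, authorized session and
// logs every attempt, including denials, so reviewers can reconstruct activity.
func (s *MessagingService) ReadPHI(userID, patientID string) (string, error) {
	sess, err := s.touch(userID)
	if err != nil {
		s.record(userID, "read-phi:"+patientID, "denied: "+err.Error())
		return "", err
	}
	if sess.Role != RoleClinician {
		s.record(userID, "read-phi:"+patientID, "denied: role "+string(sess.Role))
		return "", ErrNotAuthorized
	}
	s.record(userID, "read-phi:"+patientID, "ok")
	// Constructed sample record standing in for a real PHI store.
	return "patient " + patientID + ": lab results ready", nil
}

// Demo: a clinician reads PHI, goes idle past the timeout, and is logged off
// automatically on the next attempt; the audit trail records all of it.
func main() {
	clock := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	svc := NewMessagingService(15*time.Minute, func() time.Time { return clock })

	svc.Login("dr-lee", RoleClinician)
	rec, err := svc.ReadPHI("dr-lee", "P-1001")
	fmt.Println(rec, err)

	clock = clock.Add(20 * time.Minute) // idle longer than the timeout
	_, err = svc.ReadPHI("dr-lee", "P-1001")
	fmt.Println("after idle:", err)

	for _, e := range svc.Audit {
		fmt.Printf("%s user=%s action=%s outcome=%s\n", e.At.Format(time.RFC3339), e.UserID, e.Action, e.Outcome)
	}
}
```

The point a reviewer should take from this is that the audit trail is written by the same code path that makes the access decision, so a denied read or an automatic logoff is recorded with the same fidelity as a successful one; an audit log that only captures successes cannot support the risk analysis the rule asks for.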


3. Ensure PHI is not improperly changed or destroyed during texting.

Maintaining the integrity of sensitive health information is essential, which is why HIPAA states that PHI must not be “altered or destroyed in an unauthorized manner.” If patient information is accidentally or intentionally changed by human error or an information system failure, the integrity of the data is compromised.

The HIPAA Security Rule requires covered entities to establish safeguards to ensure the integrity of PHI through security processes or functions. For example, regarding secure HIPAA-compliant texting, technical safeguards must be in place to verify that data integrity is not at risk of being compromised when distributed via secure messaging.


4. Provide proof of identity before sending and receiving messages.

All users who access PHI must authenticate their identity. A secure text messaging program can comply with this rule by requiring users to log in with something unique to them. A user is authenticated when the unique credentials match what is stored in the system. Methods of authentication in compliance with HIPAA may include:

  • Password or PIN
  • Smart card, key, or token
  • Biometric identifiers, such as a fingerprint, facial recognition, or voice pattern

Healthcare professionals who send and receive HIPAA-compliant text messages from their mobile devices must present credentials that authenticate them as who they say they are.


5. Guard against unauthorized access to PHI during transmission.

Finally, when it comes to HIPAA rules and secure messaging, it’s essential to establish privacy and security measures that prevent unauthorized access to PHI from any mobile device while it is being transmitted electronically.

For compliant secure texting, covered entities must meet the following two specifications:

Protect the integrity of PHI during transmission

In the words of the HIPAA Security Rule, covered entities must ensure that “the data that is sent is the same as the data received.” One way covered entities ensure data integrity during transmission is by establishing network communication protocols.

Encrypt PHI during transmission

Following HIPAA recommendations, covered entities should ensure PHI is encrypted when sent over the internet. Because secure texting relies on an internet connection to send and receive messages, HIPAA requires entities to use encryption and other reasonable safeguards to ensure data is encoded or unreadable to unauthorized users. It is up to each entity to determine how they use encryption by assessing the level of risk involved.
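The two transmission specifications under rule 5, together with the integrity requirement of rule 3, are commonly met with a single primitive: authenticated encryption. The following added example (not the article’s code and not tied to any particular messaging product) protects one text message with AES-256-GCM, so that the PHI is unreadable without the key and any alteration in transit, even a single flipped bit, is detected and the message rejected. The sender and recipient IDs are bound to the ciphertext as associated data, which means a captured message cannot be quietly re-addressed to a different recipient either. The key is generated at random for the demonstration; in a real platform it would come from the service’s key management, and the sender and recipient names and the message text are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrTampered is returned for any message whose authentication tag does not
// verify: a modified ciphertext, a changed header, a wrong key, or a bad nonce.
var ErrTampered = errors.New("message rejected: authentication tag mismatch")

// Envelope is what travels over the network. From and To are authenticated
// (covered by the GCM tag) but not encrypted, so routing still works.
type Envelope struct {
	From, To   string
	Nonce      []byte
	Ciphertext []byte // plaintext encrypted under the key, followed by the 16-byte tag
}

// NewKey returns a random 256-bit key. A real deployment would obtain the key
// from the messaging platform's key management rather than generate it here.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// associatedData binds the routing header to the ciphertext.
func associatedData(from, to string) []byte {
	return []byte(from + "|" + to)
}

// Seal encrypts the message for transmission with a fresh random nonce.
func Seal(key []byte, from, to, plaintext string) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), associatedData(from, to))
	return Envelope{From: from, To: to, Nonce: nonce, Ciphertext: ct}, nil
}

// Open verifies the tag over header and ciphertext before returning any
// plaintext, so the recipient never acts on altered data.
func Open(key []byte, env Envelope) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	// gcm.Open panics on a wrong-length nonce, so reject that case explicitly.
	if len(env.Nonce) != gcm.NonceSize() {
		return "", ErrTampered
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, associatedData(env.From, env.To))
	if err != nil {
		return "", ErrTampered
	}
	return string(pt), nil
}

// Demo: seal a constructed message, open it, then show that a tampered copy
// and a re-addressed copy are both rejected.
func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	env, err := Seal(key, "dr-lee", "nurse-kim", "Patient P-1001: potassium 5.9 mmol/L, recheck today")
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: from=%s to=%s ciphertext=%x\n", env.From, env.To, env.Ciphertext)

	msg, err := Open(key, env)
	fmt.Println("recipient reads:", msg, err)

	tampered := env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = Open(key, tampered)
	fmt.Println("tampered copy:", err)

	readdressed := env
	readdressed.To = "someone-else"
	_, err = Open(key, readdressed)
	fmt.Println("re-addressed copy:", err)
}
```

Two design choices matter for compliance reviews: the recipient verifies the tag before any plaintext is released, which is what gives the integrity guarantee that the data received is the data sent, and a fresh random nonce is used per message, since reusing a nonce under the same GCM key breaks both the confidentiality and the integrity guarantees.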

When communicating patient information via secure texting on personal mobile devices, following HIPAA guidelines is imperative to prevent security breaches. By complying with HIPAA rules, healthcare organizations and professionals can ensure the safety and security of their practice while offering patients the convenience of seamless communication with their providers.


Ready to securely connect with your patients using HIPAA-compliant texting? We can help.