Many healthcare providers prefer to use text messaging to communicate with each other and their patients on personal mobile devices because it’s quick, easy, and convenient. However, if text messaging contains a patient’s protected health information (PHI), the text message has to be compliant with the Health Insurance Portability and Accountability Act’s (HIPAA) rules and best practices to prevent identity theft and data breaches. 

HIPAA rules provide regulations to help ensure the privacy and security of health data including data in motion or transmission (such as texting). They also help prevent any breaches that could compromise sensitive patient information. According to the HIPAA Security Rule, a breach is an acquisition, access, use, or disclosure of PHI by an unauthorized individual.

One of the ways healthcare organizations can enforce HIPAA compliance through texting is by ensuring that all employees, affiliates, physicians, and third-party contractors and vendors know and apply HIPAA’s guidelines for establishing technical safeguards for protecting PHI. This is especially important for healthcare professionals who are sending and receiving text messages on any mobile device.

Below are five HIPAA rules as they relate to text messaging; they will help you understand how to securely manage health information while reaping the benefits of a secure messaging solution.


HIPAA Rules Regarding Texting

1. Establish procedures and policies to manage who is authorized to access PHI when texting.

HIPAA requires that healthcare organizations and business associates safely manage who has the privilege and/or right to access, change, or distribute sensitive health data.  Access to PHI should be limited to only the amount of information necessary to perform a job. 

It is up to each covered entity to determine what kind of access controls, software, and systems they use to manage authorized access to PHI as it relates to text messaging software. However, the HIPAA Security Rule requires the following safeguards to ensure HIPAA compliance:

Unique User IDs: PHI must be accessed by someone with a unique user identification name or number that can be tracked. This allows covered entities to hold authorized users accountable for their activity while logged into a system containing PHI. Secure text messaging programs require authorized users to use a unique ID to access, send, and receive any HIPAA compliant text.

Emergency Access Procedures: In the event of an emergency, covered entities must have operational workflows to access PHI. These should take into consideration what kind of emergencies may require urgent access and who should be granted rights to access PHI in emergency scenarios.

Automatic Logoff: Any software containing or integrated with PHI, including a secure text messaging platform, must automatically log users off after a predetermined period of inactivity. This prevents an unauthorized person from reading PHI in text messages on someone else’s device that was left logged in.

Messaging Encryption: To prevent unauthorized access to PHI (or text messages), secure text messaging must be encrypted. This makes it unreadable by anyone who has not been granted permission to access it, especially if a device is stolen or lost. When securely texting PHI to another user in the same organization from a mobile device or organizational computer, both the sender and receiver must meet the encryption requirements for a PHI-containing message in transit and at rest.  


2. Implement audit and reporting controls for HIPAA compliant texting.

The HIPAA Security Rule requires that covered entities and their business associates implement comprehensive audit controls and reporting procedures to document and review activity related to the use of PHI. This allows them to analyze, identify, and mitigate any risks that may surface in the technical infrastructure and software security of PHI-related technology. The HIPAA rule applies to any secure text messaging platform that sends, stores, or manages messages containing protected health information on organizational or personal computers, including mobile devices. It is up to the covered entity to determine what audit controls are reasonable and appropriate to protect patient data while messaging.


3. Ensure PHI is not improperly changed or destroyed during texting.

Maintaining the integrity of sensitive health information is important, which is why HIPAA states that PHI must not be “altered or destroyed in an unauthorized manner”. If patient information is accidentally or intentionally changed by human error or an information system failure, the integrity of the data is compromised.

The HIPAA Security Rule requires covered entities to establish safeguards to ensure the integrity of PHI through security processes or functions. With regard to secure HIPAA compliant texting, there must be technical safeguards in place to verify that data integrity is not at risk of being compromised when it’s distributed via secure messaging.


4. Provide proof of identity before sending and receiving messages. 

In compliance with HIPAA, all users who access PHI must be able to prove that they are who they say they are by authenticating their identity. A secure text messaging program can comply with this rule by requiring users to log in with something unique to them. A user is authenticated when the unique credentials match what is stored in the system. Methods of authentication in compliance with HIPAA may include a:

  • Password or PIN
  • Smart card, key, or token
  • Biometric identifiers, such as a fingerprint, facial recognition, or voice pattern

Healthcare professionals who send and receive HIPAA compliant text messages from their mobile devices must use some form of credential to authenticate that they are who they say they are.


5. Guard against unauthorized access of PHI during transmission.

Finally, when it comes to HIPAA rules and secure messaging, it’s important to establish privacy and security measures that prevent unauthorized access to PHI from any mobile device while a text message is being transmitted electronically. For compliance when secure texting, covered entities must meet the following two specifications:

Protect the integrity of PHI during transmission. Similar to the HIPAA Security Rule for ensuring PHI is not altered or destroyed by unauthorized users while it’s being stored or accessed, covered entities must ensure “the data that is sent is the same as the data received”. One way covered entities ensure data integrity during transmission is by establishing network communication protocols.

Encrypt PHI during transmission. And, like the HIPAA recommendations for minimizing unauthorized access to stored PHI, covered entities should ensure PHI is encrypted when it’s being sent over the internet. Because secure texting relies on an internet connection to send and receive messages, HIPAA requires entities to use encryption and other reasonable safeguards to ensure data is encoded or unreadable to any unauthorized user. It is up to each entity to determine how they use encryption by assessing how and when PHI is transmitted via texting, as well as the level of risk involved.
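The safeguards from sections 1, 3 and 5 (a unique user ID on every action, automatic logoff after inactivity, an audit trail, and a check that the data received is the data sent) as a small added example; this is not code from the original article or from any secure messaging product. The shared key, inactivity limit, user IDs and message text are constructed assumptions, and the envelope only authenticates the message, so encryption for confidentiality would be layered on top of it.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

INACTIVITY_LIMIT_S = 300  # assumed policy value: auto-logoff after 5 minutes idle


@dataclass
class Session:
    user_id: str          # unique user ID so every action is attributable to one person
    last_activity: float  # seconds; supplied by the caller so the example is deterministic


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user_id, action, ok):
        """Audit control: who did what, and whether the safeguard check passed."""
        self.entries.append({"user": user_id, "action": action, "ok": ok})


def session_active(session, now):
    """Automatic logoff: a session idle longer than the limit may not read PHI."""
    return (now - session.last_activity) <= INACTIVITY_LIMIT_S


def seal(key, sender_id, body):
    """Build an envelope whose HMAC-SHA256 tag lets the receiver verify that the
    data received is the data that was sent. `key` is a constructed shared
    secret assumed to be provisioned out of band."""
    payload = json.dumps({"from": sender_id, "body": body}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def open_message(key, envelope, session, now, log):
    """Return the message dict, or None if the session timed out or the
    payload was altered in transit. Both outcomes are written to the audit log."""
    if not session_active(session, now):
        log.record(session.user_id, "read", False)
        return None  # logged off: the user must re-authenticate first
    expected = hmac.new(key, envelope["payload"].encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(expected, envelope["tag"])  # constant-time comparison
    log.record(session.user_id, "read", ok)
    if not ok:
        return None  # integrity violation: do not display altered PHI
    session.last_activity = now  # successful activity keeps the session alive
    return json.loads(envelope["payload"])
```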

When communicating patient information via secure texting on personal mobile devices, following HIPAA guidelines is imperative to prevent security breaches. By complying with HIPAA rules, healthcare organizations and professionals can ensure the safety and security of their practice, while offering patients the convenience of seamless communication with their providers.


Ready to securely connect with your patients using HIPAA-compliant texting? We can help.