Is Text Messaging HIPAA Compliant?

Text messaging can be HIPAA compliant when a HIPAA Covered Entity or Business Associate uses an approved messaging method that supports the required safeguards for electronic protected health information, and when workforce members follow written policies and procedures for permitted uses and disclosures.

Text messaging creates compliance risk when protected health information is sent through standard SMS or consumer messaging apps that do not provide the administrative control, access restrictions, auditability, or encryption controls appropriate for protecting electronic protected health information under the HIPAA Security Rule. The devices used for messaging also introduce risk when they are shared, unsecured, lost, or configured to display message previews on lock screens.

HIPAA compliant messaging practices require a documented platform approval process, role-based access controls, unique user identification, secure authentication, and encryption, where implemented, for messages in transit and at rest. Logging and audit controls need to support monitoring and investigations. Workforce procedures need to address message retention, deletion controls where implemented, and restrictions on copying protected health information into unmanaged applications, screenshots, or personal accounts.

Policies should restrict text messaging content to the minimum protected health information needed for the communication, consistent with the HIPAA Minimum Necessary Rule. Policies should also define when text messaging is prohibited, including situations where identity cannot be verified, recipients cannot be confirmed, or clinical or billing communications require documentation in designated record systems.

Workforce members should report misdirected messages, suspected unauthorized access, and lost or compromised devices through the designated reporting channel. Incident response procedures should address containment, recipient notification steps where applicable, documentation, and evaluation under the HIPAA Breach Notification Rule when an impermissible disclosure of unsecured protected health information may have occurred.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA