Better clinical communications

Is texting HIPAA compliant?

Is texting HIPAA compliant? Let’s get this out of the way. Text messaging (SMS) is not HIPAA compliant. Not even a little bit.

Text messaging is not HIPAA compliant because it lacks encryption, meaning messages are vulnerable to interception during transit. What’s more, because in the vast majority of cases text messages are stored on a device’s internal storage, it makes them easy to access if a device winds up lost or stolen.

There is a misunderstanding surrounding text messaging and HIPAA compliance which stems from the complex language used within the Privacy and Security Rules. While neither of these rules specifically mention text messaging per se, they do outline certain conditions pertaining to electronic communication within healthcare, stating that a system of administrative, physical, and technical safeguards must be in place to ensure the confidentiality and integrity of protected health information (PHI) when it is in transit and at rest.

Given the fact text messaging cannot provide such safeguards, it makes text messaging an incredibly risky means of communication, particularly when exchanging PHI.

Text messaging in healthcare: understanding the risks

In recent years, a rising number of healthcare organizations have implemented BYOD (bring your own device) policies due to the speed, convenience, and cost saving benefits of mobile technology. As a result, more and more medical professionals have come to rely on their personal mobile devices to streamline their workflows.

With this influx of personal mobile devices infiltrating clinical communications, there is a considerable risk of sensitive data falling into the wrong hands. Any organization which permits even a single breach of texting PHI could face fines of up to $50,000 per vulnerability, per day that the breach goes uncorrected. To make this matter worse, that same organization could face significant fines from the affected patient, a cost which could be devastating a small or medium sized practice.

Besides text messaging, apps offering instant messaging such as Facebook Messenger, WhatsApp, and Skype are becoming increasingly popular. But these are still not risk free options for healthcare professionals.

Take WhatsApp, for example. While messages sent within the app are securely encrypted from sender to receiver – satisfying part of HIPAA’s encryption requirements – the fact that WhatsApp does not offer any secure storage, nor secure access controls to use the app, makes it a risky option when exchanging ePHI. If a device is misplaced, any unauthorized individual would be able to access the messages within the app, including any ePHI held within the WhatsApp account. Additionally, the app lacks an audit trail, making it impossible to know if and when a sent message has been received or read by the intended recipient(s).

To avoid fines and other ramifications, text messaging and other instant messaging apps should be addressed under the HIPAA security rule as part of an organization’s risk analysis and management strategy.

In a bid to overcome these challenges, healthcare organizations should consider implementing a HIPAA-secure mobile messaging system, such as DocbookMD. Designed for healthcare from the ground up, DocbookMD provides all of the necessary safeguards to ensure the integrity of PHI throughout its entire lifecycle, while offering users the ease and familiarity of a mobile messaging app. For more information visit .