Texting (SMS) is a convenient way to communicate, but it is not inherently HIPAA compliant when handling Protected Health Information (PHI) in healthcare settings. This article explains why standard texting poses risks under the Health Insurance Portability and Accountability Act (HIPAA), outlines what is safe to text and what isn’t, and provides recommendations for secure communication alternatives.
Standard SMS texting does not meet HIPAA’s Privacy, Security, and Breach Notification Rules for protecting PHI. Here are the key reasons why:
- Standard SMS messages are not encrypted in transit. They travel over cellular networks and can be intercepted by third parties, violating HIPAA’s requirement to protect PHI during transmission.
- SMS messages are stored on the sender’s and recipient’s devices, often in unencrypted form. If a device is lost, stolen, or accessed by an unauthorized person, PHI can be exposed, leading to a HIPAA breach.
- SMS platforms lack robust access controls, such as role-based access or multi-factor authentication (MFA), making it difficult to ensure only authorized individuals can view PHI.
- Standard texting does not provide audit logs to track who accessed PHI, when, or how, which is a HIPAA requirement for monitoring and accountability.
- Texting increases the risk of sending PHI to the wrong recipient (e.g., due to a typo in the phone number), leading to unauthorized disclosure.
- Cellular carriers may store SMS messages on their servers, and these messages may not be encrypted or protected under a Business Associate Agreement (BAA), creating a compliance gap.
Texting can be used in healthcare settings, but you must avoid including PHI to stay compliant with HIPAA. Here’s a breakdown of what is safe and what isn’t:
Safe to text:
- General Reminders Without PHI: You can send appointment reminders or general notifications that do not include PHI. For example: “You have an appointment tomorrow at 10 AM with Dr. Smith.”
- Links to Secure Portals: You can send a link to a secure portal (e.g., a Microsoft Teams channel or patient portal) where PHI can be accessed securely. For example: “View your lab results here: [secure link].”
- Non-Sensitive Communication: Text messages about general office updates, such as “Our office will be closed tomorrow,” are safe as they do not involve PHI.
Not safe to text:
- Any Message Containing PHI: PHI includes any individually identifiable health information, such as patient names, medical record numbers, diagnoses, treatment details, or test results. For example, texting “John Doe’s lab results show high cholesterol, schedule a follow-up” is not HIPAA compliant.
- Messages with Sensitive Details: Avoid texting details like medication lists, appointment reasons (e.g., “Your chemotherapy session is at 2 PM”), or billing information tied to a patient’s identity.
- Group Texts with PHI: Never include PHI in group texts, as all recipients can see the message, increasing the risk of unauthorized disclosure.
Since standard texting is not HIPAA compliant for PHI, consider these alternatives and best practices:
- Instead of SMS, use Microsoft Teams’ chat feature for internal communication of PHI. Teams chat is encrypted, access-controlled, and logged, making it more secure than SMS when configured for HIPAA compliance (see our KB article on securing Microsoft 365 for HIPAA compliance).
- Reserve SMS for non-sensitive notifications, such as appointment reminders without PHI, or to send links to secure portals where patients can access PHI.
- If texting PHI is necessary, use a dedicated HIPAA-compliant texting platform that offers encryption, access controls, audit logs, and a BAA. VentureTel can help explore options for secure texting solutions.
- Train your staff to avoid texting PHI and to double-check recipient phone numbers to prevent misdirection. Ensure they understand the risks of standard SMS and the importance of using secure alternatives.
- If texting non-sensitive information (e.g., appointment reminders), obtain patient consent for SMS communication and inform them that standard SMS is not secure for PHI.
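As an added example (not code from this article or from VentureTel), the following Python outbound SMS gate turns the safe/unsafe rules and the best practices above into an enforceable check before a text leaves a practice’s system: messages are built from pre-approved templates whose fields hold only non-PHI values (or from staff free text that is screened for PHI indicators), patient-directed messages must go to exactly one recipient whose number matches the consented number on file, group sends are limited to templates with nothing patient-specific, and every decision is written to an audit log that deliberately omits the message body. The template names, the PHI patterns, the Patient fields and the sample data are assumptions for illustration, not part of any real product.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Union

# Pre-approved templates. Placeholders are limited to the kinds of fields the
# article treats as non-PHI (date/time, provider name, a secure-portal link).
# The template names are assumptions for this example.
TEMPLATES: Dict[str, str] = {
    "appointment_reminder": "You have an appointment {when} with {provider}.",
    "portal_link": "View your lab results here: {secure_link}",
    "office_notice": "Our office {notice}.",
}
# Templates that may go to many recipients because they carry nothing patient-specific.
BROADCAST_TEMPLATES = {"office_notice"}

# Markers of PHI in message text. These are constructed, illustrative heuristics;
# a real deployment would tune them to its own identifier formats and vocabulary.
PHI_PATTERNS = [
    re.compile(r"\bMRN[\s#:]*\d{4,}\b", re.I),                    # medical record numbers
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                          # SSN-shaped values
    re.compile(r"\b(diagnos\w*|chemotherapy|cholesterol|prescription|medication)\b", re.I),
]
E164 = re.compile(r"^\+[1-9]\d{7,14}$")  # international phone number format

@dataclass
class Patient:
    full_name: str
    phone_on_file: str   # the number the patient gave for SMS contact
    sms_consent: bool    # patient agreed to SMS and was told it is not secure for PHI

@dataclass
class Decision:
    allowed: bool
    message: str
    reasons: List[str] = field(default_factory=list)

# Audit entries record who was texted and why a message was blocked, never the body,
# so the log itself cannot become an unprotected copy of PHI.
AUDIT_LOG: List[dict] = []

def find_phi(text: str, patient: Optional[Patient] = None) -> List[str]:
    """Return the PHI indicators found in text (empty list if none)."""
    hits = [p.pattern for p in PHI_PATTERNS if p.search(text)]
    if patient is not None and patient.full_name.lower() in text.lower():
        hits.append("patient name")
    return hits

def gate_sms(to: Union[str, Iterable[str]], patient: Optional[Patient] = None,
             template: Optional[str] = None, fields: Optional[Dict[str, str]] = None,
             free_text: Optional[str] = None) -> Decision:
    """Decide whether an outbound SMS may be sent; every decision is audited."""
    reasons: List[str] = []
    recipients = [to] if isinstance(to, str) else list(to)
    bad = [r for r in recipients if not E164.match(r)]
    if bad:
        reasons.append(f"malformed recipient number(s): {bad}")

    # Build the message: either a template with its fields or screened free text.
    message = ""
    if template is not None:
        if template not in TEMPLATES:
            reasons.append(f"unknown template {template!r}")
        else:
            try:
                message = TEMPLATES[template].format(**(fields or {}))
            except KeyError as missing:
                reasons.append(f"template field {missing} not supplied")
    elif free_text is not None:
        message = free_text
    else:
        reasons.append("no message content")

    # Screen the rendered text, so PHI typed into a template field is caught as well.
    phi = find_phi(message, patient)
    if phi:
        reasons.append(f"PHI indicators in message: {phi}")

    # Patient-directed messages go to exactly one consented, verified number.
    if template not in BROADCAST_TEMPLATES:
        if len(recipients) != 1:
            reasons.append("patient-specific message addressed to multiple recipients")
        if patient is None:
            reasons.append("no patient record to verify the recipient against")
        else:
            if not patient.sms_consent:
                reasons.append("patient has not consented to SMS contact")
            if recipients != [patient.phone_on_file]:
                reasons.append("recipient does not match the number on file")

    decision = Decision(allowed=not reasons, message=message, reasons=reasons)
    AUDIT_LOG.append({"to": recipients, "allowed": decision.allowed, "reasons": list(reasons)})
    return decision

if __name__ == "__main__":
    # Constructed sample patient and messages for a stand-alone run.
    jane = Patient("Jane Roe", "+15555550123", sms_consent=True)
    print(gate_sms(jane.phone_on_file, jane, template="appointment_reminder",
                   fields={"when": "tomorrow at 10 AM", "provider": "Dr. Smith"}))
    print(gate_sms(jane.phone_on_file, jane,
                   free_text="Jane Roe's lab results show high cholesterol, schedule a follow-up"))
```

The pattern list is a safety net for the free-text path, not a substitute for the policy itself: the reliable control is that routine texts come only from templates whose fields cannot carry PHI, while the recipient and consent checks address the misdirection and consent points above. Screening the rendered message rather than the template catches PHI that staff paste into a template field, such as an appointment reason.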
Texting is not HIPAA compliant when it involves PHI due to the lack of encryption, access controls, and audit trails in standard SMS. To stay compliant, avoid texting PHI and use secure alternatives like Microsoft Teams chat for sensitive communication. By following the guidelines above, you can use texting safely for non-sensitive notifications while protecting patient data.