
HIPAA compliant text messaging

The Health Insurance Portability and Accountability Act (HIPAA) sets regulations and standards to protect the privacy and security of patients' protected health information (PHI). Any communication involving PHI, including text messages, must adhere to HIPAA guidelines to prevent identity theft and data breaches. 


How does HIPAA apply to texting?

HIPAA regulations govern the transmission of PHI over any channel, including text messaging. The HIPAA security rule defines a breach as the unauthorized acquisition, access, use, or disclosure of PHI. To remain compliant, healthcare organizations must apply the technical safeguards HIPAA requires to every channel that carries PHI, and text messaging is one of those channels.

The challenge is that standard text messaging is typically not HIPAA compliant. While HIPAA does not explicitly prohibit texting PHI, it requires certain security measures to protect PHI during transmission and at rest. Additionally, controls must be in place to restrict access to PHI and ensure proper handling by authorized staff.

Read more: The guide to HIPAA compliant text messaging 

Limitations of standard text messaging

Standard text messaging poses several challenges when it comes to HIPAA compliance. Firstly, text messages are not encrypted, so anyone who intercepts them can read their contents. Unlike encrypted messaging services, standard texts lack the security measures needed to protect PHI from hackers or other unauthorized individuals.

Another limitation is the lack of access controls and audit trails in regular text messaging services. Without the ability to control who can read an SMS or to audit who accessed it, healthcare organizations cannot ensure the privacy and security of PHI sent via text messages.

Ensuring HIPAA compliance for text messaging

While standard text messaging is not HIPAA compliant, there are workarounds and solutions to achieve HIPAA compliant text messaging. However, these alternatives are rarely applied, and it is generally safer for healthcare organizations to avoid texting PHI altogether to prevent potential HIPAA violations and fines.

To ensure HIPAA compliance in text messaging, it's important to understand what information is considered PHI. Not all data transmitted via text messages is PHI. Healthcare organizations can transmit specific information via text messages as long as they have authorization from the patient and have warned the patient about the possibility of unauthorized disclosure. Both the authorization and the warning must be documented.

Read also: What is a HIPAA authorization form?

Solutions for HIPAA compliant text messaging

To achieve HIPAA compliant text messaging, healthcare organizations can explore solutions that meet the necessary security and privacy requirements. One such solution is using messaging apps specifically designed to be HIPAA compliant. These apps provide the necessary controls and encryption to support secure text messaging.

However, even when using HIPAA compliant messaging apps, healthcare organizations must still adhere to the physical, technical, and administrative safeguards outlined in the HIPAA security rule. These safeguards include implementing encryption, access controls, and the minimum necessary standard to ensure the privacy and security of PHI.

See also: HIPAA Compliant Email: The Definitive Guide

Can text messages be HIPAA compliant?

For any messaging provider to be HIPAA compliant, text messages that contain PHI must be encrypted at every stage: when they are sent, while they are in transit, and when they are received.


Can WhatsApp be HIPAA compliant?

Messaging services that hold a key capable of decrypting messages would need to sign a business associate agreement (BAA), since they have the means to access the data. However, WhatsApp does not divulge whether it has the means to decrypt messages. WhatsApp is not HIPAA compliant and cannot be used to transmit PHI.


What makes a phone HIPAA compliant?

Put simply, a phone system that's “HIPAA compliant” meets all the requirements that HIPAA lays out for safeguarding patient data, specifically the aptly named privacy and security rules, which together set the standards for protecting ePHI.