How to safely transmit PHI via text message

The transmission of PHI via text message does not need to be an inherently risky practice. By using HIPAA compliant messaging platforms, enforcing strong authentication measures, limiting PHI disclosures, and educating staff, healthcare organizations can ensure that PHI remains secure and compliant. The key is to understand the potential risks and adopt the right technology and protocols to safeguard patient privacy while enabling efficient communication.

Transmitting PHI via text

According to the HHS, “Texting patient information among members of the health care team is permissible if accomplished through a secure platform.” A secure platform must meet HIPAA’s privacy and security requirements.  

Best practices

• Use HIPAA compliant messaging platforms: Avoid standard SMS, as it is not secure and does not meet HIPAA requirements. Instead, opt for encrypted, HIPAA compliant text messaging services like Paubox Texting.
• Data encryption: Look for solutions that encrypt messages both when they are sent and when they are stored on the device.
• Authentication & access control: Require secure authentication (e.g., multi-factor authentication) for users to access the messaging service. Restrict access to PHI to only authorized individuals, and ensure that messages are only sent to recipients who are permitted to receive PHI.
• Message expiry and auto-delete features: Use messaging platforms that allow messages to automatically expire or be deleted after a certain period to reduce the risk of unauthorized access.
• Minimal disclosure: Limit PHI shared to the minimum necessary PHI that is required to achieve the intended purpose. Avoid sending sensitive details like Social Security numbers or financial information unless necessary. 
• Obtain consent: Obtain patient consent before sending PHI via text.
• Implement clear communication policies: Ensure that staff and patients understand when it is appropriate to send PHI via text and under what conditions.
• Audit and logging: Use a platform that provides audit trails and logging of all communications for accountability and compliance tracking. Regularly audit and review messaging logs to ensure compliance with HIPAA regulations.

Related: The guide to HIPAA compliant text messaging

FAQs

What are the risks of sending PHI via unsecured text messaging?

Sending PHI via unsecured SMS text messages exposes it to a variety of risks, including:

• Data interception: Without encryption, messages can be intercepted during transmission.
• Unauthorized access: If SMS messages are stored unencrypted on devices, it can be accessed by anyone with access to the phone.
• Compliance violations: Using unsecured text messaging for PHI is a violation of HIPAA, potentially resulting in fines, penalties, and reputational damage.

What happens if PHI is sent via an unsecured text message?

Sending PHI via unsecured text messaging can lead to data breaches, non-compliance with HIPAA, and possible financial penalties for the organization. A breach can result in reputational damage and loss of patient trust. Organizations should implement secure communication protocols to avoid these risks

What are the benefits of using secure text messaging for PHI?

Using secure text messaging platforms provides several benefits:

• Improved communication efficiency: Enables real-time communication between healthcare team members.
• Enhanced patient care: Facilitates quicker responses and decision-making in patient care.
• Compliance assurance: Helps healthcare organizations comply with HIPAA and avoid penalties.
• Patient trust: Ensures that patient data is protected, fostering trust in the healthcare system.