Is SMSGlobal HIPAA compliant? (Update 2024)

SMSGlobal is a platform that enables companies to deliver mass text messages to customers. Many healthcare organizations use texting platforms to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with platforms that are HIPAA compliant.

In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. SMSGlobal still does not mention a BAA on its website and may not be HIPAA compliant.

What is SMSGlobal?

SMSGlobal, an Australian-based organization, is used to create, send, and analyze mass texting campaigns. Short message service (SMS) or text marketing is integral to communication. The key features of SMSGlobal’s platform include bulk SMS, two-factor authentication, a dedicated number, multiple plugins, and the WhatsApp API.

In the healthcare sector, text messaging can serve various purposes, like communication with patients, sharing patient information among healthcare providers, or assisting in discussing treatment plans. The SMSGlobal platform includes a control center for SMS marketing where users can create, send, respond, promote, and report on messaging campaigns.

LEARN ABOUT: How HIPAA compliant texting improves patient outcomes

Is SMSGlobal considered a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

• Permitted uses and disclosures of PHI
• Safeguards for protecting PHI
• Reporting and mitigation of security incidents
• Compliance with HIPAA regulations
• Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to SMSGlobal and its ability to be HIPAA compliant. SMSGlobal is a business associate of a healthcare organization if it transmits any PHI, like a name or email address, through a text message.

SMSGlobal and the BAA

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. In a 2020 blog, we stated that SMSGlobal would not sign a BAA. At that time, we contacted SMSGlobal, and two representatives told us that opening to HIPAA compliant services could lead to major fines. Therefore, they would not sign a BAA.

There is still no mention of a BAA or HIPAA on the company’s website.

RELATED: How to know if you're a business associate

SMSGlobal, text messaging, and data security

Text messaging can be a great way to communicate individually and collectively. In 2023, we created a HIPAA compliant guide to text messaging to update our ultimate guide from 2021. While HIPAA doesn't explicitly mention texting technology, it does impose rules for protecting sensitive patient data. Many texting tools are available, but not all meet HIPAA requirements of encryption, data backup, and access controls.

According to SMSGlobal’s privacy policy, it takes active steps to protect personally identifiable information (PII) against “loss, unauthorised access, use, modification or disclosure, and against any other misuse.” All data is processed and stored on their servers with security standards that meet Australian requirements.

There is no mention of what happens to end user data but considering it can be analyzed by customers, there must be a way to store and access it.

TAKE A LOOK: How to collect patient feedback via text message

Is SMSGlobal HIPAA compliant?

The BAA is a necessary component of HIPAA compliance and SMSGlobal still does not offer a BAA to its customers or mention the agreement on its website.

Conclusion: SMSGlobal may not be HIPAA compliant.

Understanding HIPAA compliance

Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:

• Technical safeguards: Mitigate risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Such tools as perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital for extra protection.
• Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
• Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
• Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.