Sending short message service (SMS) messages, or text messages, is a convenient communication tool for covered entities. Employees can both communicate with each other and get in touch with their patients. Text messages can do many tasks like send appointment reminders and in general improve the patient experience. Text messages may contain electronic protected health information ( ePHI ), which means they are subject to HIPAA security rules. This means that a text messaging software company is considered a business associate . To stay compliant with the HIPAA Privacy Rule , a covered entity and a business associate must sign a business associate agreement ( BAA ) . This agreement ensures that a business associate will do its part to protect sensitive information. Some texting tools can be HIPAA compliant. Your healthcare organization needs to be aware of these options and do the research to choose a texting tool that complies with HIPAA. Otherwise, you risk receiving fines and other corrective action for HIPAA violations .
Best practices for texting tools
There are many factors to consider when choosing a texting tool. Here are a few best practices to think about when choosing a texting tool that meets HIPAA guidelines:
- Choose a provider will sign a BAA
- Text messages that contain ePHI need encryption both in transit and at rest
- Unauthorized employees shouldn't have access to text messages with ePHI
- Obtain and document authorization from the patient to use text messaging
- Make all devices secure, including BYOD
- Implement two-factor authentication
- Use a secure WiFi network
Let's review whether or not the popular texting tools below are capable of being HIPAA compliant.
AvochatoAvochato allows healthcare providers to communicate with their patients. It also allows internal teams to keep patient communication organized. However, the company isn't HIPAA compliant because it relies on other cloud platforms and telecommunication providers to operate. These cloud platforms and telecommunications providers aren't necessarily HIPAA compliant.
EZTextingEZTexting allows businesses to mass communicate with their clients. The SMS marketing software is not HIPAA compliant though. EZTexting won't sign a BAA, so a covered entity faces fines if it uses this software.
iMessageApple iMessage may be popular, but it's not HIPAA compliant . Many issues are preventing covered entities from using iMessage. Some of these problems include no BAA, and iCloud may not be properly encrypted to store messages.
SMS GlobalSMS Global is used to create, send, and analyze mass texting campaigns. While it has a robust SMS messaging system, it's not HIPAA compliant . The company won't sign a BAA because it doesn't follow HIPAA security guidelines.
TatangoTatango is popular software that can send mass text messages for marketing purposes. While convenient for some businesses, Tatango is not HIPAA compliant . The company isn't willing to sign a BAA, and it's not transparent about its data encryption policies.
ZipwhipZipwhip has software that allows businesses to communicate with clients from their desktop, web browser, or mobile device. Unfortunately, Zipwhip isn't HIPAA compliant . The company isn't transparent about if it is willing to participate in a BAA, and it may be lacking the appropriate HIPAA safety features.
MosioMosio offers many tools to help a healthcare provider operate, including sending appointment reminders via automated messages. Mosio can be HIPAA compliant , but it's on a case-by-case basis. Mosio reviews your request for a BAA and could potentially turn it down. If Mosio does accept, it could be a HIPAA compliant option for you.
QliqSOFTQliqSOFT is a smartphone app that offers secure messaging for healthcare providers. Even though QliqSOFT claims it doesn't have access to PHI because it doesn't store messages on its server, the company is still willing to sign a BAA. It also has key security features like end-to-end encryption and an encrypted archival unit. QliqSOFT can be HIPAA compliant.
Spok MobileSpok Mobile is a clinical communications platform that helps staff members communicate with each other. Staff can send text messages, images, and video data securely. Spok Mobile can be HIPAA compliant because it's willing to sign a BAA and encrypts sensitive data.
TigerConnectTigerConnect is an online communications company that is best known for its instant messaging app. A healthcare provider can easily use TigerConnect to communicate between hospital staff and patients. TigerConnect can be HIPAA compliant since it will sign a BAA, and it also has appropriate safeguards to protect PHI.
Twilio has many communication features that healthcare providers want, including texting, video calls, and voice calls.
Twilio can be HIPAA compliant , but you need to sign up for the enterprise edition. It's also important to note that only some features can be HIPAA compliant such as Programmable SMS, Programmable Video, Programmable Voice and SIP, and Runtime Tools.
Which texting tools are HIPAA compliant?
There are a lot of texting tools available, even if you need a HIPAA compliant partner. Some of the companies covered entities might consider include:
- Spok Mobile
All of these companies are willing to sign a BAA and ensure that they meet HIPAA security rules to protect PHI. You should do your own research to determine which texting tool will match the needs of your healthcare business best.