California HIPAA training for small businesses

Is Texting Allowed by HIPAA?

Guest author Roman Diaz, Touchstone Compliance, April 2015

The answer to that question is more complicated than a simple yes or no. "It depends," says it best.

The reason lies in the law itself. The lawmakers who crafted the HIPAA legislation went to great lengths, it seems to me, to make the mandate non-prescriptive. HIPAA compliance doesn't expressly require the use or avoidance of any specific modes of communication. In fact, the law doesn't even mention texting PHI!

What HIPAA does say is that with any means of communication, appropriate safeguards must be in place to ensure the privacy and security of Protected Health Information (PHI). Whether or not texting is OK as a way to communicate PHI depends, then, on the adequacy of the safeguards used.

That's where this gets tricky.

The Joint Commission on Accreditation of Healthcare Organizations weighed in

HIPAA's guidelines for secure communication of ePHI include:

  • Unique user IDs
  • A method to authenticate those user IDs
  • A secure way of transferring and storing the confidential messages


    The Joint Commission took a look at the use of traditional SMS (short message service) and came to the conclusion that standard consumer-based systems fail to adhere to HIPAA's guidelines. So it advised physicians, practitioners and hospitals, "Don't do it. Avoid texting PHI."

    But that's not the end of the story.

    HIPAA requires "...appropriate sanctions against workforce members who fail to comply with the security policies and procedures

    Secure text-messaging solutions

    For healthcare providers, texting PHI offers many advantages. It's fast and direct, and it simplifies the traditional pager and callback methods that healthcare providers have used for years. Texting allows for shorter response times and quicker interventions, and can even lead to better patient outcomes.

    So the Commission went on to say that texting is OK if — and only if — the service uses:

  • Secure data centers
  • Encryption of data (both in transit and at rest)
  • Recipient authentication
  • Audit controls (the ability to archive messages and information, retrieve that information quickly, and monitor the system)

    It's probably obvious, given the parameters above, that the approved text messaging I'm talking about isn't between provider and patient, but rather between healthcare colleagues who are "on the same page" regarding the recognized safeguards.

    There's an app for that

    Since regular consumer-based text-messaging services don't cut it in terms of HIPAA compliance and the Commission's guidelines, if you want to text in your capacity as a healthcare professional, I recommend looking into a specialized app for mobile devices: one that encrypts data on your phone, communicates it to the recipient, and decrypts it there. Also, make sure this app includes backup and emergency access, and that it can archive messages. And don't forget to get a signed Business Associate Agreement from the company that makes the app. (You'll need it because PHI will likely be passing through their computer networks.)

    As useful and convenient as texting PHI can be, it does present some challenges. If you do decide to use text-messaging as part of your work in healthcare, follow the Commission's guidelines to a "T," and you should be OK.

        © Darnall Law Office 2015