Get to Know Texting and HIPAA Correlations Before You Hit Send

Posted on 25 Apr, 2019 | By Bruce Pegg

Look around your practice or facility's waiting room. Are there patients reading texts on their phones? If they are looking at messages they received from one of your providers, your office may be in violation of Health Insurance Portability and Accountability Act (HIPAA) regulations.

The same HIPAA rules that govern other forms of communication also regulate text messaging. So, with some understanding of how texting differs from email and paper correspondence, and a little foresight, you can adjust your compliance program to make text messaging both secure and useful for your patients.

What’s So Different About Text Communication?

First, it’s important to know the unique challenges texting presents to HIPAA rules. To do that, you need to understand how text messaging differs from other forms of communication:

  • Text messages aren't end-to-end encrypted. Standard SMS is a carrier service: whatever encryption exists on the radio link ends at the carrier, and the message is handled in plain text by the carrier and any intermediate messaging aggregator, so it can be read or intercepted by third parties who never touch either phone. The message also sits unencrypted in the messaging app on both phones, so sent and received texts remain exposed if a phone is lost, stolen, or not disposed of properly at the end of its useful life. (A screen lock with device encryption turned on limits that last exposure, which is why it belongs in your mobile-device policy.)
  • Text messages can easily be viewed by unintended recipients. If a provider's text pops up as a lock-screen preview on a patient's phone and someone else sees it come in, or the patient is in a public place and someone reads the message over the patient's shoulder, the message is not secure and the communication may have breached HIPAA rules.
  • Text message recipients cannot be verified. A letter or email sent to an address that does not exist usually comes back to you; one sent to a valid address that belongs to the wrong person does not, and neither does a text. A text sent to a wrong number is almost never returned: any working number belongs to someone, and that someone will most likely read the message. Numbers also change hands, as carriers reassign disconnected numbers, so a number that was a patient's last year may belong to a stranger today unless you confirm it before sending.

What Does This Have to Do with HIPAA Breaches?

Each of the differences outlined above represents a potential vulnerability or exposure of the patient’s electronic protected health information (ePHI), which includes, but is not limited to, a patient’s medical history, test results, insurance information, or information that can identify a patient.

Essentially, your practice needs to address any threat of revealing that information in a text to anyone other than the patient or a third party designated by that patient.

What Can Your Practice Do to Protect Patients’ ePHI?

Once you have identified potential areas in your practice’s text communication practices that could result in a HIPAA violation, you will need to decide whether your practice will permit any form of text communication with patients and, if texting will be allowed, what protocols stakeholders will need to observe. You will also need to educate any stakeholders about those policies.

If you do decide to allow texting to patients in your practice, a good place to go when you are ready to draft your policy is the American Medical Association (AMA)’s Guidelines for Patient-Physician Electronic Mail and Text Messaging.

But here are three simple policies your practice can implement right away to bring your practice closer to HIPAA compliance:

  1. Prohibit or strictly limit sharing of ePHI via text: This could mean not sending texts to patients at all, or limiting texts to information that does not identify the patient or the patient's specific conditions, for example, a generic appointment reminder or a request to call the office, with no names, results, or diagnoses.
  2. Choose a more secure platform to communicate with patients: Some apps, like WhatsApp, Confide, and Signal, offer end-to-end encryption, meaning that messages are automatically encrypted before being sent and automatically decrypted on the receiving end, so that neither the carrier nor the app vendor can read them in transit. This makes them far more secure than plain text messages, though you will still need to research each one before choosing: whether the vendor will sign a Business Associate Agreement, whether message backups to the cloud are encrypted as well, and the fact that end-to-end encryption does nothing for a message displayed on an unlocked or stolen phone.
  3. Sanitize discarded phones: Before your practice disposes of any electronic device (this includes computers as well as phones), a trusted and knowledgeable IT specialist needs to erase all information from it, especially anything that could compromise a patient's ePHI. A simple delete is not enough; follow a recognized sanitization method such as those in NIST Special Publication 800-88, Guidelines for Media Sanitization, and keep a record of which device was wiped, how, and by whom.
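One way to put the first policy above, together with the recipient-verification problem from the earlier list, into practice is to route every outbound text through a small policy gate. The module below is an added example written for this page, not code from the article or its author, and it is a hypothetical design: the template wording, the placeholder allowlist, the content patterns, and the opt-in flow are all assumptions made for illustration. It allows only pre-approved, ePHI-free templates to be sent, re-screens the rendered text, and refuses to text a number until the patient has confirmed it by echoing back a one-time code from that same number.

```python
"""Outbound-text policy gate (added example, not from the article).

Hypothetical design enforcing two controls discussed on this page:
  1. Only pre-approved, ePHI-free templates may be sent by SMS.
     Free text is rejected, and the rendered message is screened again
     for anything that would identify the patient or a condition.
  2. A number may be texted only after the patient has confirmed it by
     replying with a one-time code from that same number.
"""
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Templates deliberately carry no name, diagnosis, result, or insurance
# detail; anything patient-specific is pushed to a phone call or portal.
TEMPLATES = {
    "appt_reminder": "Reminder: you have an appointment on {date} at {time}. Reply C to confirm.",
    "call_office": "Please call our office at {office_phone} when convenient.",
}

# Placeholders a template is allowed to take; any other field is refused.
ALLOWED_FIELDS = {"date", "time", "office_phone"}

# Crude screen over the rendered text (constructed list for the example;
# a real practice would maintain its own). Catches obvious identifiers
# and clinical terms that should never appear in an SMS.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                  # SSN-shaped
    re.compile(r"\b(?:mrn|member id|policy number)\b", re.I),
    re.compile(r"\b(?:diagnos|prescri|result|positive|negative)", re.I),
]


class PolicyViolation(Exception):
    """Raised when a message must not leave the practice by SMS."""


@dataclass
class OptInStore:
    """Tracks which numbers have proven they belong to the patient."""
    pending: dict = field(default_factory=dict)   # number -> one-time code
    verified: set = field(default_factory=set)

    def start(self, number: str) -> str:
        """Issue a code to be sent to `number`; the patient must echo it back."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        return code

    def confirm(self, from_number: str, code: str) -> bool:
        """Accept the code only from the number it was issued to."""
        expected = self.pending.get(from_number)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del self.pending[from_number]
        self.verified.add(from_number)
        return True


def render(template_id: str, **fields: str) -> str:
    """Render an approved template and screen the result for ePHI."""
    if template_id not in TEMPLATES:
        raise PolicyViolation("free text is not permitted over SMS")
    extra = set(fields) - ALLOWED_FIELDS
    if extra:
        raise PolicyViolation(f"disallowed fields: {sorted(extra)}")
    text = TEMPLATES[template_id].format(**fields)
    for pat in PHI_PATTERNS:
        if pat.search(text):
            raise PolicyViolation("rendered message appears to carry ePHI")
    return text


def send_sms(store: OptInStore, to_number: str, template_id: str, **fields: str) -> str:
    """Return the text the SMS gateway would send, or raise PolicyViolation."""
    if to_number not in store.verified:
        raise PolicyViolation("number has not completed opt-in verification")
    return render(template_id, **fields)


if __name__ == "__main__":
    store = OptInStore()
    code = store.start("+15550100")           # code goes out to the number on file
    store.confirm("+15550100", code)          # patient replies with it from that number
    print(send_sms(store, "+15550100", "appt_reminder", date="May 3", time="2:15 PM"))
```

The two checks are deliberately independent: a verified number still cannot receive free text, and an approved template still cannot go to an unverified number. The content screen is a last line of defence for data that leaks in through a placeholder (a staff member pasting a result into the phone-number field, say), not a substitute for keeping ePHI out of the templates in the first place.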
Learn More

Stay on top of evolving regulations, new technologies, and security threats with current, to-the-point guidance in your monthly subscription to Health Information Compliance Alert. In every issue, our experts tackle challenging security scenarios across the spectrum of health IT to keep you in the know, help you train your staff, and equip you to implement protocols to preserve the integrity of your practice.

Master HIPAA compliance with the industry’s best-selling handbook — the HIPAA Handbook 2019.  Our nationally-recognized HIPAA compliance experts lay out best practices and walk you step-by-step through the dos and don’ts of compliance. We also address new target areas and introduce you to tools to nail down risk assessments, tighten up your EHR privacy and security, reassess your risk analysis plan, prep for audits, and more.


Bruce Pegg
Editor, Newsletters

An experienced teacher and published author, Bruce is TCI’s new voice of primary care, delivering advice and insights every month for coders in the fields of family, internal, and pediatric medicine through Primary Care Coding Alert and Pediatric Coding Alert. Additionally, he is the current editor of E/M Coding Alert. Bruce has a Bachelor of Arts degree from Loughborough University in England and a Master of Arts degree from The College at Brockport, State University of New York. He recently became a Certified Professional Coder (CPC®), credentialed through AAPC.
