Ensuring HIPAA Compliance in Text Messaging


Marcy A. Metzgar

Many healthcare providers find that text messaging provides quick access to the information they need to make decisions and is convenient for communicating with other providers and patients. Yet, texting presents privacy and security concerns.

Typical short message service (SMS) texting does not offer the security necessary for sending protected health information (PHI). As a result, patient privacy might be compromised if unauthorized individuals can view texted data, devices are lost or stolen, or messages remain on servers in unencrypted formats.1

In some limited situations, SMS texting may comply with HIPAA. For example, the HIPAA Journal explains that healthcare providers may send text messages to patients only if the content of the messages does not include personal identifiers and the messages comply with the minimum necessary standard. Healthcare providers also must warn patients about the risks of communicating personal information over an unencrypted channel.2

To ensure HIPAA compliance in texting, healthcare organizations should use secure messaging systems that comply with the technical safeguards of the HIPAA Security Rule (relevant to the electronic transfer of PHI), or the patient should give permission to text using an unsecure system.3 In the latter case, healthcare providers must provide the warning mentioned above.

Organizations also should incorporate information related to text messages into organizational health record documentation policies. HIPAA specifies that individuals have the right to view and amend PHI used to make clinical decisions about their care, which might include information sent via text messages.

In 2024, the Centers for Medicare & Medicaid Services (CMS) indicated that healthcare providers may now text patient information and patient orders in hospitals and critical access hospitals as long as a HIPAA-compliant secure texting platform is used and it complies with the Conditions of Participation at 42 CFR 482.24 and 41 CFR 485.638.4

To be in compliance, healthcare organizations and providers must do the following:

  • Use and maintain secure and encrypted messaging systems/platforms that ensure the integrity of author identification and minimize the risks to patient privacy and confidentiality per HIPAA regulations.
  • Be certain that texted patient information or patient orders are dated, timed, authenticated, and promptly placed into the electronic health record (EHR).
  • Ensure that patient information or patient orders transmitted into the EHR are accurate, complete, filed and retained in the proper place, and accessible.
  • Develop and execute policies and procedures that require checking the security and integrity of the text messaging systems/platforms on a set basis.5


Endnotes


1 Adler, S. (2023, December 13). Is text messaging HIPAA compliant? HIPAA Journal. Retrieved from www.hipaajournal.com/is-text-messaging-hipaa-compliant/

2 Adler, S. (2024, February 24). Is texting in violation of HIPAA? HIPAA Journal. Retrieved from www.hipaajournal.com/texting-violation-hipaa/

3 Ibid.

4 The Joint Commission. (2024, October 16 [last updated]). FAQ: Can organizations use texting to communicate patient care information and orders? Retrieved from www.jointcommission.org/standards/standard-faqs/behavioral-health/information-management-im/000002483/

5 Centers for Medicare & Medicaid Services. (2024, February 8). Texting of patient information and orders for hospitals and CAHs [Memorandum]. Retrieved from www.cms.gov/medicare/health-safety-standards/quality-safety-oversight-general-information/policy-memos-states/texting-patient-information-and-orders-hospitals-and-cahs; The Joint Commission. (2024, June 5). Use of secure text messaging for patient information and orders. Retrieved from www.jointcommission.org/resources/news-and-multimedia/newsletters/newsletters/joint-commission-online/june-5-2024/use-of-secure-text-messaging-for-patient-information-and-orders/