HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Regulations for SMS

Most SMS Messages are Not HIPAA Compliant

The HIPAA regulations for SMS do not specifically prohibit the use of a “Short Message Service” to communicate Protected Health Information (PHI), but they do stipulate that certain conditions have to be in place before using SMS to communicate PHI is HIPAA compliant.

Most SMS messages are not HIPAA compliant. This is because they are not encrypted, cannot be recalled if sent to the wrong recipient, and can be intercepted on public Wi-Fi networks. Although mechanisms exist to resolve these issues with SMS messages, they are rarely used.

Further issues exist due to SMS messages being unaccountable and because copies remain on the servers of service providers indefinitely. The only resolution to these issues is to exclude any PHI from messages sent in SMS format. Importantly, the HIPAA regulations for SMS also apply to Instant Messaging services such as WhatsApp and iMessage, and to emails as well.

What HIPAA Says about SMS, IM and Email

The majority of the HIPAA regulations for SMS, IM and email are contained within the technical safeguards of the HIPAA Security Rule. These safeguards require the introduction of access controls, audit controls, integrity controls, ID authentication, and transmission security to prevent unauthorized access to PHI. Among the required security measures:

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

  • Every authorized user must be assigned a unique login username and PIN number for whatever mechanism is being used to send and receive PHI. This is so all communications containing PHI can being monitored and logged.
  • Any mechanism used to communicate PHI must have an automatic logoff facility. This measure is required to prevent unauthorized access to PHI if a desktop computer or mobile device is left unattended.
  • PHI must be encrypted in transit so that, in the event a message is intercepted on a public Wi-Fi network, the content of any message – and any PHI sent as an attachment – is “unreadable, undecipherable and unusable”.

These three security measures by themselves make it difficult for HIPAA covered entities to comply with the HIPAA regulations for SMS, IM and email. It is not difficult to implement a channel of communication that requires users to log in, but to monitor all their online activity and have them log off when they are finished is much more complicated.

The issue of encryption is also tricky. Any encryption solution used to securely communicate PHI between healthcare organizations, medical professionals, Business Associates and other covered entities would have to work across multiple operating systems and devices – and have a standard decryption key. It was for this reason that an exemption was made for the electronic communication of PHI between medical professionals and their patients.

Overcoming the HIPAA Regulations for SMS, IM and Email

The HIPAA regulations for SMS, IM and email are extremely complex, and may apply to covered entities differently depending on their size, the nature of service they provide and the volume of PHI they communicate. However, there is a solution that overcomes the HIPAA regulations for SMS, IM and email regardless of an organization´s operating structure – secure messaging.

Secure messaging works in much the same way as SMS or IM. Secure messaging apps can be used to send and receive encrypted text messages, share images and conduct group discussions. The apps work across all operating systems and devices, but only once a user has authenticated their ID with a centrally-issued username and PIN number.

Safeguards are in place not only to prevent unauthorized access to PHI when a desktop computer or mobile device is left unattended, but also to prevent the copying and pasting of PHI, the saving of PHI to an external hard drive, or the sending of PHI to a third party outside the organization´s network of authorized users.

All activity on the network is monitored and further security measures in addition to automatic logoff exist to protect the integrity of PHI. For example, if an authorized user´s mobile device is lost or stolen, controls on the secure messaging platform enable administrators to remotely delete any communication containing PHI and lock the secure messaging app.

The Benefits of Secure Messaging

By complying with the HIPAA regulations for SMS, IM and email by implementing a secure messaging solution there are significant benefits – especially for healthcare organizations. Being able to send and receive PHI “on the go” reduces the amount of time on-call doctors and community nurses play phone tag. Group messaging features accelerate the communications cycle and can reduce the length of time it takes to process hospital admissions and patient discharges.

When integrated with an EMR, a secure messaging solution can be used to share the task of updating patient´s notes – providing physicians with more time to attend to their patients. According to a study conducted by the Tepper School of Business at the Carnegie Mellon University in 2015, the integration of a secure messaging solution reduces patient safety incidents by 27% and medication errors by 30%.