
5 HIPAA Risks of Text Messaging With Patients

HIPAA violation when unauthorized person reads a text message containing patient information

Choose HIPAA Compliance Over Convenience:

In any fast-paced healthcare practice, it can be tempting to “just get the job done”. However, the requirements to protect healthcare data mandated by HIPAA take precedence over convenience.

The communication habits we have in our daily personal lives are built around easy information sharing. Text messaging, or SMS, has become a standard way people connect, but using this method to send and receive patient-related data creates serious risks for your clinic and your patients.

Often, it’s not enough to explain to patients and your team that a convenient or familiar communication system can’t be used. Without understanding the reasons a service is not allowed, people might justify skirting the rules for the sake of just getting the job done. HIPAA rules don’t provide room for selective compliance, and a single lapse can cause a HIPAA violation.

To help you reinforce the importance of not using SMS for communication in healthcare, here are the key HIPAA compliance risks of using SMS communication with patients:

1. Lack of Encryption

The HIPAA Security Rule requires that electronic Protected Health Information (ePHI) be encrypted in transit. While encryption at rest (when it is stored on the recipient’s and/or sender’s side) is not strictly required, you must justify to HHS/OCR regulators why ePHI you send is not encrypted at rest.

  • Risk: Standard SMS is not encrypted, so messages can be intercepted during transmission. The data may also be stored on unencrypted service provider servers for an undisclosed period of time.
  • Impact: Unauthorized access to protected health information (PHI), resulting in a reportable breach.

2. Unauthorized Access on Patient Devices

HIPAA sets rules for role-based access to PHI. That means only people with the proper authorization can access or use PHI.

  • Risk: Text messages can be viewed by anyone with access to the patient’s phone (e.g., family, coworkers). Text messages stored on service provider servers may be accessed by that company’s employees or unauthorized individuals who gain access to those servers. Given that data contained within text messages is not treated as health information by SMS service providers, you can’t expect data sent via text to be protected according to HIPAA compliance rules.

  • Impact: Potential privacy violations if sensitive information is exposed.

3. Sending to the Wrong Recipient

In a world where people change phone numbers, verifying the number of your intended recipient is critical, just as you need to verify a fax number every time before you send. Numbers are also too often entered incorrectly, which can lead to data being sent to the wrong person.

  • Risk: Mistyped phone numbers or outdated contact information can lead to PHI being sent to unintended individuals.

  • Impact: Breach of confidentiality and legal liability.

4. No Audit Trail

To be HIPAA-compliant, you must be able to identify each individual who accesses the PHI in your care. Since most texting services and applications don’t require user authentication or login, it is very difficult to know who saw which information.

  • Risk: SMS platforms often lack proper logging or audit capabilities.

  • Impact: Difficulty proving compliance or investigating incidents.

5. Inability to Control or Recall Messages

If mistakes happen, you need to be able to address them and ‘fix’ any unauthorized access to PHI. Ideally, misdelivered data needs to be reclaimed. Text messaging does not allow you to remove messages from a wrong recipient’s device or service provider servers.

  • Risk: Once a text is sent, it cannot be retracted or secured.

  • Impact: Permanent exposure if sent in error or forwarded.

Is Text Messaging HIPAA-Compliant?

No. While texting with patients seems convenient, there is no way to meet HIPAA compliance requirements when using SMS. Text was never made to keep data secure; it’s built for convenience. The risk of texting patient information is that you may expose protected health information and trigger the arduous process of managing a HIPAA violation and answering tough questions during an OCR investigation.

Recommendation for HIPAA-Compliant Patient Communication:

Brightsquid Secure-Mail can deliver ePHI to any recipient in full compliance with HIPAA rules. Data sent via Secure-Mail is always encrypted in transit and at rest. You can send any attachments necessary, and immediately recall information mistakenly sent to the wrong person. Try it free for one month.

Are Your Patient Communications HIPAA-Compliant?

Download our HIPAA Compliant Communications Checklist to see if your communications are creating risk of HIPAA violations in your clinic.

Jeff MacKay, Director of Marketing at Brightsquid, is an optimizer with 20+ years of doing, learning, and leading in communications and advanced business technology implementation. For nearly a decade, he has focused on operational efficiency in healthcare, helping thousands of organizations implement more effective processes while also supporting enhanced privacy compliance. A true collaborator, Jeff pushes teams to challenge the status quo, rolling up his sleeves to help implement the resulting innovations. Jeff is a regular conference speaker and a student of practical privacy compliance, cybersecurity trends, and technology in healthcare.
