HIPAA-Compliant Text Messaging

Mobile electronic appliances are increasingly important in the healthcare system, often used to quickly access patient’s electronic PHI (ePHI) or to send it between healthcare workers. However, mobile phones are also being used to text patient information, or even to communicate with the patient themselves. These messages must still be HIPAA-compliant, and how that can be achieved is detailed below.

How can texts be HIPAA-compliant?

Simply put, for text messages to be HIPAA-compliant they must meet all the necessary safeguards detailed under the Security Rule. This usually involves implementing a “secure texting” system. Here, messages are encrypted and transmitted to a server that stores all data locally and securely. This system also prevents the phone network carrier from keeping a copy of any message.

The secured messages can then be accessed from any location so long as there is internet access. However, if a certain amount of time has passed, the message’s expiry date may have passed and the message may not be able to be recalled.

The phone using this network can still access all the usual functions, from social media to email – it is just the text-messages that are encrypted and thus HIPAA-compliant. Additionally, the device administrator will have the option of removing the user from the network or selectively deleting sensitive data. This will ensure that, after the user has stopped working for the organisation, they will not be able to access private information.

There are other steps that can be taken to ensure HIPAA compliance within these networks. Asking employees to text confirmation of the receipt of ePHI can help ensure that it wasn’t lost, whilst reviewing texts to ensure accuracy and coherence is also important. Even if they are being held on a secure server, deleting text messages that contain ePHI once they are no longer readily needed can also help prevent breaches. Additionally, where possible, the minimum amount of information possible should be sent in each text.

Secure Messaging Solutions

As detailed above, secure messaging solutions are invaluable when ensuring text messages are HIPAA-compliant. There are a few other key aspects, aside from encryption, that can help ensure HIPAA compliance. The applications usually have an automatic log-off feature such that after a period of inactivity the user is force logged-off. Then, to login again, they often employ two-factor authentication or similar methods. All login attempts are monitored to check if there are any “brute force” login attempts, where hackers simply try to guess passwords.


Text messaging is one of the most popular means of communication today. Millions of texts are sent every month, and it is to be expected that healthcare professionals will also use this technology to communicate ePHI. However the highly sensitive information communicated in these messages means that they require extra protection. For text messages to be HIPAA-compliant, a secure messaging system that encrypts all data should be used. This will help protect the messages from unauthorized access and also prevent the messages being stored long-term, even on protected servers.