Texting is not a HIPAA violation by itself. A text message that creates, uses, or discloses protected health information does violate the HIPAA Privacy Rule and the HIPAA Security Rule when the disclosure is not permitted, or when the organization does not apply administrative, physical, and technical safeguards that reduce the risk of unauthorized access and transmission to an appropriate level.
The HIPAA Privacy Rule permits covered entities to communicate with patients electronically about health matters and requires safeguards to limit incidental disclosures, such as verifying the destination number and limiting message content to the standard set by the HIPAA Minimum Necessary Rule when the disclosure is not for treatment. Text messages sent for treatment, payment, and health care operations still require controls that prevent access by unintended recipients, including when the phone is shared, lost, or visible on a lock screen.
The HIPAA Security Rule applies when the text contains electronic protected health information and is created, received, maintained, or transmitted by a covered entity or business associate. Standard SMS and many consumer messaging apps do not provide covered entities with consistent control over encryption, access, retention, audit logging, and remote deletion. Use of a secure messaging platform with access controls, authentication, transmission security, device management controls, and vendor contractual terms that meet business associate requirements supports compliance when texting is part of workforce workflows.
Patient-directed communications affect the analysis. When an individual asks to receive protected health information by text and declines more secure alternatives, a covered entity may send the information using the requested method after advising the individual of the associated security risks and applying safeguards within the organization’s control. Patient preference does not remove the need to limit content, verify contact information, document the request when required by policy, and prevent workforce use of uncontrolled texting for routine clinical communications.
Texting becomes a reportable event under the HIPAA Breach Notification Rule when an impermissible use or disclosure of unsecured protected health information occurs and the incident is not shown, through the required risk assessment, to present a low probability that the information has been compromised. Misaddressed texts, screenshots shared outside permitted channels, and messages stored on unmanaged personal devices are recurring causes of unauthorized disclosures.
