HIPAA Text Messaging Policy & Relevant Best Practices


Since more than two thirds of people use smartphones, it is becoming increasingly common for healthcare professionals to use them as a communication tool for sending text messages. Healthcare professionals often communicate by text with other healthcare professionals and with their patients. And why not? It is a quick, convenient way to collaborate and communicate. However, it is imperative to be aware of the risks associated with texting in a healthcare environment, especially in light of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. These laws came about to regulate how patient data is handled. Healthcare providers have to develop proper policies and maintain safeguards to mitigate data breaches and adverse legal consequences.

Important Compliance Regulations

The HIPAA Security Rule requires healthcare providers and organizations to address text messages as part of their management strategy and detailed risk analysis. Based on the risk analysis, a healthcare organization must decide the appropriate physical, technical, and environmental controls to reduce any possible risks associated with sending Electronic Protected Health Information (ePHI) through text messaging.

To understand and select the technical security measures necessary to comply with this standard, organizations must review the current methods they use to transfer ePHI. An organization should identify the available and appropriate means to secure and protect ePHI as it is transmitted, select relevant solutions, and document its decisions. HIPAA’s Security Rule says that “breach” is defined as the acquisition, use, access, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule which compromises the privacy and security of such information.

Devices that are used for text messages, such as tablets or smartphones, can be stolen or lost. HITECH compliance in the event of a breach should therefore be reviewed with regard to the text messages that may reside on a compromised device.

Possible Risks Associated With Text Messaging


Sending medical orders via text may violate HIPAA if the system is not able to restrict access, protect the integrity of the order, or prevent unauthorized access to Protected Health Information. Most text messaging systems do not include measures such as encryption or sender/receiver authentication, and messages are stored on insecure servers. If a phone is lost or stolen and its password is decoded, or a text is accidentally forwarded to the wrong contact, PHI will be exposed.

Sender/Receiver Authentication

Text messages do not allow the recipient to verify the identity of the person sending the text, which can lead to wrong or fraudulent orders. Also, if the sender mistypes the receiver’s phone number, there is no way to verify the intended recipient or confirm that the text message was received by that person. If the cellular network is unavailable, the message may not even transmit, and cellular networks can be unreliable, leading to delayed or missing messages.


There is no system or mechanism to store the original message in order to validate what must be transcribed into the medical record. Text messaging is a conversation and it is difficult to transcribe.

Order Completeness and Clarity

If acronyms and abbreviations are used in text messages, they lead to miscommunication of the order. Also, free texting can result in a misspelled drug or patient name, which can lead to the wrong drug being dispensed or the wrong patient name being entered. Cell phones have an autocorrect feature which can result in incorrect and confusing (if sometimes hilarious) entries. Since voice recognition technology can be used to create a text message, it can cause transcription errors.

No Clinical Decision Support

Medical orders sent through text message can bypass the clinical decision support and alerts given by computerized prescriber order entry (CPOE) systems. These systems can often take into consideration the patient’s current medical conditions, medications, age, allergies, weight, and other details. Many CPOE systems also offer prompts to prevent incomplete orders from being entered.

Transcription Errors

Texted orders have to be transcribed manually by pharmacists or nurses into a patient’s electronic medical record, which can increase the risk of errors. Also, any delay in order transcription can result in a delay in patient care.

Other Distractions

Cell phones constantly receive messages and notifications from different sources, such as social media, calls, texts, emails, and other alerts, which can be distracting when trying to compose a medical order through text.

Hucu.ai eliminates all risks of HIPAA violations.

Best Practices to Consider When Using Text Messages for ePHI

A professional healthcare provider or an organization should consider putting the following best practices in place before allowing text messages to be received or sent.

Ensuring the Security of Mobile Devices

Security must be prioritized for every device used to send or receive mobile text messages containing ePHI. Identifying all mobile devices that providers are using within the organization, and how to keep track of them, is an important consideration. Healthcare organizations must have a policy that devices have to be securely encrypted by the facility before being used for text messaging. Mobile encryption software comes in handy to reduce the risks associated with sending text messages on mobile devices, especially when trying to prevent unauthorized access to a patient’s healthcare or financial information.

Establishing Texting Policies

Apart from encryption protocols, it is also important to set guidelines for the type of healthcare information that can be shared through a secure text message, who can send and receive the text, and which mobile devices may be used.

Educating the Staff about Your Texting Policies

Because violations of secure text message policies or a failure to have safeguards in place can compromise the security of PHI, it is important to train all healthcare staff members on texting policies and on what types of content can be sent via text message.

Using a Third-Party HIPAA Compliant Secure Texting Solution

For an organization that uses cellphones to text ePHI, it is difficult to understand, remember, and implement all of HIPAA's security rules and regulations. However, there is an amazingly simple solution that acts as an umbrella against all the risks in just one platform. Hucu.ai is an application and a telehealth solution that was built keeping in mind all the risks and security measures for PHI. It is a free HIPAA compliant text messaging application that ensures secure, encrypted communication among healthcare staff members and patients for quicker, easier, and better healthcare service.

Hucu has numerous safety features, such as biometric account verification to open the application, which also closes down after a few minutes of inactivity. Since it has specific communication channels and threads, there is little chance of sending a wrong text message. It also allows the sharing of a patient’s health data through images that are stored on protected and secured servers. Hucu has made healthcare communication simple and very secure.

Communicate Policy to Patients

Whether or not patient communication is part of your texting policy, it is a good idea to inform patients about how their healthcare information will be used. The texting policy can be part of the HIPAA acknowledgment that patients have to sign as it gives them a chance to know that their healthcare provider takes their information security seriously.

Require Authentication and Authorization for Accessing Messages

Healthcare messages have to be secured with strong authentication requirements. Users should be enrolled in their organization’s secure text messaging service through a personal invitation process, and their access to messages must be password-protected. These steps ensure that messages are read by the intended people and not by their friends or family. Hucu.ai is a platform that takes care of these requirements, as it is password protected, stores all data securely, and follows an invitation process.

Hucu.ai Is a Free HIPAA Compliant Text Messaging App

As smartphones become more deeply embedded in our daily lives, it is only a matter of time before more policies come about that regulate their usage in a healthcare environment. Hucu.ai was built thinking ahead of time to resolve the security issues with ePHI while making communication convenient and quick for healthcare staff and organizations.

Sources of Information: adelmanfirm, ncbi.nlm.nih.gov, hipaajournal
