HIPAA Rules for Text Messaging


Aug 7, 2014 TigerText

By: Marc Ladin; TigerText Chief Marketing Officer

Texting within a Healthcare Organization

The HIPAA rules for text messaging protected health information (PHI) are quite clear about what conditions should be in place for texting within a healthcare organization in order to comply with the HIPAA Security Rule.

Organizations have to meet the physical, technical and administrative safeguards of the Security Rule. In addition, they must implement measures to protect the environment in which PHI is stored, introduce processes to control the transmission of PHI, and develop policies to guide staff on when and how PHI should be communicated over a mobile device.

These safeguards have been introduced to prevent the unsecured communication of PHI via SMS and pagers, which, although convenient and quick, could result in PHI being compromised in the event that a communication is sent to the wrong recipient, or if an individual's mobile device is lost or stolen.

How to Comply with the HIPAA Rules for Text Messaging

The simplest way of complying with the HIPAA rules for text messaging is to implement a secure messaging system from TigerText. TigerText enables secure texting within a healthcare organization by allowing authorized users to receive and send patient-related communications after validating their ID with a unique username and PIN code.

Messages are tightly encapsulated and configured to travel only within a defined network, while administrative controls are in place to monitor staff usage and identify any potential breaches of PHI. Delivery notifications advise the sender that their message has been sent to the correct recipient, and pre-determined “message lifespans” ensure that old communications are properly deleted after the recipient has read the message.

Should a potential breach of PHI be identified, or an authorized user lose their mobile device, administrators can retract and delete communications, or remotely wipe and remove a user's mobile device from the system, in order to maintain the integrity of the PHI and avoid a breach.

Policies for Texting within a Healthcare Organization

The HIPAA rules for text messaging PHI also have “Organizational Requirements” – rules which fall outside the physical, technical and administrative safeguards of the Security Rule. These rules for texting within a healthcare organization state that “a covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule”.

Policies have to be introduced to guide employees, who have become accustomed to communicating PHI via the unsecured channels of SMS and pagers, on how and when to send text messages within a healthcare organization. This allows healthcare organizations to properly manage usage and ensure that employees are taking the necessary steps to keep communication HIPAA compliant.

Due to the complexity of the Security Rule, we have compiled a “Top 8 Secure Messaging Policy Best Practices” white paper, which you are invited to download and read. Learn how to guide staff on the usage of a secure messaging solution, how and when secure PHI should be transmitted, and how to integrate a secure messaging policy into existing organizational policies.

If, after reading our white paper, you have any further questions about the HIPAA rules for text messaging, or would like further information about TigerText's secure messaging solution for texting within a healthcare organization in compliance with HIPAA, please do not hesitate to contact us.