
HIPAA and texting: everything you need to know


SMS, which stands for short message service, was first developed in 1984, originally conceived as a successor to radio memo pagers; the first text message was not sent until 1992. The "short" in the name comes from the 160-character limit on a message. This easy, simple way to communicate grew until, by 2010, it was the most used data application on mobile phones, and it has persisted since, with trillions of text messages sent every year.

HIPAA is the Health Insurance Portability and Accountability Act of 1996. The portability part was about individuals keeping their health insurance benefits when they changed jobs, but HIPAA's legacy has more to do with federal standards for preserving patient privacy. Specifically, it led to national standards for the protection of sensitive patient information, so that it cannot be disclosed without the patient's authorization except where the rules expressly permit it (for treatment, payment and health care operations, for example).

This sensitive health information is called protected health information, or PHI. Under the Privacy Rule's Safe Harbor standard, there are eighteen kinds of identifier that could potentially identify a patient, and all of them must be removed before information counts as de-identified. The list is quite comprehensive:

  • The patient’s name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county and ZIP code)
  • All elements of dates directly related to an individual, except the year (date of birth, admission, discharge and death), and all ages over 89 (which may only be reported as an aggregate category of 90 or older)
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security number
  • Health plan beneficiary number
  • Account number
  • Medical record number
  • Certificate or license number
  • Vehicle identifiers and serial numbers, including license plate numbers and VIN
  • Device identifiers and serial numbers
  • Web URLs
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including fingerprints and voice prints
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic or code

A communication that contains any of these identifiers alongside health information is identified PHI. If all eighteen identifiers are removed (and the organization has no actual knowledge that what remains could still identify the person), the data is de-identified and no longer subject to the Privacy Rule. This is why research data sets are typically analysed only in aggregate form, with the identifiers stripped, to avoid a HIPAA violation. The Privacy Rule continues to protect a person's PHI after death, for 50 years from the date of death.
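As an added example (not part of the original article), the following Python scrubber applies the mechanical part of the Safe Harbor rule to a clinical message: it scans for the identifiers that can be matched by pattern (dates, ages over 89, phone, SSN, email, IP, URL, ZIP and medical record number), reports what it found, and returns a redacted copy. The regular expressions, the `Finding` type and the sample note are assumptions constructed for the example; names, street addresses and free-text characteristics need a dictionary or NLP and are deliberately left to a human reviewer.

```python
"""Safe Harbor de-identification scrubber (added example, not from the page).

Finds the HIPAA Safe Harbor identifiers that can be matched mechanically and
returns a redacted copy of the message. Names, street addresses and other
free-text characteristics are out of scope and must be reviewed by a person.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str   # which Safe Harbor identifier matched
    text: str   # the matched text
    start: int
    end: int


# Illustrative patterns (assumption for this example). They are deliberately
# loose: a false positive costs a human review, a false negative leaks PHI.
_PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"(?<![\w+])(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("url",   re.compile(r"\bhttps?://\S+")),
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
    ("age",   re.compile(r"\b\d{2,3}[ -]year[ -]old\b|\bage[ :]*\d{2,3}\b", re.I)),
    ("zip",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),
    ("mrn",   re.compile(r"\bMRN[ :#]*\d{5,}\b", re.I)),
]


def scan(message: str) -> list[Finding]:
    """Return the non-overlapping identifier matches in the message, earliest first."""
    found = []
    for kind, pat in _PATTERNS:
        for m in pat.finditer(message):
            if kind == "age":
                # Only ages over 89 are identifiers under Safe Harbor.
                if int(re.search(r"\d+", m.group(0)).group(0)) <= 89:
                    continue
            found.append(Finding(kind, m.group(0), m.start(), m.end()))
    # Earliest match wins; at the same offset prefer the longest match.
    found.sort(key=lambda f: (f.start, -(f.end - f.start)))
    result: list[Finding] = []
    for f in found:
        if result and f.start < result[-1].end:
            continue  # overlaps an earlier match (e.g. digits inside a phone number)
        result.append(f)
    return result


def _replacement(f: Finding) -> str:
    if f.kind == "date":
        # Safe Harbor permits the year; strip month and day.
        return re.search(r"\d{4}", f.text).group(0)
    if f.kind == "age":
        # Ages over 89 may only be reported as the category "90 or older".
        return "[AGE 90+]"
    # ZIP: Safe Harbor allows keeping the first three digits only where that
    # area has more than 20,000 people, which needs census data; without it
    # the whole ZIP is redacted, like every other identifier kind.
    return f"[{f.kind.upper()}]"


def deidentify(message: str) -> tuple[str, list[Finding]]:
    """Return (redacted message, findings) for a message that may contain PHI."""
    findings = scan(message)
    out, pos = [], 0
    for f in findings:
        out.append(message[pos:f.start])
        out.append(_replacement(f))
        pos = f.end
    out.append(message[pos:])
    return "".join(out), findings


# Constructed sample note for the example; every value is fictitious.
SAMPLE = (
    "Pt John Doe, MRN 00123456, DOB 12/03/1934, 91-year-old, "
    "discharged 05/14/2024 to 742 Evergreen Terrace, Springfield 62704. "
    "Call 555-123-4567, ssn 123-45-6789, jdoe@example.com. "
    "Portal login from 203.0.113.7."
)

if __name__ == "__main__":
    redacted, findings = deidentify(SAMPLE)
    for f in findings:
        print(f"{f.kind:>6}: {f.text}")
    print(redacted)
```

Run on the sample, the scrubber reports nine identifiers and leaves the name and street address untouched, which is exactly the residue a reviewer has to catch before the message leaves the organization; a real deployment would gate outbound SMS or email on an empty findings list plus that review rather than on the regexes alone.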

However, even with patient privacy paramount, PHI has to be communicated in the normal course of business in healthcare. It happens with every visit to a provider's office, for example when the claim for the visit is sent to the insurer for payment. Providers also frequently need to communicate with a patient and their family while the patient is under their care.

The challenge for healthcare providers is determining which communication methods are HIPAA compliant and which are not. Although some methods of communicating with patients do not pass, there are fortunately several options that do.

The first compliant method is direct, in-person communication between provider and patient. Because the information passes face to face, with nothing transmitted or stored along the way, it is fully HIPAA compliant.

However, on many occasions the patient is not in front of the provider and information needs to be sent. Phone calls are HIPAA compliant and a common method in healthcare; when a patient supplies a phone number, that is taken as permission to be called at it. USPS mail, certified if necessary, is another compliant method. Sometimes called "postal mail", it gets the job done, but it isn't fast and isn't suited to real-time conversation.

Sending a fax is also HIPAA compliant (although it becomes less clear-cut when an online fax service is used rather than a physical fax machine). Faxing is commonly used to send information between doctors' offices, which is one reason it has persisted in healthcare long after many other industries discarded their fax machines.

While in-person conversation, phone, fax and USPS mail are all HIPAA compliant, more modern electronic channels are where things get complicated quickly: SMS, instant messaging and email. In general these are not considered compliant on their own, because the PHI they carry is not secure: none of them is encrypted end to end in ordinary use. SMS may be encrypted over the air between the handset and the cell tower, but the carrier's message centre stores and forwards it in plaintext, and ordinary email is relayed between mail servers in plaintext unless both sides happen to negotiate TLS.

These messages also cross networks the sender does not control (public Wi-Fi for email and messaging apps, the carrier's network for SMS), which are not considered secure. There is no mechanism to recall a message once it has been delivered to the wrong recipient. Finally, copies may remain on the servers through which the message was relayed for an indefinite period of time.

That said, although SMS is avoided, email is sometimes necessary, if only for hospitals and health care providers to communicate with insurance companies. The HIPAA Security Rule's technical safeguards set standards for such electronic communication. They include transmission security: the message is encrypted in transit so that, if it is intercepted, it cannot be read.

There must also be access control, with a unique identifier for each user so that access to PHI can be recorded and audited, and an automatic logoff after a period of inactivity so that an unattended device does not expose PHI to unauthorized users.

Although not technically impossible, these requirements are hard to meet with plain SMS, which is why it is not used for PHI. Many healthcare organizations have instead shifted to dedicated HIPAA-compliant secure messaging apps. These are designed from the ground up to meet HIPAA's requirements, with encrypted communication, per-user logins and audit trails, while functioning like any other instant messaging application. TigerConnect is one example of this type of product.

In conclusion, because of the encryption, unique-login and automatic-logoff requirements, plain SMS is not used to carry PHI in healthcare that needs to remain HIPAA compliant.
