Behavioral Healthcare Executive

Messaging often fails to meet HIPAA requirements

July 6, 2017
by David Raths

Using a smartphone to send a quick text message or e-mail has become second nature to most of us. But some healthcare providers take advantage of that convenience to communicate with colleagues and patients, not realizing that they could be violating HIPAA regulations by sending protected health information (PHI).

Consultants and attorneys who work with providers on HIPAA compliance say texting PHI is a fairly common problem. Ordinary SMS text messaging and consumer services such as Apple’s iMessage do not meet HIPAA’s requirement that providers maintain the confidentiality, integrity and availability of PHI. The troubles with text messaging include keeping information from being seen by an unauthorized recipient, keeping it secure on the device and in transit, and making sure the information ends up in the patient’s medical record.

Behavioral providers who would like to use text messaging must exercise caution, says Sharon Hicks, a senior associate with Open Minds, a market research firm focused on health and human services. “Being able to informally communicate with people who are in treatment situations has shown some efficacy in studies,” she says, “but the technical aspects of getting it done correctly are arduous and keep people from exploiting the technology as broadly as it could be used.”

For example, she says, some studies indicate that text messages offering encouraging statements are reinforcing and help people stick to a care regimen.

“The difficulty is that you have to be careful not to put any protected health information in those messages,” she says.

And it’s not just the content of the messages that must be considered.

“If a message includes personally identifiable health information, the principal risk I have seen is an unintended recipient,” says Nathan Mortier, an attorney with the firm Mellette PC in Williamsburg, Va. “We have all texted the wrong person. Many providers don’t realize that if they are going to be texting health information to other providers, if they text the wrong person protected health information, it becomes a breach subject to pretty stringent reporting requirements.”

Also, there could be medical decision-making taking place in a written format that is not being saved in the patients’ records, and therefore not available to future providers caring for the patients or the patients themselves. 

“What we have seen is that texting often replaces phone calls,” Mortier says. “Phone calls are not recorded and added to the medical record, but texts create a written record, and written records need to be included in the patient’s medical record if they include PHI and are relevant to a patient’s care,” he says.

Secure messaging apps

For messaging between providers, there are a number of new apps available on the market, and many of them purport to be compliant with HIPAA requirements. These apps generally require that individuals log in with a specific user name and password beyond what is on the mobile device. This helps ensure that the person entering information or using the service is verified, Mortier says. They may also have features that help automate the routing of messages to electronic health record (EHR) systems. Some EHR vendors are starting to offer add-on integrated secure messaging services.

Likewise, some health texting apps also include a feature that will limit the universe of recipients of information.

“Instead of having access to their entire contact list on your phone, it might only allow texts to other providers involved in that patient’s care,” Mortier says.

Another important feature of these applications is that they do not store message content on the device. If a physician logs in to an EHR or secure texting app on a phone and views information, that information is gone as soon as the app is closed, so a lost or stolen phone does not expose it.

Many providers do some type of secure messaging with patients through their EHR’s patient portal. But as Open Minds’ Sharon Hicks notes, if you are trying to interact with someone on a daily or weekly basis, it becomes a burden for them to log in to get a secure message.

“If I am willing to log into the patient portal, you know I am already engaged,” she says. “Secure messaging is a potential way to help engage people who are not easy to engage.”

Healthcare-focused messaging services will eventually become popular, Hicks predicts, because both consumers and providers want an informal and easy way to communicate. “We are in this world where texting is normal, and it is much easier. We haven’t created the work flows to take advantage of all the new technology,” she says, “but people want ease of use and self-service tools because that is what they are used to in all other aspects of their lives.”

Expanding the use of text messaging

One behavioral provider network that relies heavily on its technology platform is considering how text messaging can play a bigger role in patient communications. New York-based AbleTo operates a network of 300 licensed therapists and behavior coaches around the country, providing psychotherapy to patients via phone or secure video on a proprietary platform it has created.

“Currently we are using text messaging as appointment reminders and for rescheduling, but when we think about text messaging, it is really about extending the treatment experience,” says Aimee Peters, chief clinical officer. “We have a patient portal that has digital tools available to the patient. As an extension of that, we think about providing notifications and suggestions to practice at home the skills they learn in therapy sessions.”

Text-based support provides an opportunity to celebrate wins and success, Peters adds. Patients can let therapists know they made progress or had an important event or breakthrough, and providers can reinforce that through text messaging back to the patient.

If an organization completes the required HIPAA SRA (and many have not), the topic of texting theoretically has already been addressed within the organization. Having Mobile Device Management policies, consent forms for (unsecure) digital communication for the client to sign, and BYOD/company-issued/hybrid device policies should all be included in an org’s HIPAA P&P manual. Communicating with, to, or about clients would then be addressed, and staff would know what the parameters (and corrective actions) might be. Assuming an org has an effective Compliance Program, this is a great topic for the Training and Education component of a CP.