HIPAA Compliant Texting: Everything You Need To Know
By Stephen Trout, , HIPAA Blog, Resources, Security

Texting, or “fingered speech” as John McWhorter called it in his TED Talk, is a “linguistics miracle.” 

Answering early criticisms of the technology – that it would promote a widespread butchering of the English language – McWhorter clarified that texting is actually casual speech, typed out to mimic the way we talk.

The telescoping (or contraction) of words, along with the inclusion of symbols – in an almost instantaneous exchange of ideas – has exploded in popularity, especially among the young.

Further, texting has a strategic convenience. It’s especially valuable for those times when we can’t communicate face-to-face, or through a phone conversation. 

We may take all this for granted (insert your “thumbs up” emoji!) – yet as ubiquitous as texting has become, critical questions arise: 

Is text messaging an acceptable tool for an industry like healthcare? Do HIPAA compliance regulations support the texting of sensitive, electronically protected health information (ePHI)?

A Strategic Tool

Today, the writing appears to be on the wall (or your screen): not only do 83% of healthcare practitioners find texting acceptable, but it’s fast becoming the preferred means of communication between patients and providers. 

When a doctor can send an urgent message from almost anywhere, and delays in patient phone queues (which spiked as the pandemic unfolded) can be avoided, texting can help expedite treatments and speed healing. 

There’s a catch, however (you knew it was coming!): HIPAA compliance regulations do support the use of text messaging technologies in healthcare – as long as the right controls are implemented to protect ePHI.

Before we dive into HIPAA-compliant texting, let’s look closer at texting’s emergence as a healthcare tool. 

A Brief History YDK (or perhaps you do!)

Texting, originally known as the SMS protocol (which stands for short messaging service) was designed for sending brief messages over wireless networks. 

Initially, the limit for SMS characters was set at 160. For that seemingly arbitrary number, we have a German inventor named Friedhelm Hillebrand to thank. 

In the mid-1980s, Hillebrand was chairman of the Global System for Mobile Communications (GSM). Together with Frenchman Bernard Ghillebaert, they invented the SMS technology.

Since SMS had size limits, a character limit needed to be set. 

It occurred to Hillebrand that a short-message equivalent already existed, popular in the pre-digital communication era: the postcard. 

Typical postcards – sized at only 3-½ x 5 inches – require senders to be concise, formulating the gist of their communique with a thoughtful economy of words. 

Hillebrand surveyed a cross-section of common postcards and discovered that most messages met the 160-and-under character limit for size. 

For added measure, he then sat down at a typewriter and began clicking away on whatever other brief messages came to mind. You guessed it: most of these were also under 160 characters!

Later, extended text messaging would allow for more characters and even multimedia files. If needed, longer texts could simply be sent in two or more parts. 

Benefits of Texting for Healthcare

Today, text messaging has clearly grown in popularity, with nearly 80% of Americans texting regularly. This has produced a number of consumer benefits, many of which translate naturally to healthcare:

  1. Consumers are getting used to doing general business by texting 

“Texting is the new phone call.” 98% of consumers who text expect healthcare to follow suit and provide the same kind of responsiveness with texting that other industries and businesses provide. 

  1. Texting is effective, with successful contact rates of 97–99%

Due in part to their succinct nature, most texts are read within minutes of being received. In fact, the response rate with a text is over 200% higher than with a phone call. 

Smart marketers know this and are increasingly relying on texts to land their messaging and convert leads. 

  1. Over ¾ of consumers in the 44 and under age category prefer texting

Most Gen Xers were introduced to texting early, and along with their children, simply find it easier to text. They see it as more efficient (on average, a text takes 4 seconds) than logging in to email, which typically involves wading through a backlog of messages to find and read the right one.   

  1. Providers themselves prefer texting

A survey of “770 hospital professionals and 1,279 physician practices indicated secure texting is becoming the first choice to send information while keeping sensitive data secured.”

Pagers and faxing may still have their uses, but are often seen as “old-school technology.” When a team of healthcare providers is able to get on the same page and communicate more efficiently, response times are better. This ultimately benefits the patient.  

  1. Patients appreciate that they need not interrupt their workday or other activities to communicate

Appointment reminders, rescheduling, pharmacy prescription notices, and provider updates can all be done via text. This saves valuable staff time and avoids the inevitable “phone tag,” saving time and provider costs.   

  1. Patient engagement and experiences are improved; more positive reviews result

Texting is faster than requiring a patient to log in to a portal to receive updates, which improves engagement and helps to streamline care. 

Another key reason, as medication management experts point out, is that texting can “drive medication adherence, and empower patients to be more actively involved in their health and wellness.” Healthier patients tend to share their positive experiences.

Healthcare Still Behind the Curve

One doctor counted that he sent around 2,000 text messages over the course of a year. His patients sent him “pictures of rashes, swollen gums, family pets, and graduations… videos of babies breathing noisily and taking their first steps… They sent turkeys on Thanksgiving, heart-shaped stethoscopes on Doctor’s Day (who knew this existed?), and my favorite, Darth Vader on Father’s Day.”

Unfortunately, stories like this aren’t the norm. A sizable chunk of Healthcare providers are lagging when it comes to utilizing texting to deliver value to patients – at least to the extent that they could:

Sources note that only “thirty-two percent of providers have texted back and forth with patients to confirm an appointment, and 23 percent have texted to cancel an appointment… few providers say they have texted patients to provide post-treatment instructions (7 percent) check in for health monitoring (6 percent) or follow up on survey feedback (6 percent).”

Patients tend to welcome such follow-up. For example, one study notes that “eighty-seven percent of patients wish their providers would engage them between visits to support chronic disease management.” 

Granted, lack of time on the part of the provider may hinder responses – though most texts do not tend to be as time-intensive as other communication channels.  

Appropriate training on the texting platform may help to adopt greater usage; automated messaging (typically used for appointments, but which can be leveraged for other kinds of messages) may also be of some benefit. 

Healthcare systems must identify and address their particular barriers to texting to improve both provider response and patient experience.    

Text Messaging Platform Requirements for Healthcare 

User surveys note that as many as 30% of healthcare providers think – incorrectly – that consumer texting programs meet HIPAA security requirements. This assumption is not only mistaken, it’s a violation of HIPAA requirements.

That said, we’ve often noted this defining characteristic of the HIPAA Security Rule: it refrains from specifying or recommending specific vendors, primarily since data security technologies are ever in flux and change rapidly over time. 

What is specified by the rule is to ensure the confidentiality, integrity, and availability of ePHI – no matter what solution is ultimately in play. 

To accomplish this, HIPAA-compliant text messaging must rely on a secure platform that incorporates the appropriate technical safeguards that are lacking in typical consumer app messaging services. 

The HIPAA-compliant texting platform will therefore be marked by the following: 

  • A protected system. This includes a secure server for the storage of sensitive texts, and a means to prevent the mobile phone carrier from storing their own copy. Privacy is paramount.
  • Messages will only be sent and received by authorized users. As with all HIPAA-compliant technologies, HIPAA-compliant texting platforms depend on access controls to determine who can log in and use the system. The fewer the users the better, as PHI has less of a chance to be exposed. As always, patients must provide their written consent to have their PHI texted to them. 
  • End-to-end encryption – the accepted standard. Sensitive data – both in transit and in the secure server – must be disguised (rendered unreadable) to maintain patient privacy and prevent misuse. Since encryption is the standard, HIPAA regulations require covered entities to “implement a method to encrypt and decrypt electronically protected health information.” 

Should a mobile device ever fall into the wrong hands, the confidentiality of PHI will be maintained. 

Secure Infrastructure

To be truly HIPAA compliant – as we often point out – requires an underlying infrastructure to be both proactive and preventative.

A proactive infrastructure is a highly responsive environment, enabling high data availability and timely access to patient data. Preventative infrastructure will be highly secure, mitigating vulnerabilities and protecting patient data from being corrupted or held for ransom.

To accomplish this, systems must be:

  • monitored 24/7 to ensure consistent reliability and uptime. This includes assessing the status of all hardware, operating systems (OS), and applications running on top of the OS. 
  • regular vulnerability scans of servers. The purpose of the scan is to discover any vulnerabilities in the hosting environment, allowing engineers to remediate any vulnerabilities that threaten the infrastructure. 
  • server hardening (securing with updates and patches). Server hardening is the process of applying appropriate security measures to your servers. Servers should not only be housed in a secure data facility, but they should also have all unnecessary programs removed, be automated for updates, and have unique permissions and strong password policies established. 
  • advanced security tools, including anti-DDoS management, custom IP Reputation, host-based and network Intrusion Detection (HIDS/NIDS), managed firewalls, and enterprise-grade monitoring.
  • off-site backups of your data – backups should be geographically in a separate location – at least 50 miles away or further – to prevent a natural disaster (earthquake, fire, storm) from destroying both your servers and the backups. 
  • log retention of 6 years (a HIPAA mandate) – A HIPAA Compliant Host will keep track of who accesses protected health information (PHI), why they are accessing it, and what they are actually accessing. 

Logs will also include both failed and successful login attempts to systems, networks, and all areas where PHI data is kept, as well as logouts, as well as all security events. According to regulations, these logs must be kept for a minimum of six years, or longer if your state requires it. 

Failure to ensure these safeguards can be devastating. Significant fines from the OCR for violating HIPAA rules – such as the $3 million HIPAA penalty assessed to the University of Rochester Medical Center (URMC) for the failure to encrypt mobile devices and other HIPAA violations – can be followed by lawsuits from those who’ve had their ePHI compromised. A loss of business reputation for the healthcare provider – including an inability to maintain the practice – can all result.

It must be stressed: sending ePHI over an unsecured, non-compliant network then is not only a violation, it’s also criminal – potentially damaging to both patient and provider. 

Appropriate Device Policies

In addition to a HIPAA-compliant platform, it is essential to apply appropriate device policies. This is especially critical as mobile devices, by nature, are more prone than other technologies to be misplaced or stolen.

Such policies should include: 

  • keeping devices up-to-date. Applying updates to both apps and the device’s operating system helps patch the device with the latest security and protect against vulnerabilities.
  • using only trusted apps on the device. Examine your 3rd-party, non-work-related apps as well. Some apps will contain malware, which can place patient data at risk. 
  • avoiding connecting to unsecured Wi-Fi.
  • protecting your device with a strong password or pin, and using automatic locking and logoffs for additional layers of security.
  • the use of phishing-resistant multi-factor authentication (MFA) – which requires both a password and an additional code in order to log in – will provide significant protection should a password be hacked.
  • scanning your mobile devices for vulnerabilities, and utilizing remote wiping capabilities if necessary.
  • training your staff on mobile device use and policies. 

HIPAA Compliant Texting and Your Organization

For its ability to impact patient engagement and aid staff productivity – ultimately improving the quality and timeliness of care – HIPAA-compliant texting is fast becoming a fixture for healthcare organizations. 

HIPAA Vault has been hard at work testing our forthcoming HIPAA-compliant Text solution, due to be released soon! If you’re planning to incorporate the benefits of HIPAA-compliant texting in your practice and have questions, please give us a call: 760-290- 3460.

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.