Is Texting in Violation of HIPAA?

To say that texting is in violation of HIPAA is not strictly true. Depending on the content of the text message, who the text message is being sent to, and the mechanisms put in place to ensure the integrity of Protected Health Information (PHI), texting can be in compliance with HIPAA in certain circumstances.

Misunderstanding about whether texting is in violation of HIPAA comes from the complex language used in the Privacy and Security Rules. These rules do not mention texting per se, but they do lay down certain conditions that apply to electronic communications in the healthcare industry.

So, for example, it is okay to send messages by text provided that the content of the message does not include “personal identifiers”. It is okay for a doctor to send text messages to a patient, provided that the message complies with the “minimum necessary standard” and the patient has been warned of the risks of communicating personal information over an unencrypted channel. It is also okay to send messages by text when the mechanisms are in place to comply with the technical safeguards of the HIPAA Security Rule.

When Is It Possible to Send Patient Information by Text?

Texting patient information has generally been considered to be in violation of the Health Insurance Portability and Accountability Act (HIPAA), but this is not always the case. Text communications between a medical professional and a patient are permissible, provided the medical professional applies the “minimum necessary standard” to reduce the risk of the unauthorized exposure of Protected Health Information (PHI), the patient is warned of the risk that their personal information may be exposed, and a signed consent form is received from the patient.

Electronic communications between other healthcare professionals and Business Associates are also allowed, provided that all parties involved adhere to the technical requirements of the HIPAA Security Rule. Unfortunately, most “traditional” channels of text communication do not adhere to the technical requirements of the HIPAA Security Rule, exposing healthcare authorities to the risk of civil action and substantial fines if a breach of PHI occurs.