Hospital Policies for HIPAA and Texting Patient Information

Policies for Text Messaging Patient Information Inside a Hospital

Texting patient information without encrypting the data or otherwise taking security measures to protect the data is considered a violation of the Health Insurance Portability and Accountability Act (HIPAA). If hospitals suspect staff is using SMS to communicate sensitive patient information, it would be wise to implement a secure, encrypted, admin-controlled clinical communication solution. Failure to do so risks a potentially disastrous outcome that impacts patient trust, reputational damage to the organization and HIPAA fines up to $50,000 per violation up to a million dollars.

While text communications between a medical professional and a patient are permissible if the provider applies the “minimum necessary standard” to reduce the risk of the unauthorized exposure of protected health information (PHI), this type of activity comes perilously close to violating HIPAA guidelines. Similarly, texting also is allowed between providers and even with business associates, again provided no PHI is shared. Because of all of these possible channels, it’s vital that hospitals and healthcare organizations develop, educate, and enforce policies for texting patient information so they can comply with the “organizational requirements” of HIPAA and its security rules.

While the advent of advanced mobile phone and electronic communications between other healthcare professionals and business associates is allowed if all parties involved adhere to the technical requirements of the HIPAA security rule, most traditional channels of text-based communication don’t meet the technical requirements of the HIPAA. Additionally, the increased use of personal mobile devices in hospital and care environments has increased the risk of compromised PHI if a message is sent to the wrong person or when a mobile device is lost, stolen, or sold prior to being wiped for data.

Consequently, the HIPAA organizational requirements state that “a covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule.” The reason behind this requirement is to ensure that a hospital’s efforts implementing a secure messaging solution are not undermined by their employees who may not be clear on when and how to securely communicate PHI and other protected information.

A Hospital Must Include Policies for Texting Patient Information

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) is serious about the potential of texting patient care information. While CMS is concerned about information security, it wants texting healthcare communications systems to be successful for patients and their providers. To support this, in early 2018 CMS affirmed its stance on texting patient information, specifying that messages sent among clinicians are permissible so long as healthcare teams use a secure platform. Aside from the actual texting of orders, nearly all other forms of communication are allowed over secure, encrypted, IT-controlled channels.

These CMS clarifications are designed to provide additional clarity for a very tricky subject: “To be compliant with the [Conditions of Participation (CoPs)] or [Conditions for Coverage (CfCs)], all providers must utilize and maintain systems and platforms that are secure, encrypted and minimize the risks to patient privacy and confidentiality as per HIPAA regulations and the CoPs or CfCs,” wrote David Wright, CMS survey and certification group director to state survey agency directors. “It is expected that providers and organizations will implement procedures and processes that routinely assess the security and integrity of the texting systems that are being utilized to avoid negative outcomes that could compromise the care of patients.”

According to the CMS letter, the texting policies became effective immediately and should continue to be communicated to all survey certification staff, their managers and the appropriate training coordinators. CMS also said it recognizes that the use of texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members.

In a recent paper, “Texting in Health Care,” the Healthcare Information and Management Systems Society (HIMSS) aptly calls texting in the current decade what email was during the first decade of the 21st century. That may be great for instant communication for most businesses and consumers, but, as we’ve discussed, in healthcare texting is a challenge.

The primary problem with using consumer-based texting apps for healthcare information is information security. Why? Texting is device neutral and it works on personal or provider supplied devices of various types. Therefore, the data exchanged via text is easily accessible for most. Thus, a secure, encrypted, purpose-built healthcare communication solution is a must for hospitals, coupled with policies related to texting in order to prevent the use of text messaging breach or legal consequences for the organization.

A Unique Security Threat

Text messaging represents a unique set of security risks that must be managed appropriately to ensure both privacy and security of the information exchanged. A problem for healthcare organizations that want to send text messages is that the information exchanged might remain on mobile devices for an indefinite amount of time, and without proper precautions may be exposed to unauthorized persons. This exposure may occur as a result of recycling of a device, theft or loss of the device.

There are other possible threats, but one of the first policies a hospital must implement is oversight for all of the users on the clinical communications solution so that access may be revoked anytime a device is lost or stolen or an employee exits an organization. PIN-lock enforcement can add a layer of security beyond standard password protection to prevent unauthorized access the messages. Additionally, hospitals must implement policies that dictate a timeline regarding the deletion of messages from a device as well as potentially archiving messages and metadata for future legal discovery purposes.

In the event that a device is lost or stolen, hospital policy must require that the loss be reported to an administrator so that the employee’s login credentials can be removed from the system, thereby preventing any sensitive patient data from being accessed by anyone in possession of the device. To that order, hospitals must introduce a HIPAA-compliant texting system that is administered from a central point that is controlled by the IT department.

Likewise, risk assessments should be conducted regularly to identify any threats to the integrity of PHI and to ensure that texting in the hospital is HIPAA compliant. The HIPAA compliant hospital texting system should not allow healthcare professionals or sub-contractors to store PHI on the memories of their personal mobile devices. More advanced clinical communication solutions prevent access to camera rolls, screen capture functionality, as well as certain copy/paste capabilities.

Hospital policies for texting patient information should also be reviewed at appropriate intervals – every three months perhaps –– and adjusted as necessary through a formal, cross-departmental governance program to account for technological advances, changes in working practices and new legislation.

Secure, Encrypted Texting Creates Efficiency and Saves Time At The Point of Care

For those healthcare organizations that have or are considering adding text-based clinical communication to their stable of communication tools, it is critical to search only for offerings whose baseline capabilities meet HIPAA compliance while gaining many other benefits. For example, such text capabilities and services can extend beyond serving as a cross-facility platform that enables healthcare organizations—acute care hospitals, urgent care clinics, dialysis centers, physician groups, and others—to communicate within a single solution and in compliance with HIPAA.

With these solutions, hospitals are able to encrypt their texting platform, improve efficiency and increase the standard of care healthcare organizations provide to patients. When done right, authorized healthcare professionals can collaborate securely as a team through text, voice, or video even though they may be in different locations. There are no delays waiting for colleagues to access messaging accounts when used for HIPAA compliant messaging in hospitals on personal mobile devices, and hospitals can automatically generate read receipts eliminating follow-up calls to ensure the receipt of messages.

Finally, secure texting within a clinical communication platform enables fast decision-making when patient data is required to diagnose patient healthcare issues, an important feature most hospitals and healthcare organizations can benefit from.


Texting in healthcare has many benefits, including efficiency and quicker responses to patients at the point of care. But, with the good, there may be some bad, especially in the age of the healthcare hacker and the plethora of personal mobile devices used to support such technology. Thus, the appropriate policies must include the use—at a minimum—of a secure texting technology that can encrypt and protect health information data.

TigerConnect Clinical Collaboration Platform – Standard’s Top 8 Secure Messaging Policy Best Practices

TigerConnect Clinical Collaboration Platform – Standard is the leading provider of secure messaging solutions to healthcare organizations, and more than 4,000 medical facilities rely on TigerConnect Clinical Collaboration Platform – Standard to ensure compliance with HIPAA regulations. Naturally, our service extends beyond providing the platform that enables healthcare organizations to communicate in compliance with HIPAA, and we have compiled a free datasheet – The Top 8 Secure Messaging Policy Best Practices – which offers valuable advice about what to include in hospital policies for texting patient information inside a medical facility.

You are welcome to download our free white paper to learn more about policies for text messaging patient information inside a hospital and how such policies can be integrated into existing organizational policies in order to streamline compliance with the HIPAA Organizational Requirements. Alternatively, you are invited to contact us with any questions you may have with regard to the HIPAA Organizational Requirements or to request a free demonstration of TigerConnect Clinical Collaboration Platform – Standard´s secure messaging solution in action.

Will O’Connor, M.D. is the Chief Medical Information Officer at TigerConnect. As a physician executive with more than 20 years of healthcare experience, Will is a passionate advocate for rapid advancement across the healthcare industry.