Healthcare Texting in a HIPAA-Compliant Environment

Texting speeds communication but could put you at risk.

By: Andrew A. Brooks, MD | August 2012 (Featured in AAOS Now)

I’m often amazed at how little healthcare communication has changed in the nearly 25 years since I was a medical student. The last great innovation was the introduction of the pager.

In most hospitals, the communication process among physicians is arcane, inefficient, and potentially dangerous as it relates to patient care. According to The Joint Commission, a breakdown in communications could be tied to more than 60 percent of all reported sentinel events in 2011.

To improve communication efficiency with other physicians, hospitals, or their offices, many physicians are turning to smartphone technology — specifically Short Message Service (SMS) text messaging. But in doing so, are they potentially exposing themselves to unrecognized liabilities? This article explores some of the key facts related to text messaging in the healthcare environment and what orthopedic surgeons need to know.


Short Message Service text messaging can improve communication among healthcare providers, but may also increase liability risks.

An effective communications tool

Text messaging has become a major part of social communication in today’s society. It’s efficient, allows information to be transmitted asynchronously and succinctly, and can thwart unnecessary or prolonged conversation.

Compared to email, with its seemingly endless number of spam messages, texting serves as a priority communication channel. Because people may be more reluctant to share cell phone numbers than email addresses, the group who can text an individual is usually more restricted and trusted.

Although text messaging has obvious social communication advantages, it also has clear utility in health care. Texting is fast, direct, and simplifies the traditional, laborious pager and callback workflow that hospitals and other organizations have used for years.

For example, a study conducted by the Robert Wood Johnson Foundation found that nurses waste as much as 60 minutes of each workday tracking down physicians for a response. Imagine the cumulative waste of time and added labor costs across our entire healthcare system these delays have caused.

So what’s the problem?

Unfortunately, traditional SMS messaging is inherently nonsecure and noncompliant with safety and privacy regulations under the Health Information Portability and Accountability Act (HIPAA). Messages containing electronically protected health information (ePHI) can be read by anyone, forwarded to anyone, remain unencrypted on telecommunication providers’ servers, and stay forever on the sender’s and receiver’s phones.

In addition, senders cannot authenticate the recipient of SMS messages (ie, senders cannot be certain that the message has been sent to and opened by the right person). Studies’ have shown that 38 percent of people who text — including me — have sent a text message to the wrong person.

As a result, The Joint Commission has effectively banned physicians from using traditional SMS for any communication that contains ePHI data or includes an order for a patient to a hospital or other healthcare setting. A single violation for an unsecured communication can result in a fine of $50,000; repeated violations can lead to $1.5 million in fines in a single year, not to mention the reputational damage is done to an organization and its ability to attract patients.

A recent case, for example, resulted in a $50,000 fine to the provider. In addition, the provider was required to “implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level for ePHI in text messages that are transmitted to or from or stored on a portable device.”

HIPAA? compliant texting

The Joint Commission did not ban all text messaging solutions, however. Instead, it established Administrative Simplification Provisions (AS) that serve as guidelines for developing secure communication systems. Under the AS guidelines, the following four major areas are critical to compliance:

  • Secure data centers — Healthcare organizations typically store patient information in either onsite or offsite (cloud) data centers. HIPAA requires these centers to have a high level of physical security as well as policies for reviewing controls and conducting risk assessment on an ongoing basis.
  • Encryption — AS stipulates that ePHI must be encrypted both in transit and at rest.
  • Recipient authentication — Any communication containing ePHI must also be delivered only to its intended recipient. A texting solution should allow the sender to know if, when, and to whom a message has been delivered.
  • Audit controls — Any compliant messaging system must also have the ability to create and record an audit trail of all activity that contains ePHI. For a text messaging system, this includes the ability to archive messages and information about them, to retrieve that information quickly, and to monitor the system.

Standard consumer-based messaging systems fail most of these requirements. The data centers are often not designed with the highest levels of physical and data security. Messages can be intercepted and are not encrypted. Recipient authentication is not available and, although messages and delivery details may be stored indefinitely, they are not designed to provide a fully functional audit trail.

Secure text messaging solutions

By using a private, secure texting network, doctors, nurses, and staff can not only send and receive patient information but also potentially achieve the following goals:

Shorten response times

  • Improve the accuracy of decision making by having better information
  • Allow multiple parties involved with clinical decision making to be looped in on the same message
  • Allow for quicker interventions and improve patient outcome
  • Securely communicate lab results, imaging results, patient procedures, and medical histories, allowing the physician to have more information readily available.
  • Speed up on-call notifications
  • Eliminate the hassle of callbacks
  • Integrate with scheduling systems to create automatic notifications of pending events

In today’s increasingly mobile world, technology will undoubtedly continue to be a massive driver of greater efficiency. Physicians are typically eager to embrace and adapt new technologies. Used properly, texting technology has the potential to revolutionize the quality of how health care is delivered to patients.

Andrew A. Brooks, MD, is an orthopedic surgeon and co-founder and chief medical officer of Tigertext, a secure mobile messaging platform designed to help hospitals and businesses improve workflow and reduce risk. He can be reached at