Everything You Need to Know About HIPAA Compliant SMS

3 min read · Michael Carroll on Feb 1, 2023

Today, many healthcare providers have adopted the use of SMS texting and notifications to connect with patients and staff. But are these text messages HIPAA compliant?

Although SMS can appear to be safe due to its extensive use, medical professionals using text messaging platforms for electronic communications must be aware of the requirements for messages to be properly secured and compliant on personal mobile devices.

In this blog, we break down what you need to know about how to deliver safe and secure messages to your users without violating HIPAA regulations. 

What is HIPAA and How Does it Apply to SMS?

So, what exactly is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) is a law that was put into place to ensure that protected health information (PHI) cannot be shared without a patient's consent. Additionally, the HIPAA Security Rule was created as a way to implement the appropriate privacy, security, and enforcement requirements for covered entities and business associates.

What is considered PHI? There are 18 identifiers that are classified as PHI, some of which include a patient's name, address, and phone number. In short, this information is classified as PHI because it can be linked to the identity of a specific individual if security measures are not implemented.

This means that if you are a healthcare provider who allows for PHI to be shared between patients, doctors, and providers, secure messaging services and technical safeguards need to be in place to comply with HIPAA regulations. 

Is Text Messaging HIPAA Compliant?

SMS text messaging violates HIPAA rules if messages containing PHI are being sent without the patient's permission. 

Most SMS messages are not automatically HIPAA compliant because text messages on smartphones are not encrypted, or they are at risk of being intercepted on a public Wi-Fi network. This means that confidential messages and information such as ePHI are at risk of data breaches and HIPAA violations.

However, under certain conditions, healthcare organizations can implement security measures for encryption, access controls, and authentication to protect against unauthorized access and to adhere to HIPAA rules. 

HIPAA Compliance Best Practices

Using standard messaging services that are not compliant can lead to several legal consequences and penalties for your messaging platform. To remain HIPAA compliant and ensure patient safety, messaging apps and providers should follow these best practices. 

1. Message encryption

Messages that contain PHI on mobile devices must be encrypted in transit and at rest. This means that only the sender and the authorized user can view messages. 

2. Access permissions

Unlike regular SMS, secure messaging solutions add a layer of security for your healthcare organization. They allow you to enable specific user authentication and access controls that govern who can obtain messages and when, to stop hackers from stealing private health information. Plus, they allow you to further enhance your healthcare app with HIPAA compliant voice and video calls for improved patient communication.

3. Enhanced security

Two-factor authentication and timed sign-out features secure your mobile devices and help guard against common mishaps, such as a device being left unlocked or stolen. If you are a healthcare provider sharing real-time EHRs (electronic health records), appointment reminders, virtual waiting rooms, or follow-ups, this prevents the disclosure of PHI.

4. Secure image and file sharing 

Similar to SMS, images and files also fall under the category of data that must be encrypted in order for messaging to be HIPAA compliant. These technical safeguards are essential for ensuring healthcare information doesn’t land in the hands of unauthorized individuals. 

5. Audit controls 

Occasionally, healthcare organizations will have to provide documentation that they have the proper secure text messaging systems in place to remain compliant. Audit controls allow you to monitor user activity and view records of who accessed this information and when. This data must be shared during audits. Using a HIPAA compliant messaging solution that offers these capabilities can ease this process, as this information will automatically be logged.

6. Sign a BAA 

A Business Associate Agreement (BAA) is a contract for covered entities (the organization or service provider who is delivering the product) and the technology and services that you choose to store, transmit, or process PHI. Essentially, this contract outlines the responsibilities and risks for the BAA. 

By following these best practices for HIPAA compliance, you can guarantee the security and safety of the messages that are being sent on your healthcare platform.

HIPAA compliant text messaging solutions for healthcare

Fortunately for healthcare professionals, secure messaging solutions offer built-in security and all the necessary technical controls to ensure that patient data is always protected.

If you’d like to learn more about how you can build HIPAA compliant messaging, read our telemedicine app development guide or sign up for a free PubNub account if you’re ready to get started. 
