HIPAA-Compliant Text Messaging: Best Practices and Policies

HIPAA-Compliant Text Messaging HIPAA compliant text messaging enables healthcare providers to securely communicate with patients and other healthcare providers. To ensure HIPAA compliance, you need to use HIPAA standards to create secure electronic data transmissions (in this case, text messages). The goal is to secure transmissions that contain protected health information (PHI).

To become HIPAA compliant, electronic communications need to be properly secured through various methods, including encryption, access administration, and notifications. HIPAA compliant messaging apps are also required to include a risk disclosure statement. This statement informs patients about data policies and risks, and gains user consent to these terms.

In this article, you will learn:

What Is a HIPAA Compliant Texting App?

HIPAA compliant texting apps are messaging applications designed to protect electronic data according to HIPAA regulations. These regulations apply to protected health information (PHI) including patient details, demographics, health insurance information, images, and ID numbers.

HIPAA compliant apps provide a secure alternative to traditional pagers and enable healthcare staff to communicate with patients and other providers. These applications also enable system administrators to audit the transmission and access of electronic PHI (ePHI) to ensure compliance.

These applications enable healthcare professionals to communicate more easily with each other and help ensure that important health information for specific individuals is received in a timely manner, improving productivity and standards of patient care.

Requirements for HIPAA Compliant Text Messaging

To be HIPAA compliant, all electronic communications (such as texts) require a risk disclosure statement with patient consent. This statement must inform the patient that information sent electronically may be at risk of unauthorized exposure and allow the patient to decline receiving electronic communications.

Organizations can help ensure compliance by implementing applications with sufficient controls and encryption to meet HIPAA standards. These apps must also meet the Minimum Necessary Standard outlined by HIPAA regulations as well as the defined administrative, technical, and physical safeguards.

An exception to these HIPAA compliance requirements is if the U.S. Department of Health and Human Services waives HIPAA regulations. For example, following a natural disaster or other widespread event affecting public health. In these cases, some of the restrictions related to ePHI are waived or may not apply to certain Covered Entities. This is done to ensure that HIPAA regulations do not impede healthcare providers’ ability to serve patients during times of crisis.

Try OnPage for FREE! Request an enterprise free trial.

Key Features of Secure Texting Apps

When considering texting applications for healthcare, it is up to you to make sure the application you choose is compliant. However, there are certain features you might want to consider a must when assessing HIPAA compliant text messaging.

Here are key features of secure, HIPAA compliant texting apps:

  • Healthcare providers can communicate from a range of approved devices and can  receive real-time information secured with encryption.
  • Enterprise web access to log delivery notifications and read receipts to verify senders and recipients.
  • Information can be securely managed through features that enable you to remotely wipe message data.
  • Administrators can manage access settings from a central dashboard and provide or revoke access as needed.
  • Mobile applications include built-in logging and auditing features to ensure delivery and read receipt compliance.
  • Mobile and enterprise applications should have visibility to users’ availability.

Each of these features ensure the integrity of ePHI, enhance employee workflows, increase productivity, and help to raise the standard of patient healthcare in a cost-efficient manner.

HIPAA Compliant Text Messaging: Best Practices and Policies

When considering incorporating texting into your healthcare communications, it is important to ensure that you are aware of how HIPAA standards apply. As a provider or handler of ePHI, it is your responsibility to ensure that information remains secure. To do this, you should first start with reviewing HIPAA guidelines.

Once you are aware of HIPAA compliance requirements and how those requirements apply to you, you can begin creating your communications plan. During this phase there are several best practices you should include, such as those covered below.

Ensure all mobile devices are secure

A secure texting app is only useful if the devices it is used with are also secure. Any device that sends or receives ePHI in your organization needs to be secured and encrypted. This means that your IT security team needs to be aware of all devices in use and must be able to manage those devices or manage the secure application within the device.

Consistent and comprehensive device management typically excludes the use of personal devices, however in the current environment, bring your own device (BYOD) is widely used in most organizations. If personal devices are required, your IT team needs to be able to remotely manage the profile that is used for ePHI purposes. Additionally, regardless of the device owner, the IT team should be able to remotely wipe the device from any ePHI.

Establish texting policies

You need to explicitly define any texting policies you plan to implement in your organization. These policies should outline who is allowed to send and receive information, how that information can be shared, and what information can be shared.

Another important policy for HIPAA compliant text messaging, is to decide whether staff is allowed to text patient ePHI. While your IT team can control internal devices, they have no control over patient devices, however with patient consent, as long as the transmission of ePHI was initiated from a secure container to the patient, the healthcare provider did comply with HIPAA.

Educate staff and communicate with patients about your texting policies

Any staff working with PHI should be trained on your communications policies and should sign an agreement to follow the policies in place.

During training, you should ensure that staff understand why HIPAA compliance is important, how it is maintained, and what to do if it is not. If your policies change, a breach of information occurs, or guidelines change, make sure to renew training.

Educating and communicating with patients is also necessary. Whether or not you allow employees to text ePHI to patients, patients need to be informed of how their information is being used.

Try OnPage for FREE! Request an enterprise free trial.

HIPAA Compliant Text Messaging with OnPage

OnPage’s HIPAA compliant messaging service enables healthcare administrators and providers to secure messaging communications. You can use OnPage messaging for the following purposes:

  • Encryption—use OnPage to communicate via encrypted and secure text messaging between internal staff, as well as external providers and patients.
  • Access control—create and manage users with varied permissions.
  • Alert notificationsoverride the silent switch on all devices, bring critical alerts to the forefront, which can persist for up to eight hours until acknowledged.
  • Track messages—with statuses for sent, delivered and read receipts and enterprise reporting.
  • Manage schedules—configure on-call scheduling for multiple individuals and groups.
  • Set up escalation criteria—ensure critical alerts are never missed, always have a backup.
  • Send media—OnPage supports media files, enabling you to add images and voice attachments to text messages.
  • Live Call Routing—direct patient calls to the on-call physician’s mobile device.
  • Mute alerts—OnPage enables providers to mute messages when they are off duty and do not want to receive alerts.
  • Data protection—with OnPage, you can remotely wipe sensitive patient information.


What are the key components of HIPAA?
The key components of HIPAA include the Privacy Rule, Security Rule, Transactions and Code Set Standards, Identifier Standards, Enforcement Rule, and Breach Notification Rule.
What are the consequences of violating HIPAA?
Violating HIPAA can result in civil and criminal penalties, that vary based on severity, and may be in the form of monetary fines up to $1.5 million.
How should I train employees on how to use technology safely and protect sensitive patient information?
Organizations can implement HIPAA awareness programs, create robust security protocols, and have structured communication plans that ensure patient safety and effectively educate staff members.

enterprise free trial