Secure Texting for the Healthcare Industry

Posted by on in Security

You might be surprised to learn that it’s incredibly common for healthcare providers and patients to exchange text messages about medical information. It’s also common for healthcare providers to exchange information via text with other care providers they work with. While this exchange provides a convenient means of contact, it can violate the HIPAA (the Health Insurance Portability and Accountability Act) guidelines that exist to protect any identifiable patient information.

Below, we dive into the specifics of secure texting within the medical community to give you a better idea of current texting practices, how they can violate HIPAA, and how to prevent these violations.

Stats on Texting in Healthcare

In a 2014 survey on physicians' at-work texting habits, researchers discovered that:

· 60% sent and 61% received work-related text messages.
· 12% sent/received work-related text messages more than 10 times per shift.
· 53% texted about work-related matters while not on duty.
· 46% reported having concerns about privacy standards with regard to texting.
· 30% have received protected health information in a text message.
· 11% said their organization offers a secure texting solution.

Other research shows that 91 percent of pediatric hospital respondents use smartphones regularly and that 64 percent send the majority of their texts to other hospital employees.

Why Text, and What’s the Danger?

Healthcare providers primarily use text messaging for its convenience. They can use SMS text messages on smartphones, pagers, electronic medical records systems, appointment scheduling software, and many other programs and devices. It’s also fast and reliable, which is especially appealing when working in a busy hospital.

While convenient, text messaging can be dangerous when it comes to sharing confidential information. Text messages are often retained on telecommunication carriers' servers, on smartphones, in online backups, and in other places for extended periods of time. Since many of these devices and networks are unsecured and not password protected, it's easy for vital patient information to fall into the wrong hands.

For example, texting patients an appointment time and mentioning their medical providers exposes private information and goes against HIPAA regulations. Texting Protected Health Information (PHI) between healthcare providers also violates HIPAA.

The biggest problem is that few organizations have any regulations in place to protect information sent via text. For instance, IT departments at hospitals rarely monitor smartphone texts, so organizations can’t monitor what information they’re exchanging and with whom.

How Do HIPAA Violations Occur?

Texting PHI can be risky, and it can violate HIPAA in several ways, including:

· Someone steals a device containing PHI
· Users don't properly dispose of a device containing PHI
· Someone who's unauthorized intercepts information

Although it's possible for text messages to be intercepted, the real issue is that users share information across multiple devices that are unsecured. For instance, someone could steal a doctor's phone that contains PHI text messages, giving the thief access to private information. If the device doesn't have proper security measures in place to prevent the thief from accessing the messages, the theft can result in a HIPAA violation, as well as large fines.

What Is the Penalty?

If hospitals are caught texting private information to other healthcare providers or to their patients, they can face penalties for HIPAA violations. These penalties can range anywhere from $100 to $50,000 per violation, depending on the severity of the information shared. These penalties can add up to $1.5 million per year for similar violations. Some violations can even carry criminal charges and jail time.

HIPAA violations typically stem from unencrypted data, employee error, data stored on devices, and business associates. A single instance of texting neglect could tie into all these issues, and the violations can add up quickly, resulting in hefty fines for your organization.

What Can You Do to Prevent Violations?

Although we talk about the dangers of text messaging between healthcare providers and patients, there are ways to combat these issues and have real-time communications without violating HIPAA. For information security, hospitals and other medical organizations must invest in a digital security solution.

This starts with using authorized devices. These devices should have password protection and encryption technology, and each one should have a unique user identification, such as a unique name or number for tracking identity. Use authentication procedures to verify that the person accessing PHI is the correct person. You should also implement emergency access procedures so you know how to obtain the necessary PHI during an emergency.

You may also want to address automatic logoff so that electronic devices receiving these text messages terminate their session after a set period of inactivity. Integrity controls are also worth addressing, to ensure that electronically transmitted PHI cannot be modified without detection from the time it is received until the information is disposed of.

You’ll also need to conduct audits, which can include hardware, software, or other procedures that record and examine information on devices that contain PHI. It also helps to provide training to hospital staff as well as use secure messaging applications on these devices.
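The controls listed above (automatic logoff, integrity controls and audit records) are easier to reason about with a concrete model. The following is an added example written for this page; it is not code from the original post, from LuxSci or from Mediprocity. It models a small message store for a secure messaging application: each stored message carries an HMAC tag so that any later modification (for instance, an altered backup) is detected on read, a session that has been idle longer than the timeout is automatically logged off before any PHI is returned, and every access attempt is recorded in an audit log. The key, the 300-second timeout, the user and patient identifiers and the message contents are all constructed assumptions.

```python
"""Added example: inactivity logoff, HMAC integrity check and audit trail for a
PHI message store. Not the original post's code; all names and values below
are assumptions constructed for illustration."""
import hashlib
import hmac
import json
from dataclasses import dataclass

INACTIVITY_TIMEOUT = 300  # seconds; assumed value, set by organizational policy


@dataclass
class Session:
    user_id: str
    last_activity: float  # timestamp of the last authorized action


class SecureMessageStore:
    def __init__(self, integrity_key: bytes, timeout: float = INACTIVITY_TIMEOUT):
        self._key = integrity_key          # assumed: held server-side, never on the handset
        self._timeout = timeout
        self.records = {}                  # message_id -> [canonical JSON, HMAC tag]
        self._sessions = {}                # user_id -> Session
        self.audit_log = []                # every access attempt, successful or not

    def _audit(self, now, user_id, action, message_id):
        self.audit_log.append({"time": now, "user": user_id,
                               "action": action, "message": message_id})

    def login(self, user_id, now):
        self._sessions[user_id] = Session(user_id, now)
        self._audit(now, user_id, "login", None)

    def _active(self, user_id, now):
        """Automatic logoff: expire the session if it has been idle too long."""
        session = self._sessions.get(user_id)
        if session is None:
            return False
        if now - session.last_activity > self._timeout:
            del self._sessions[user_id]
            self._audit(now, user_id, "auto_logoff", None)
            return False
        session.last_activity = now
        return True

    def _tag(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def store(self, user_id, message_id, message: dict, now):
        if not self._active(user_id, now):
            self._audit(now, user_id, "denied_store", message_id)
            raise PermissionError("no active session")
        payload = json.dumps(message, sort_keys=True)  # canonical form, so the tag is stable
        self.records[message_id] = [payload, self._tag(payload)]
        self._audit(now, user_id, "store", message_id)

    def read(self, user_id, message_id, now) -> dict:
        if not self._active(user_id, now):
            self._audit(now, user_id, "denied_read", message_id)
            raise PermissionError("no active session")
        payload, tag = self.records[message_id]
        # Integrity control: refuse to return PHI whose tag no longer matches.
        if not hmac.compare_digest(self._tag(payload), tag):
            self._audit(now, user_id, "integrity_failure", message_id)
            raise ValueError("message modified since it was stored")
        self._audit(now, user_id, "read", message_id)
        return json.loads(payload)


def demo() -> dict:
    """Walk through a normal read, a detected modification and an idle logoff."""
    store = SecureMessageStore(b"assumed-integrity-key", timeout=300)
    store.login("dr_smith", now=1000.0)
    message = {"patient": "P-0001", "text": "Appointment moved to 3pm"}  # constructed
    store.store("dr_smith", "msg1", message, now=1010.0)
    read_ok = store.read("dr_smith", "msg1", now=1020.0) == message

    # Simulate an out-of-band modification of the stored record (e.g. an edited backup).
    store.records["msg1"][0] = json.dumps(
        {"patient": "P-0001", "text": "Appointment moved to 9am"}, sort_keys=True)
    try:
        store.read("dr_smith", "msg1", now=1030.0)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # 470 seconds idle exceeds the 300-second timeout: session is closed, read denied.
    try:
        store.read("dr_smith", "msg1", now=1500.0)
        auto_logoff = False
    except PermissionError:
        auto_logoff = True

    return {"read_ok": read_ok, "tamper_detected": tamper_detected,
            "auto_logoff": auto_logoff,
            "actions": [entry["action"] for entry in store.audit_log]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit log is the part an auditor would ask for: it records the denied read and the integrity failure as well as the successful accesses, which is what lets an organization show it made a reasonable effort to comply. In a real deployment the integrity key would live with the server-side service, the clock would come from the server rather than the handset, and the log would be written to append-only storage.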

With only 11 percent of organizations offering a secure texting solution, it’s time for others to follow suit and implement digital security measures to ensure confidentiality of information. Perhaps it’s time to revisit your HIPAA compliance program. If you have the proper security measures in place, not every PHI breach results in a fine. If you can show that you made a reasonable effort to comply with HIPAA guidelines, then there’s a good chance you won’t have to pay a fine. With the right tools and security measures in place, hospitals and other healthcare providers can free themselves of having to worry about HIPAA violations.

LuxSci founder Erik Kangas has an impressive mix of academic research and software architecture expertise, including: undergraduate degree from Case Western Reserve University in physics and mathematics, PhD from MIT in computational biophysics, senior software engineer at Akamai Technologies, and visiting professor in physics at MIT. Chief architect and developer at LuxSci since 1999, Erik focuses on elegant, efficient, and robust solutions for scalable email and web hosting services, with a primary focus on Internet security. Lecturing nationally and internationally, Erik also serves as technical advisor to Mediprocity, which specializes in mobile-centric, secure HIPAA-compliant messaging. When he takes a break from LuxSci, Erik can be found gleefully pursuing endurance sports, having completed a full Ironman triathlon and numerous marathons and half Ironman triathlons.
