Fact: SMS is Not HIPAA Compliant

Fact: SMS is Not HIPAA Compliant


In 2015, the Tepper School of Business at the Carnegie Mellon University found a 27 percent reduction in patient safety incidents when hospitals put a secure messaging system in place. In addition, mistakes involving medication went down by 30 percent. Based on that data alone, you can tell there are quantifiable benefits to short message service (SMS) secure text messaging practices. Unfortunately, the majority of SMS messages do not follow HIPAA security and regulations. HIPAA guidelines also apply to emails and any Instant Messaging (IM) services you use such as iMessage, WhatsApp, Pidgin, Skype, Facebook Messenger.

The main reason why SMS Messages are not compliant is that they do not have encryption. What prevents messages from an interception on public networks, such as through Wi-Fi, is encryption.

Another security problem many health care organizations face is that duplicate SMS messages stay on service providers’ servers forever. The solution to the problem is readily available: Exclude protected health information (PHI) from SMS formatted messages.

What HIPAA Expects: Regulations for Email, IM, and SMS

HIPAA Security Rule details what HIPAA requires of organizations to be in compliant in regard to Email, IM, and SMS. Safeguard measures to take include controls for integrity, audit, and access including ID authentication, and the prevention of unauthorized access to PHI by securing transmission.

Top Three Security Measures Recommended by HIPAA

Top Three Security Measures Recommended by HIPAA
  • Assign a one-of-its-kind login username and PIN number to each user. You will need to do that in order to be able to monitor and log all PHI containing communications, both sent and received transmissions.
  • Set up an auto-logoff process to prevent unauthorized PHI access when a user leaves a device unattended.
  • Encrypt PHI during transmission to prohibit readability of message content including attachments.

HIPAA Health Plans, Health Care Providers, and Health Care Clearinghouses Face a Dilemma that is Fixable

Login authentication is the easy part. The hard part for most HIPAA covered entities is continuous monitoring. Training is a concern too. Many users forget to log off after using their computer. For most health care professionals, encryption is difficult to set up because multiple organizations work on various devices and operating systems. HIPAA noticed the extreme difficulty patients and medical professionals were having with one another, so it allowed an exemption instead of a decryption key — only in that case.

Secure Messaging is the Solution

Top Three Security Measures Recommended by HIPAA

Although abiding by HIPAA regulations is difficult, you have a solution right at your fingertips: Secure messaging. Here’s how you benefit:

  • It works regardless of how small or large your health care organization.
  • Sends encrypted messages via messaging apps.
  • You’re able to share images and hold group meetings using one or more secure message apps.
  • It is device and operating system compliant.
  • User authentication with the user ID and Pin is centrally issued.
  • Auto-logoff if the device is left unattended for a certain period.
  • Security measures are in place to prevent sending PHI to the third party, saving PHI externally, copying and pasting PHI.
  • Continuous activity monitoring.
  • The administrator has remote secure messaging app locking and PHI data deletion ability if an authorized user’s device is stolen.

Securing Messaging Gives Your Health Organization Many Benefits

More healthcare professionals are relying on SMS messages to get timely information regarding patient care. Phone tag presents an issue because seconds and minutes matter when landlines and cell phone lines are busy. Group messaging is not the future. It’s now. Hospitals send SMS to alert admissions and discharge patients in the fastest way to streamline productivity.

We have the solution to your organization’s HIPAA compliance challenge. For more information, call us anytime at (800) 947-3227 or visit Endicott today.