Ensuring HIPAA Compliance in Text Messaging

June 28, 2022


Many chiropractors and staff members find that text messaging provides quick access to the information they need to make healthcare decisions and is a convenient method for communicating with patients. Yet, texting presents privacy and security concerns.

Typical short message service (SMS) texting does not offer the security necessary for sending protected health information (PHI). As a result, patient privacy might be compromised if unauthorized individuals can view texted data, devices are lost or stolen, or messages remain on servers in unencrypted formats.

In some limited situations, SMS texting may comply with HIPAA. For example, the HIPAA Journal explains that healthcare providers may send text messages to patients only if the content of the messages does not include personal identifiers and the messages comply with the minimum necessary standard. Chiropractors also must warn patients about the risks of communicating personal information over an unencrypted channel.

To ensure HIPAA compliance in texting, chiropractic practices should use secure messaging systems and have policies and procedures in place that comply with the HIPAA Security Rule (relevant to the electronic transfer of PHI), or the patient should give permission to text using an unsecure system. In the latter case, healthcare providers must provide the warning mentioned above.

Chiropractic practices also should incorporate information related to text messages into organizational health record documentation policies. HIPAA specifies that individuals have the right to view and amend PHI used to make clinical decisions about their care, which might include information sent via text messages.

In 2024, the Centers for Medicare and Medicaid Services (CMS) indicated that healthcare providers may now text patient information and patient orders in hospitals and critical access hospitals as long as a HIPAA-compliant secure texting program is used and it complies with the conditions of participation at 42 CFR 482.24 and 41 CFR 486.638.

To be in compliance, chiropractic practices and providers must do the following:

  • Use and maintain secure and encrypted messaging systems/platforms that ensure the integrity of author identification and minimize the risks to patient privacy and confidentiality per HIPAA regulations.
  • Be certain that texted patient information or patient orders are dated, timed, authenticated, and promptly placed into the electronic health record (EHR).
  • Ensure that patient information or patient orders transmitted into the EHR are accurate, complete, filed and retained in the proper place, and accessible.
  • Develop and execute policies and procedures that require checking the security and integrity of the text messaging systems/platforms on a set basis.


1 Adler, S. (2023, December 13). Is text messaging HIPAA compliant? HIPAA Journal. Retrieved from www.hipaajournal.com/is-text-messaging-hipaa-compliant/

2 Adler, S. (2024, February 24). Is texting in violation of HIPAA? HIPAA Journal. Retrieved from www.hipaajournal.com/texting-violation-hipaa/

3 Ibid.

4 The Joint Commission. (2024, October 16 [last updated]). FAQ: Can organizations use texting to communicate patient care information and orders? Retrieved from www.jointcommission.org/standards/standard-faqs/behavioral-health/information-management-im/000002483/

5 Centers for Medicare & Medicaid Services. (2024, February 8). Texting of patient information and orders for hospitals and CAHs [Memorandum]. Retrieved from www.cms.gov/medicare/health-safety-standards/quality-safety-oversight-general-information/policy-memos-states/texting-patient-information-and-orders-hospitals-and-cahs; The Joint Commission. (2024, June 5). Use of secure text messaging for patient information and orders. Retrieved from www.jointcommission.org/resources/news-and-multimedia/newsletters/newsletters/joint-commission-online/june-5-2024/use-of-secure-text-messaging-for-patient-information-and-orders/



This document should not be construed as legal or medical advice and should not be construed as rules or establishing a standard of care. Because the facts applicable to your situation may vary, or the laws applicable in your jurisdiction may differ, please contact your attorney or other professional advisors if you have any questions related to your legal or medical obligations or rights, state or federal laws, contract interpretation, or other legal questions.


© MedPro Group Inc. All rights reserved.