A Brief Guide to HIPAA-Compliant Texting

By: Lisa Morris on August 13, 2019

As the age of millennials dawns, text messaging beats out nearly every other format as the preferred method of communication—and that absolutely carries over into the medical world.

One in 5 patients prefers secure, HIPAA-compliant texting over patient portals for receiving protected health information—but doctors can’t just start texting patients without first understanding the HIPAA requirements and protecting against security violations.


HIPAA-compliant text message apps exist to help practices that are interested in this communication method, but for those that aren’t interested, having canned responses prepared ahead of time can help direct patients away from texting and towards patient portals.

Here’s what we’ll cover:

  • What is HIPAA-compliant texting?

  • Establish your HIPAA texting policy before you hit send

  • Make sure texting is right for you

What is HIPAA-compliant texting?

HIPAA-compliant texting is a form of secure messaging that allows doctors to exchange protected health information (PHI) with patients easily via secure SMS texts.

Simply typing up a message on your iPhone and sending it directly to patients is not a secure way to do it, though, nor is it HIPAA-compliant. You need secure software apps to let you text patients safely.

Think of popular smartphone apps such as WhatsApp, Facebook Messenger, and Skype. Now imagine those tools used a secure, encrypted network to send, receive, and store messages, and included auditing controls to meet HIPAA Security Rule requirements. There you have it: that’s basically what HIPAA-compliant texting apps are.

Practices have some options when it comes to finding the most secure system for communicating with patients.

They can opt for streamlined texting applications such as OhMD or MedTunnel, or more robust patient communication tools like TigerConnect or TelmedIQ.¹

This leads to an important distinction between HIPAA-compliant texting applications and broader clinical communication systems with secure messaging features:

Think of fingers and thumbs. Not all fingers are thumbs, but the thumb is a finger. Likewise, not all secure messaging is done via text, but HIPAA-compliant texting is a type of secure messaging.

That’s a critical thing to understand about patient communication tools, but what’s even more critical is realizing that you must have an established plan in place before you begin using any of these communication methods.

Establish your HIPAA texting policy before you hit send

Depending on who you ask, the question of whether or not texting patients is secure enough has different answers.

Some organizations will warn practices away from texting patients altogether, citing the vulnerabilities of unsecured texting and the many HIPAA security requirements providers must meet to avoid violations. Those organizations would tell you it’s just easier not to deal with it.

On the other hand, if you’re in the market for an efficient and secure communication system and your patients have shown an interest in texting, software is definitely a solution.

If you’re in the second camp and decide to start texting PHI, you need to first prepare a HIPAA texting policy.

This is a document that lays out all the rules, requirements, and best practices around texting PHI for your employees.

Your HIPAA texting policy will be unique to your practice because it will depend on factors like what type of provider you are and how much you utilize text messaging in patient communications.

Most HIPAA text messaging policies will cover things like:

  • When it’s ok to send PHI by text

  • The mistakes to avoid when communicating information via text

  • Who PHI can be sent to via text

  • What the consequences of violating the HIPAA texting policy will be

The goal of creating this document is to ensure each of your employees is fully informed before they begin texting protected health information, protecting them, you, and your practice from HIPAA violations.

Make sure texting is right for you

According to Gartner (available to Gartner clients), stand-alone systems for secure messaging may not be the best long-term solution:

“Requirements to support greater care team collaboration needs are rendering stand-alone secure messaging obsolete. Health delivery organization CIOs should phase out stand-alone secure messaging systems and phase in care team collaboration and coordination platforms over the next two to three years.”

This recommendation applies to hospitals and large health organizations, so stand-alone systems could absolutely still be worthwhile for smaller, independent practices.

However, it’s important to understand all of your options for sending and receiving PHI securely, so we recommend exploring every possible solution and narrowing down the list to those that will best suit your needs.

In addition to HIPAA-compliant texting applications and clinical communication systems, you should consider:

To learn more about any of these types of software, you can reach out to our team of expert medical advisors. After a quick conversation, you’ll be given a list of products that meet your specific needs.

¹ To identify the systems featured here, we entered the term “HIPAA compliant texting” in Google during the week of July 15 in an incognito window with the location set to the U.S. The top solutions on the first page of Google’s results that fit our description are listed here.