Smartphones, Texts, and HIPAA: Strategies to Protect Patient Privacy

Kim Hathaway, MSN, CPHRM, Patient Safety Healthcare Quality and Risk Management Consultant, The Doctors Company

Physicians have embraced smartphone technology, with the vast majority using phones to communicate via text messages and access medical information. The attraction is obvious: Smartphone applications place libraries full of information at users’ fingertips—including drug alerts that are literally a click away. Texting via secure messaging systems is instantaneous, convenient, and direct. It reduces the time spent waiting for colleagues to call back, and it can expedite patient care by facilitating the exchange of critical lab results and other necessary patient data.

Smartphone technology is not just for peer-to-peer use: To manage their own healthcare needs, empowered patients are requesting more access to their physicians and medical records. Patients are also investing in mobile health technologies that provide continuous vital sign monitoring and generate health data that can be sent to their physicians. (For more information on this topic, see our article “Remote Patient Monitoring: Considerations for Telehealth Care.”) Technology is becoming essential to the patient experience and increasingly important to younger, technology-savvy patients.

Safeguard Against HIPAA Violations

The very convenience that makes using smartphone technologies so inviting may also create privacy and security violations if messages containing protected health information (PHI) are not properly safeguarded. It is important that physicians and their teams understand that communications with patients or other providers have the potential to lead to violations of the Health Insurance Portability and Accountability Act (HIPAA).

Physicians and other team members must not communicate with patients using their personal text messaging systems. Before communicating with patients through electronic technologies, a practice must have in place a secure HIPAA-compliant messaging platform that interfaces with the electronic health record (EHR) and strong administrative procedures. HIPAA compliance is paramount to the physician’s ability to communicate safely and send appointment reminders, alerts, and other follow-up reminders.

Text messages among colleagues should also be encrypted and exchanged in a closed, secure network designed specifically to protect PHI, not on personal messaging systems. A secure messaging platform allows for the encrypted flow of information and storage in the medical record. Many EHR products now interface with secure messaging systems or the secure systems are integrated into the EHR product.

Implementing a secure messaging platform must include establishing electronic communication policies regarding the proper and improper uses of texting—which means specifying what types of information may or may not be texted. Patients must also be educated on how the practice uses electronic communications and/or texting and be given the option of consenting or opting out of those communications.

In addition to using a secure messaging platform, other minimal protections include automatic screen locking settings and remote wiping programs. An automatic screen locking setting secures a device when it is inactive, requiring a password to unlock it. Timing can be changed to shorten the interval before locking the screen. Remote wiping programs can erase data, texts, and email. Both safeguards provide additional protection in the event a device is lost or stolen. The government website provides tips and information for individuals and organizations related to securing mobile devices.

Compliance is a challenge when the technology options and HIPAA security rules are not known or they are misunderstood. We have found that some clinicians are still using unsecured personal messaging systems and consumer apps to text images and send files containing PHI. With penalties up to $50,000 per HIPAA violation, safeguarding communications should be of the utmost priority.

Texting Orders

In December 2017, the Centers for Medicare and Medicaid Services issued a clarification regarding texting patient information among healthcare providers. The recommendations include the following:

  • Texting patient information among members of the healthcare team is permissible if accomplished through a secure platform.
  • Computerized provider order entry is the preferred method for submitting orders.
  • The current prohibition on secure text messaging of patient care orders is continued.

Ensure Accuracy to Avoid Liability Concerns

Shorthand and abbreviations are commonly used in text messaging. The informal nature of text messages can increase the chances of miscommunication. It is important to ensure accuracy and use standardized and approved abbreviations, particularly when patient information is exchanged over text.

Texting cannot substitute for a dialogue with a colleague concerning a patient. If the matter is critical or you have any doubt about the communication, it is best to speak directly with your colleague.


Just as phone records are discoverable during litigation, so are the text messages on personal and work-designated smartphones. When changes occur in the patient’s condition or a serious event takes place, limit texting to messages over a secure messaging platform, and ensure that message content is appropriate for the medical record. Do not use personal messaging systems for any messages containing PHI or that are not compliant with the HIPAA Security Rule. For example, if you don’t have access to a secure messaging system and need to use your personal phone, text a generic message such as “please call urgently.” 

Communication about patient care information should be made in person or by person-to-person phone call and documented in the medical record. If texting is the only way to communicate, keep texts brief, professional, and to the point. If you would not document the communication in the medical record, do not say it in a text message. Avoid expressing your opinion in a text about the care others have provided, unexpected events, or possible errors. Instead, communicate your understanding of events using an appropriate format, such as in an incident report or during a postevent investigation.

Text messages from medical device representatives and other vendors who are present during patient care are also discoverable. Text messages should not contain discussions, opinions, or comments that would not be included in the medical record.

Take Steps to Protect Your Practice

Consider the following strategies for safeguarding your practice:

  • Conduct a risk assessment to evaluate the risks of texting—including message content and security measures that have been taken.
  • Use a secure messaging platform to send communications, not a personal or unsecured messaging system.
  • Enable encryption on your mobile device.
  • Set screens to lock automatically if inactive, and use the remote wiping function to prevent lost devices from becoming data breaches.
  • Ensure that your system has a secure method for verifying provider authorization.
  • Have a texting policy that outlines the acceptable types of text communications and specifies situations in which a phone call is warranted. Specify any applications that would be used in conjunction with texting.
  • Know your recipient and double check the “To” field to prevent sending confidential information to the wrong person.
  • Minimize identifying patient details in texts.
  • Assume that your text can be viewed by anyone in close proximity to you, and always maintain physical control of your device.
  • Ensure that the metadata retention policy of the device is consistent with the medical record retention policy and/or that it is in accordance with a legal preservation order.
  • Report to the practice’s privacy officer and your malpractice carrier any incidents of lost devices or data breaches.


  1. Centers for Medicare and Medicaid Services. Center for Clinical Standards and Quality/Survey and Certification Group. Texting of patient information among healthcare providers. December 28, 2017.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

J12602 11/20