10 Policies and Procedures for Secure Text Messaging

Technology is only as effective as the workflow that supports it. Take a standard lock, for example. If I lock my front door, but fail to take the key out of the keyhole, my home is not secure. The technology did what it was supposed to, but I failed to produce the intended outcome. I might as well leave my TV on my front lawn! Similarly, if my computer is password-protected, but I leave a sticky note on the monitor that contains the password, I would be putting the content on my computer—and my company—at risk.

Technologies and supporting workflows within enterprises are no different. We must define and govern workflows with policy to ensure intended outcomes. This is particularly important in healthcare environments, where security and efficiency of workflows can be critical to patient care and safety. Workflows that support the use of secure text messaging provide a great example of this, as the technology is intended to be used to increase communication efficiency and security, but can do quite the opposite if workflows aren’t carefully developed and governed. Before implementing secure text messaging, IT leaders, clinical leaders, security officials, legal teams, and human resources teams should work together to develop policies to help ensure that all people, processes, and technology involved will be effective and secure. Below is a list of 10 policies and procedures that hospitals should consider when implementing secure text messaging.

The Policies

1. Eligibility

Define which users are eligible to use secure text messaging based on the clinical workflows they are involved in.


2. Expense allocation

Define who pays for the device, the application, and mobile carrier voice and data services.

3. User roles and responsibilities

Define what users are responsible for regarding usage and maintenance of the technology, such as battery management, availability while on call, damaged or lost devices, etc.

4. Security and feature management

Define how data shared within secure text messages will be secured in transit and at rest. This will likely include using mobile device management (MDM) to enforce passcodes, device encryption, and restrictions.

5. IT support

Define what devices, networks, services, and features IT will support and what is out of scope.

The Procedures

6. Consumer application usage

Define whether users are allowed to use consumer messaging apps (iMessage®, WhatsApp®) in any workflows, or whether these apps will be prohibited.


7. Texting orders

Define whether or not staff can use secure text messaging to text orders (note: The Joint Commission now allows this, but certain secure text messaging solutions may not support everything needed to enable these workflows, such as order verification).

8. Screenshots

Create a procedure to prohibit screenshots of secure text messages (note: most secure texting solutions natively prevent copy/paste, but they cannot prevent screenshots without an MDM solution).

9. Dictation

Create a procedure to prohibit the use of keyboard dictation for any messages containing protected health information (PHI). Note: if your secure texting solution uses the native keyboard, dictation is not a HIPAA-compliant workflow.

10. Attachments

Create a procedure that prevents users from attaching images or video that contain PHI from the device’s camera roll. Instead, require users to add attachments from the camera within the app when including PHI. Pictures in the camera roll can be unencrypted and unprotected if they aren’t managed by an MDM solution.