Making sense of secure text messaging compliance in healthcare

Did you know that SMS (short message service) text messages are not encrypted, and anyone could buy a cheap scanner on Amazon, pull your SMS messages out of the air and read them clearly? Did you also know that a recent study found that 96% of physicians use consumer text messaging for patient care coordination? A bit discomforting?


With its familiar interface and ready-to-use convenience, text messaging is exceedingly appealing to busy medical practitioners. A study in the Journal of Hospital Medicine found that over half of hospital-based clinicians receive text messages at least once a day for patient-care related communications.

Secure text messaging adoption is growing: Our most recent mobility survey found that 52% of hospitals use a secure messaging solution, and an additional 30% are evaluating. However, simply having a secure messaging solution available to hospital staff isn’t enough to achieve compliance with HIPAA and Joint Commission guidelines.

To fully comply with protected health information (PHI) privacy regulations, you need a full understanding of applicable regulations, security protocols and procedures, education and training for your staff, and mobile device management strategies and tools.

Understanding HIPAA and Joint Commission Guidelines

To reach full compliance with your secure messaging solution, you first need to know which HIPAA and Joint Commission regulations apply to electronic communications like secure texting.

HIPAA requires healthcare organizations to transmit and store electronic PHI in a secure manner. The Centers for Medicare & Medicaid Services (CMS) has published a document called “Security Standards — Technical Safeguards” that outlines HIPAA’s requirements for safeguarding PHI. These include implementing specified access, audit, and integrity controls, encryption, and rules for authenticating people or entities.

To ensure HIPAA compliance, secure texting applications should offer encryption of message data in transit and at rest, reporting/auditability of message content, passcode enforcement, authentication, and permissions management capabilities.

In 2011, The Joint Commission banned the use of mobile devices and platforms for transmitting patient care orders. After lifting the ban in April 2016, The Joint Commission clarified its guidance and resumed its original stance in December 2016. The latest regulations do not address clinicians’ use of HIPAA-compliant secure texting platforms to send messages to each other and collaborate on patient care, but they do specifically prohibit texting patient care orders (even with secure messaging applications).

Security protocols and procedures

Technology is only as effective as the workflow that supports it. Security protocols and procedures are necessary to define how clinicians should use secure text messaging. Policies and procedures should define:

  • Which users are eligible to use secure text messaging based on their role, department, or workflows they’re involved in
  • How data shared within text messages will be secured both at rest and in transit
  • Prohibitions on the types of PHI that can be used in secure text messages, such as screenshots of secure text messages, keyboard dictation for any messages containing PHI, as well as images or videos containing PHI

Security education and training

Humans are often cited as the weakest link in an organization’s security: A recent study by Dell found that risky security behavior was pervasive in the workplace regardless of industry. A staggering 72 percent of surveyed employees were willing to share sensitive, confidential or regulated company information. Typically, these employees do not have malicious intent, but just want to do their jobs as efficiently and effectively as possible.

Organizations need to create, distribute, and routinely discuss their security policies for secure text messaging during orientation for all staff working in the facility and on an ongoing basis. The InfoSec Institute recommends that security awareness training in healthcare accomplishes these learning objectives:

  • Creating a culture of pro-active security and understanding what’s happening in the wider security landscape
  • Fostering respect for individuals’ privacy
  • Knowing what PHI is and why it needs to be protected
  • Understanding that security is part of the whole organization and impacts everyone
  • Knowing which security and privacy rules apply to healthcare and what impact they have
  • Understanding security policies and procedures

Mobile device management

Hospitals today have the choice of giving staff mobile devices or of allowing them to bring their own devices (BYOD) and install a secure texting application. To minimize the compliance risk for either of these options, healthcare organizations should use a mobile device management/enterprise mobility management (MDM/EMM) solution to manage employee devices. Such solutions help automate the implementation and enforcement of organizational security policies to minimize security risks.

For example, secure texting apps protect data in motion through encryption, but they do not automatically protect data at rest. Hospitals may assume that users are implementing passcodes at the device level to prevent unauthorized users from reading texts on the device. But smartphones do not require a device passcode by default, and I’ve witnessed that many physicians do not use passcodes. An MDM /EMM solution can enforce rules-based policies to help ensure that all managed devices are secured using passcodes at the device level.

If MDM / EMM is not used, it is very important to ensure that app-level access codes are enforced and that security is enforced at the network-level, to add necessary security controls. Implementing a secure text messaging solution is just the first step. To ensure full compliance with HIPAA and Joint Commission regulations, you need a multi-faceted approach. This strategy must incorporate knowledge of industry regulations, development, and implementation of security protocols and procedures, staff education, and training and management of users’ mobile devices.

To be sure, this is a tall order for any healthcare organization, but especially so if you lack the internal resources required for success. My team at Spok, the professional services group, has years of experience not only implementing secure texting solutions, but also assisting with training, go-live and rollout, and ongoing optimization. Let us know if you want to chat!

Topic: Secure messaging