Healthcare News & Insights

Risky texting: 3 reasons you shouldn’t text ePHI

Texting may be convenient, but when it comes to transferring healthcare information, it can be full of costly risks. In this guest post, Erik Kangas, founder of an Internet services company dedicated to secure web and email hosting, gives reasons why you shouldn’t text ePHI and what you can do to mitigate the risks.


Text messaging has become such a regular part of our daily lives that we often don’t think twice about doing it – quickly shooting off a text to a patient who’s inquiring about his or her appointment, or asking about lab results. Unfortunately, text messages leave a virtual paper trail, which someone could use as evidence of potential HIPAA violations.

Sending protected health information (PHI) in a text message is a HIPAA violation, unless it’s to a patient and he or she has signed a proper consent form. Without the context, the consideration and the patient’s consent documented, you could be found in willful neglect, and for each text message you could be assessed up to $50,000.

In other words, texting ePHI can be one costly mistake.

Here are three reasons why you shouldn’t text ePHI, as well as what you can do to mitigate the risks:

1. Lost or stolen devices

The loss of a smartphone, whether through theft or simple carelessness, is many people’s worst nightmare. As a healthcare practitioner, let’s say that you were recently texting a patient about a medical visit or the results of recent tests. Once either party’s phone is lost or stolen, those text messages are now in the possession of someone who’s not your patient and, according to an article at AHIMA, this is definitely a cause for concern. “Text messages may reside on a mobile device indefinitely, where the information can be exposed to unauthorized third parties due to theft, loss or recycling of the device,” says the article.

Given that you can’t be sure that your patient has enabled a password on their device (let alone encryption), it’s not advisable to send any ePHI to a potentially unprotected smartphone. If a medical company is texting confidential information to a patient and proper safeguards haven’t been put in place (e.g., getting the patient to sign a consent form), then the responsibility could fall on the medical side for texting the information in the first place.

2. Carrier storage of information

It can be impossible to find out just how long a cellular carrier (e.g., AT&T or Verizon) may store copies of the texts sent to an individual’s smartphone. That’s why it’s important to consider the lifespan of a text message when you think about sending healthcare information to patients. You can’t be sure a third party won’t store copies indefinitely at locations where any access to such information is unauthorized and a breach.

What about message encryption? The cellular providers have the security keys to access all of these messages. Furthermore, as the article at AHIMA says: “Although text messages communicated wirelessly are usually encrypted by the carrier, interception and decryption of such messages can be done with inexpensive equipment and freely available software.” Simply put, there’s both an internal and external threat.

This also brings up the problem of iMessage on Apple devices. With this form of text communication, Apple encrypts messages in transit and routes them through its own servers before they’re decrypted on the receiving iOS device. However, depending on internal and external backup and storage setups (like iCloud), these messages can easily end up replicated and stored on other servers.

Organizations that send messages through anything other than a common carrier, such as AT&T or Verizon, must have a HIPAA business associate agreement (BAA) with the company through which the ePHI-laden texts will flow, whether that’s Apple or another texting application vendor, and regardless of whether the messages are secure. All of this means that Apple isn’t HIPAA-compliant, and you’d need a HIPAA BAA with Apple in order to send any ePHI over iMessage or FaceTime, even if you have patient consent beforehand. It’s best not to take the risk and simply avoid sending any form of ePHI to Apple devices.

3. Lack of authentication

Another security gap that’s easy to overlook is the lack of authentication on the receiving device. You can never be completely sure that the person reading the information is the intended recipient, which can cause a lot of trouble for a medical organization that wants to abide by HIPAA regulations. “Text messages often can be accessed without any level of authentication, meaning that anyone who has access to the mobile phone may have access to all text messages on the device without the need to enter a password,” the AHIMA article is quick to remind. Whether the access was intentional or not, giving other individuals access to a patient’s healthcare information is a clear breach of HIPAA.

Also, it’s not just the risk of unintended recipients; there’s always the possibility that a third party will intercept and decrypt the ePHI. If this were to happen with text messages that exist either on an individual’s smartphone or in the cloud, it would definitely constitute a HIPAA breach. And if the patient hasn’t signed a proper consent form beforehand, your medical organization could be on the hook for the monetary damages.

How to text safely

In the event that texting is a necessity for your organization, there are still a few ways to safeguard the process to ensure that it remains HIPAA-compliant. Obviously, choosing a method of texting that involves encryption is the best way to stay compliant.

Requiring written consent forms and patient training is another good safeguard to ensure that ePHI stays protected.

There’s also the option to download specialized apps that can replace common texting programs or apps that can decrypt ePHI texts. However, the far easier route would be to use a customized secure texting solution that allows anyone with a smartphone to receive and open secure texts without having to use a third-party app. This can additionally cut down on any needed training, making this an easy and secure way to text ePHI to patients when absolutely necessary.

Texting may be convenient, but when it comes to transferring healthcare information, it can be full of costly risks that might run you afoul of HIPAA regulations. If you still wish to text ePHI, making sure you have specialized decryption apps or secure texting is your best bet to stay HIPAA-compliant and potentially save you thousands of dollars in fees.

Erik Kangas is the founder, chief architect and developer of LuxSci, an Internet services company dedicated to secure web and email hosting. He also serves as technical advisor to Mediprocity, which specializes in mobile-centric, secure HIPAA-compliant messaging.
