Do Unencrypted Text Messages Violate HIPAA?

Do unencrypted text messages violate HIPAA rules? Two medical professionals in North Carolina have found out that they do. Text message HIPAA violations appear to be occurring with alarming frequency, with many physicians and care team members choosing to use their own devices to communicate messages regarding their patients to other healthcare professionals.

The latest case to be reported concerns a doctor who was visiting a patient in a nursing facility and requested a nurse send the patient’s laboratory test results in a SMS message. The nurse did as requested and sent the results to the doctor, who was able to view them as part of his consultation.

In this case, only two authorized personnel viewed the message: The doctor who requested the PHI and the nurse who sent it. However, since the data was sent over an unsecured network, any number of unauthorized individuals could have intercepted that message and viewed its contents. That message may also still be stored on the mobile provider’s servers, or could have been relayed to any number of carriers.

There is nothing wrong with using Smartphones and mobiles in hospitals, and many healthcare providers even run Bring Your Own Device Schemes to take advantage of the benefits. However, they can only be used for sending non-confidential data and must never be used for transmitting PHI or personally identifiable information unless the messages are encrypted. There is no guarantee that the person receiving the information is the correct person and the risk of interception is too high. Unless a HIPAA-compliant healthcare messaging app is used.

After an assessment by the Centers for Medicare & Medicaid Services (CMS), the nursing facility in question was given an E-class deficiency for text message HIPAA violations in addition to being ordered to follow a 10-point Directed Plan of Correction (DPOC), which the facility is obliged to implement within 15 days of issue.

The DPOC details a number of measures that must be implemented, including training the staff of the use of text messages and other security matters, with that training to be conducted by an external expert. A HIPAA compliance officer must also be appointed and an emergency plan developed to deal with HIPAA breaches.

Recent studies suggest that even though the medium is not secure, doctors and other medical professionals are still using SMS messages to communicate. One notable study – Recently published in Telemedicine and eHealth – on the use of mobile phones in healthcare has recently been conducted on staff at 97 pediatric hospitals.

30% admitted to having received PHI in unsecured text messages, 60% claimed to have used text messages in a healthcare setting and 61% admitted to receiving work-related text messages.

The penalties for this type of HIPAA violation can be severe, especially if the use of text messages involves the disclosure of PHI to an unauthorized individual. Due to the convenience and benefits of mobiles and Smartphones, the easiest solution to avoid fines for SMS HIPAA violations is to use a secure messaging service with end to end encryption. It is much easier than controlling the staff and relying on them never to send PHI using an unencrypted Smartphone.

If anyone in your organization asks “Do unencrypted text messages violate HIPAA rules?” It is clear that more training on data privacy and security is required.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of