SMSGlobal is a platform that enables companies to deliver mass text messages to customers. Many healthcare organizations use texting platforms to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with platforms that are HIPAA compliant.
In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. SMSGlobal still does not mention a BAA on its website and may not be HIPAA compliant.
SMSGlobal, an Australia-based organization, is used to create, send, and analyze mass texting campaigns. Short message service (SMS) or text marketing is integral to communication. The key features of SMSGlobal’s platform include bulk SMS, two-factor authentication, a dedicated number, multiple plugins, and the WhatsApp API.
In the healthcare sector, text messaging can serve various purposes, like communication with patients, sharing patient information among healthcare providers, or assisting in discussing treatment plans. The SMSGlobal platform includes a control center for SMS marketing where users can create, send, respond to, promote, and report on messaging campaigns.
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
The agreement is required by law for HIPAA compliance and is the primary factor in determining whether SMSGlobal can be HIPAA compliant. SMSGlobal is a business associate of a healthcare organization if it transmits any PHI, like a name or email address, through a text message.
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. In a 2020 blog, we stated that SMSGlobal would not sign a BAA. At that time, we contacted SMSGlobal, and two representatives told us that opening to HIPAA compliant services could lead to major fines. Therefore, they would not sign a BAA.
There is still no mention of a BAA or HIPAA on the company’s website.
Text messaging can be a great way to communicate individually and collectively. In 2023, we created a HIPAA compliant guide to text messaging to update our ultimate guide from 2021. While HIPAA doesn't explicitly mention texting technology, it does impose rules for protecting sensitive patient data. Many texting tools are available, but not all meet HIPAA requirements of encryption, data backup, and access controls.
According to SMSGlobal’s privacy policy, it takes active steps to protect personally identifiable information (PII) against “loss, unauthorised access, use, modification or disclosure, and against any other misuse.” All data is processed and stored on their servers with security standards that meet Australian requirements.
There is no mention of what happens to end-user data, but considering it can be analyzed by customers, there must be a way to store and access it.
The BAA is a necessary component of HIPAA compliance, and SMSGlobal still does not offer a BAA to its customers or mention the agreement on its website.
Conclusion: SMSGlobal may not be HIPAA compliant.
Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA: