Text messaging and HIPAA compliance amid growing cybersecurity threats
Gugu Ntsele March 24, 2025
As researchers Karasz, Eiden, and Bogan note in Text Messaging to Communicate With Public Health Audiences: How the HIPAA Security Rule Affects Practice, "Text messaging is a powerful communication tool for public health purposes, particularly because of the potential to customize messages to meet individuals' needs. However, using text messaging to send personal health information requires analysis of laws addressing the protection of electronic health information."
Traditional SMS messaging lacks the encryption and security features necessary to protect protected health information (PHI). This gap led to the development of specialized HIPAA compliant messaging platforms that incorporate encryption, access controls, and audit capabilities.
Learn more: HIPAA compliant texting
Current cybersecurity challenges in healthcare communications
The 2022 research article Cybersecurity Challenges in Healthcare identifies five cybersecurity challenges facing healthcare organizations:
- Email phishing attacks: These attacks use deceptive emails with malicious attachments or links that appear legitimate but download malware or redirect to fraudulent sites.
- Ransomware attacks: Healthcare facilities face sophisticated ransomware that encrypts data and systems, demanding payment for decryption keys. According to Paubox's 2025 Healthcare Email Security Report, ransomware attacks targeting the healthcare sector have increased by 264% since 2018.
- Lost and stolen equipment: The theft or loss of portable devices (laptops, tablets, smartphones) used by healthcare professionals creates security vulnerabilities, especially when combined with unsecured connections like public Wi-Fi.
- Insider data loss: Insider threats can be either accidental or intentional. Accidental attacks occur through unintentional information sharing, procedural errors, or negligence, while malicious insider attacks involve employees or associates deliberately causing harm for personal gain.
- Attacks on connected medical devices: The FDA defines medical devices as instruments used in diagnosis, treatment, or prevention of disease. When compromised, these devices can serve as entry points into healthcare networks, leading to data misuse or malicious manipulation of device functionality.
Interpreting HIPAA for text messaging
As Karasz, Eiden, and Bogan explain: "The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is written with flexibility to account for changing technologies. In practice, however, the rule leads to uncertainty about how to make text messaging policy decisions."
This uncertainty comes from the fact that HIPAA consists of both the Privacy Rule and the Security Rule, each with distinct but related requirements. "Whereas the Privacy Rule defines the circumstances in which individual health care information may be disclosed, the Security Rule defines the requirements for making such disclosures in electronic form."
The researchers note that "Electronic PHI is PHI that is 'transmitted by electronic media' or 'maintained in electronic media.' Electronic media include 'electronic storage media' and 'transmission media used to exchange information already in electronic storage media.'" Therefore, text messages containing PHI are subject to the Security Rule.
Related: Unpacking the HIPAA rules on text messaging
Recent federal cybersecurity initiatives
HHS's 405(d) Program and Health Industry Cybersecurity Practices (HICP)
The Department of Health and Human Services (HHS) established the 405(d) Program in response to the Cybersecurity Act of 2015. This program produced the "Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients" (HICP) publication, which offers practical guidance on mitigating cybersecurity threats, including those related to secure messaging.
The HICP identifies secure text messaging as a critical area for healthcare organizations and recommends:
- Implementation of encrypted messaging solutions
- Authentication protocols for message access
- Automatic message expiration
- Remote wiping capabilities for lost or stolen devices
- Regular security assessments of messaging platforms
FDA's cybersecurity guidance for medical devices
The Food and Drug Administration (FDA) has strengthened its oversight of medical devices with connectivity features, including those that may interface with messaging systems. Their guidance emphasizes a "security by design" approach, which has implications for text messaging systems that connect to medical devices or transmit information related to them.
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions states, "... cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact. Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally. Such cyber attacks and exploits may lead to patient harm as a result of clinical hazards, such as delay in diagnoses and/or treatment."
The guidance continues, "Increased connectivity has resulted in individual devices operating as single elements of larger medical device systems. These systems can include healthcare facility networks, other devices, and software update servers, among other interconnected components. Consequently, without adequate cybersecurity considerations across all aspects of these systems, a cybersecurity threat can compromise the safety and/or effectiveness of a device by compromising the functionality of any asset in the system."
NIST cybersecurity framework in healthcare
The National Institute of Standards and Technology (NIST) Cybersecurity Framework has been widely adopted in healthcare. The framework's five core functions—Identify, Protect, Detect, Respond, and Recover—provide a structured approach to securing messaging systems.
In 2024, NIST updated its guidance specifically for healthcare entities, emphasizing the importance of:
- Conducting thorough risk assessments for all communication channels
- Implementing multi-factor authentication for messaging platforms
- Ensuring proper encryption for data in transit and at rest
- Establishing clear incident response protocols for messaging-related breaches
Security rule compliance approaches
Karasz, Eiden, and Bogan describe two potential approaches for healthcare organizations to implement text messaging while addressing HIPAA requirements:
- Excluding protected health information: "Text messaging to send health information can be implemented in a public health setting through... restructuring text messages to remove personal health information."
- Complying with the security rule: Healthcare organizations can send messages "retaining limited personal health information in the message but conducting a risk analysis and satisfying other requirements to meet the HIPAA Security Rule."
For organizations pursuing the first approach, the researchers found that "stripping PHI from health messages can reduce the simplicity and clarity of the intended message," potentially undermining the effectiveness of the communication.
For the second approach, under the Security Rule, a covered entity must "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
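How the two approaches translate into message-composition logic, as an added example that is not code from the article or from the cited paper. The appointment record fields, the channel policy flag and the portal URL are hypothetical. In "exclude" mode the outbound text carries no identifier, date, location or clinical detail and points to a patient-agnostic portal; in "limited" mode one minimal element (the date) is allowed only when the covered entity has marked the channel as covered by a completed risk analysis. A pre-send screen compares the draft against the source record and refuses any draft that still contains a PHI field value, and each decision yields an audit record.

```python
"""Composing an outbound patient text under the two approaches described above.

Added example, not code from the article or from the cited paper. The record
fields, the channel policy and the portal URL are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Appointment:
    # Hypothetical appointment record. Every field except portal_url is
    # treated here as PHI (the date is an element of a date tied to a person).
    patient_name: str
    date: str
    clinic: str
    reason: str          # clinical reason for the visit
    portal_url: str      # patient-agnostic URL, the same for everyone: not PHI


PHI_FIELDS = ("patient_name", "date", "clinic", "reason")


@dataclass(frozen=True)
class ChannelPolicy:
    # Hypothetical: recorded by the covered entity after its risk analysis of
    # the SMS channel; fields listed here may be included in "limited" mode.
    risk_analysis_completed: bool = False
    allowed_limited_fields: tuple = ()


def phi_leaks(text: str, appt: Appointment) -> list:
    """Names of PHI fields whose value appears verbatim (case-insensitive) in text.

    This is a pre-send screen against the source record, not a general PHI
    detector: it catches a template that interpolated a field it should not have.
    """
    lowered = text.lower()
    return [f for f in PHI_FIELDS if getattr(appt, f).lower() in lowered]


def compose_excluding_phi(appt: Appointment) -> str:
    # Approach 1: no identifier, date, location or reason; the detail lives
    # behind an authenticated portal rather than in the SMS itself.
    return f"You have an upcoming appointment. Sign in at {appt.portal_url} for details."


def compose_limited_phi(appt: Appointment, policy: ChannelPolicy) -> str:
    # Approach 2: limited PHI, gated on the risk analysis having been completed.
    if not policy.risk_analysis_completed:
        raise PermissionError("limited-PHI texting requires a completed risk analysis")
    if "date" not in policy.allowed_limited_fields:
        raise PermissionError("channel policy does not permit the appointment date")
    return f"Reminder: your appointment is on {appt.date}. Details: {appt.portal_url}"


def prepare_message(appt: Appointment, mode: str, policy: ChannelPolicy) -> tuple:
    """Return (text, audit_record), or raise if the draft would leak PHI."""
    if mode == "exclude":
        text, permitted = compose_excluding_phi(appt), ()
    elif mode == "limited":
        text, permitted = compose_limited_phi(appt, policy), policy.allowed_limited_fields
    else:
        raise ValueError(f"unknown mode {mode!r}")
    present = phi_leaks(text, appt)
    unexpected = [f for f in present if f not in permitted]
    if unexpected:
        raise ValueError(f"refusing to send: draft contains PHI fields {unexpected}")
    audit = {
        "mode": mode,
        "phi_fields_sent": present,
        "screened_at": datetime.now(timezone.utc).isoformat(),
    }
    return text, audit


# Constructed sample record (fictional patient, clinic and portal).
SAMPLE = Appointment(
    patient_name="Ana Ortiz",
    date="April 2",
    clinic="Riverside Family Health",
    reason="diabetes follow-up",
    portal_url="https://portal.example.org/",
)

if __name__ == "__main__":
    text, audit = prepare_message(SAMPLE, "exclude", ChannelPolicy())
    print(text, audit, sep="\n")
    policy = ChannelPolicy(risk_analysis_completed=True, allowed_limited_fields=("date",))
    text, audit = prepare_message(SAMPLE, "limited", policy)
    print(text, audit, sep="\n")
    # A draft written without the screen in mind is caught before it goes out.
    careless = f"Hi {SAMPLE.patient_name}, see you {SAMPLE.date} for your {SAMPLE.reason}."
    print(phi_leaks(careless, SAMPLE))
```

The screen is deliberately narrow: it only checks whether values from the record the message was built from ended up in the text, which is the failure the first approach is trying to prevent. What counts as "limited" PHI for the second approach is a policy decision the covered entity records after its risk analysis, which is why the composer refuses to run until that flag is set.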
Learn more: Introducing HIPAA compliant texting API by Paubox
Implementation challenges
Karasz and colleagues note, "Along the continuum from provider to telecommunications system to end user, our analysis revealed potential vulnerabilities and risks that PHI could fall into the wrong hands every step of the way."
They identified three categories of risks:
- Risks wholly controlled by the covered entity
- Risks over which a health department has limited control
- Risks in sending text messages over which the health department has no control
The researchers point out, "Although encryption is a feasible option when sending PHI via email, it is not a realistic option for text messaging given the current state of technology."
This creates a significant compliance challenge, as "covered entities could choose to contract only with vendors with adequate security measures in place... [but] there are risks in sending text messages over which the health department has no control."
Karasz and colleagues also note that, "Currently, there is a lack of clear and specific guidance on how health entities can use text messaging that contains PHI... It would be helpful if the HHS Office of Civil Rights or another interested federal agency issued guidance outlining which alternative measures to encryption and mitigation strategies would enable health departments to meet the transmission security standard."
They specifically recommend that "the federal government take steps now to clarify how health departments can reasonably use text messaging to send protected health information. Text messaging is a technology that reaches the vast majority of US adults and has the potential to be a powerful tool to improve health and well-being."
Best practices for healthcare organizations
- Conduct regular risk assessments: Evaluate messaging practices as part of security risk assessments, identifying vulnerabilities and implementing appropriate controls.
- Develop clear policies: Establish and enforce policies for secure messaging, including appropriate use cases, prohibited practices, and security requirements.
- Implement technical safeguards: Have HIPAA compliant messaging platforms with appropriate security features, including encryption, access controls, and audit capabilities.
- Provide training: Ensure all staff understand the importance of secure messaging and know how to use approved platforms correctly.
- Monitor compliance: Regularly audit messaging practices to ensure compliance with policies and regulatory requirements.
- Stay informed: Keep up with evolving regulations and technological developments that may affect secure messaging requirements.
- Prepare for incidents: Develop and test incident response plans specifically addressing messaging-related security breaches.
FAQs
What is HIPAA compliant text messaging?
HIPAA compliant text messaging involves using secure messaging platforms that encrypt messages, control access, and provide audit capabilities to protect patient health information (PHI).
Does Paubox offer HIPAA compliant text messaging?
Yes, Paubox provides HIPAA compliant text messaging solutions that include encryption, secure delivery, and features that help healthcare organizations meet regulatory requirements.
Why is HIPAA compliant text messaging important for healthcare providers?
It ensures the secure transmission of sensitive health information while complying with privacy regulations to protect patient data and avoid potential penalties.
How does encryption work in HIPAA compliant text messaging?
Encryption secures the contents of messages so that, even if a message is intercepted, the information remains unreadable without the proper decryption keys.
What are the legal consequences of non-compliance with HIPAA for text messaging?
Healthcare organizations that fail to comply with HIPAA's text messaging rules may face substantial fines, lawsuits, and reputational damage for mishandling protected health information (PHI).