Text messaging requirements for therapists

HIPAA requires therapists to use secure messaging platforms that encrypt and authenticate electronic protected health information (PHI). They must also obtain written patient consent, limit PHI to the minimum necessary, conduct risk assessments, and implement device security measures.

HIPAA Security Rule and text messaging

Protected health information (PHI)

HIPAA defines PHI as any "individually identifiable health information" held or transmitted by a covered entity or its business associate, including text messages with sensitive information. For therapists, any text communication involving PHI falls under HIPAA regulations.

Using text securely

The HIPAA Security Rule provides guidelines for safeguarding electronic PHI. Specifications relevant to text messaging include:

• Integrity controls: Measures must be in place to ensure the accuracy and completeness of electronic PHI during transmission and storage. For example, therapists can use message hashing to verify that messages have not been altered.
• Authentication: Verify the identity of users accessing electronic PHI. Therapists should implement strong passwords and multi-factor authentication (MFA) to ensure only authorized individuals can send or receive messages.
• Encryption: Encrypt electronic PHI both during transmission and when stored, ensuring that even if a message is intercepted, it cannot be read by unauthorized parties.
• Transmission security: Therapists should use secure messaging platforms with encryption and other security features to protect ePHI during electronic transmission over open networks.
• Audit controls: Recording and monitoring access to ePHI helps detect and investigate potential security breaches. Therapists should maintain logs of all text communications.

Risk assessment and management

Therapists should conduct a risk assessment to identify potential threats and vulnerabilities to ePHI related to text messaging. Risks or vulnerabilities may include unauthorized access, device loss or theft, and insecure storage practices.

After conducting the risk assessment, therapists can determine if additional safeguards are needed. 

HIPAA Privacy Rule and text messaging

Patient authorization

Therapists must obtain written authorization from patients before using text messaging to communicate PHI. This consent should clearly outline:

• The purpose of using text messaging (e.g., appointment reminders, check-ins).
• The potential risks associated with texting, include the possibility of unauthorized disclosure.
• The patient’s right to revoke consent at any time.

Read more: Obtaining patient consent for text message communication

Minimum necessary rule

The minimum necessary rule mandates that therapists only include necessary details in text messages. 

Device security considerations

• Strong passwords: Use complex passwords and implement password management policies.  
• Encryption: Ensure devices have encryption enabled for stored data.
• Remote wipe capabilities: This feature allows therapists to erase ePHI from lost or stolen devices, protecting sensitive information.

Staff training and awareness

Regularly train staff on HIPAA regulations and secure messaging practices. Education should cover the importance of confidentiality, the potential risks of text messaging, and best practices for compliance. 

Business associate agreements (BAAs)

When using third-party vendors for secure messaging, therapists must establish BAAs. These agreements ensure that vendors comply with HIPAA regulations and adequately protect ePHI. 

Related: What is the purpose of a business associate agreement?

FAQs

Can therapists use regular texting apps with clients?

No. Regular texting apps typically lack security features, like encryption, required for HIPAA compliance when transmitting PHI.

How often should therapists review their text messaging policies?

Therapists should review their text messaging policies at least annually or whenever there are significant changes in technology or regulations to ensure ongoing compliance.

Can text messages be used for emergency communication with clients?

Text messaging should not be relied upon for emergency communication due to potential delays and the lack of immediate response; clients should be advised to call emergency services instead.