Sharing patient information through texts is not prohibited by law, but providers must take steps to mitigate “reasonably-anticipated risks,” a biomedical expert explained in a recent online issue of JAMA.

A combination of patient deidentification and use of all available security features can ensure that providers comply with Health Insurance Portability and Accountability Act (HIPAA) requirements.

“Although some statutory elements may be interpreted to prohibit text messaging on personal mobile devices, texting to communicate health information is neither explicitly prohibited by [Health and Human Services] nor illegal in the United States,” notes Brian Drolet, MD, assistant professor in the department of plastic surgery and biomedical informatics and a researcher at the Center for Biomedical Ethics and Society at Vanderbilt University Medical Center in Nashville, Tennessee.

Continue Reading

Dr Drolet points to the inevitability of texting of clinical information communication, citing studies that show that up to 80% of physicians use that method to share clinical information. Although HIPAA articulates general standards for the security and privacy of protected health information, it provides no “meaningful compliance standards” for text messaging, says Dr Drolet.

“HIPAA merely requires that covered entities [eg, clinicians, staff and organizations] address security by identifying ‘reasonably-anticipated risks’ of breach and creating mitigation strategies,” says Dr Drolet.

He suggests that this can be done in two ways: by employing comprehensive security measures and by deidentifying information so that it no longer requires protection under HIPAA.

“[S]ecurity rules can include strong passwords, remote deactivation capability for lost or stolen devices, message and operating system encryption and disabling message preview to avoid unintentional disclosures,” explains Dr Drolet.

Additionally, HIPAA’s Safe Harbor Method exempts information from requiring protection if it is deidentified. HIPAA lists 18 types of patient identifiers that must be removed in order to meet this requirement — including names, initials, serial numbers, medical device identifiers, and web universal resource locators (URLs), among other identifiers. The downside to deidentification is that it may be challenging to recognize which patient is being discussed, leading to a risk of miscommunication, Dr Drolet says.

Nevertheless, the efficiency and convenience of text messaging medical information outweighs these limitations, he notes.

“Although text messaging does not work in every situation or for every practice, [it] provides unprecedented convenience and accessibility for both patients and clinicians who agree to use this form of communication,” Dr Drolet writes.

To continue enjoying the benefits of this medium, the author urges providers to practice ongoing stewardship.

“If clinicians do not respect the privacy of health information, they betray the trust of patients, and this could lead to regulatory changes to the detriment of a common and effective means of communication,” he concludes.


Drolet BC. Text Messaging and Protected Health Information: What Is Permitted? JAMA. 2017. doi:10.1001/jama.2017.5646 [Epub ahead of print]