How To Safeguard Your Practice When Texting

Are you violating HIPAA when texting? A CAP member recently posted this question to the Risk Management Hotline:

"Does CAP have any literature on what we are and are not allowed to send patients via text or is there someone I can talk to about texting?"

Consider the following 10 steps to safeguard your practice:

  1. Enable encryption on your mobile device.
  2. Have a texting policy that outlines the acceptable types of text communications and specifies situations when a phone call is warranted.
  3. Report to the practice’s privacy officer any incidents of lost devices or data breaches.
  4. Install auto-lock and remote wiping programs to prevent lost devices from becoming data breaches.
  5. Know your recipient, and double check the “To” field to prevent sending confidential information to the wrong person.
  6. Avoid identifying patient details in texts.
  7. Assume that your text can be viewed by anyone in close proximity to you.
  8. Ensure the metadata retention policy of the device is consistent with the medical record retention policy and/or that it is in accordance with a legal preservation order
  9. Ensure that your system has a secure method to verify provider authorization.
  10. When conducting your HIPAA risk analysis, include text message content and capability.

If you would like more information on how to protect your practice and not violate HIPAA Privacy and Security rules, download CAP’s list of HIPAA resources.

Always remember the Risk Management & Patient Safety Hotline is available to respond to your questions about a variety of risk and patient safety topics. The Hotline number is: 800-252-0555.


Authored by Joseph Wager, MS, RCP
Senior Risk Management & Patient Safety Specialist

Additional Resource

Hold the Phone! Risk Management Insights into the Perks and Pitfalls of Our Favorite New Mode of Communication: Text Messaging