
SMS doesn't translate to secure messaging in healthcare

Strict healthcare privacy rules make SMS messaging a tough sell to care providers. More secure messaging is needed to meet their expectations.

An estimate from 2010 put the number of Short Message Service messages sent that year in the range of 6.1 trillion, which contributed $114.6 billion to the global economy. Recently, these numbers have been challenged by competing systems such as Apple's iMessage and BlackBerry Messenger. Despite their popularity, the limitations of SMS and other consumer-grade messaging services make them a bad fit for secure messaging in healthcare.

Although Short Message Service (SMS) can be a quick and effective way to communicate, there are definite drawbacks to using SMS and similar messaging services for anything beyond quick greetings. In addition to being limited to 160 characters in a single SMS message, delivery of an SMS message is not guaranteed, and many SMS subscribers have no way to reliably confirm delivery. That leaves users exposed when they send messages containing health information: the messages can be intercepted, read and forwarded by anyone who obtains them. Such messages may also remain unencrypted on the servers of telecommunication providers, and persist indefinitely on senders' and receivers' phones. Many of today's physicians are eager to accommodate their patients through electronic communication, but are aware of the privacy considerations that must be addressed first.

According to an article from the American Society of Orthopaedic Surgeons, hospital accreditor The Joint Commission has "effectively banned physicians from using traditional SMS for any communication that contains ePHI [electronic protected health information] data or includes an order for a patient to a hospital or other healthcare setting." According to the article, a single violation involving unsecured communication can result in a fine of $50,000, and "repeated violations can lead to $1.5 million in fines in a single year, not to mention the reputational damage done to an organization and its ability to attract patients." Clearly, alternatives to SMS for medical purposes should be examined.

Apple's iMessage is one of a number of other messaging systems that are growing in popularity. Apple's iMessage works on a similar premise as SMS, but differs in that it "relies on Apple's messaging system to intercept a text message sent to another iOS device and re-routes it through its servers rather than sending it via the wireless carriers as a standard SMS or MMS message" according to an explanation from mobile tech site Re/code. Even iMessage's system has experienced delivery and reliability issues as of late, with iMessage users experiencing message routing glitches after switching to phones with a different operating system. 

Introduction to secure messaging

A safer alternative that can be used in healthcare is secure messaging. The goal of secure messaging in healthcare is to enable patients and their providers to electronically communicate both privately and securely.

Similar to other messaging services, secure messaging utilizes a server-based approach which enables "secure and protected transmission of information between patients and their providers, including clinicians and their support staff," according to an article on the Health Resources and Services Administration (HRSA) website.

The website provides further details of the secure messaging framework, stating that it is "built around existing communication tools such as the patient portal, secure email and the [personal health record] PHR." The article also clarifies that correspondence can be initiated by the patient or the provider, is sent live, and can consist of structured, unstructured or mixed-format content.

Securing a messaging service

Because privacy and security are essential when engaging in healthcare-related messaging, providers must take extra precautions to keep the information safe. Secure messages are encrypted at both ends of a point-to-point delivery, are stored on a secured network server, and are delivered to a single, known receiving entity.

According to Australia's National E-Health Transition Authority (NEHTA), three basic tenets of secure messaging are that it:

  • Prevents unauthorized interception of the message content;
  • Provides verification that the message has not been altered since it was sent; and
  • Provides system notification of successful delivery.

According to an AAOS report, to assist in the development of compliant messaging systems, The Joint Commission has established Administrative Simplification Provisions that outline four major areas that are critical to compliance:

  • Secure data centers -- Patient information is usually stored in data centers that are on-site or cloud-based, and HIPAA requires that the data centers have high-level physical security and policies for regularly conducting risk assessments and reviewing controls.
  • Encryption -- Electronic personal health information must be encrypted in transit (bidirectionally) and while in storage.
  • Recipient authentication -- All communications of electronic personal health information must reach (and only reach) their intended recipient, and the system should inform the sender when a message has been delivered and received.
  • Audit controls -- Any compliant messaging system must also have the ability to create and record an audit trail of all activity that contains ePHI [electronic protected health information]. For a text messaging system, this includes the ability to archive messages and information about them, to retrieve that information quickly, and to monitor the system.
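The three NEHTA tenets above (no interception, proof the message is unaltered, notification of delivery) and the four compliance areas (encryption, recipient authentication, audit controls, plus secured storage) map onto a small set of cryptographic mechanisms. The following Go program is an added illustration written for this page; it is not code from the article, NEHTA, AAOS, HRSA or The Joint Commission. It assumes a symmetric key already shared between one sender and one recipient (how that key is provisioned is out of scope), uses the names `dr.lee`, `patient-0042` and `mallory` as constructed identifiers, and stands in for a data center's audit store with an in-memory map. AES-GCM provides both confidentiality and tamper detection; binding the sender and recipient identities into the authenticated data means a copy of the stored ciphertext re-addressed to another party will not open; and a keyed HMAC receipt tells the sender that this particular recipient actually decrypted the message, which is the delivery notification SMS cannot provide.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Envelope is a sealed message as it travels and as it rests on the messaging server:
// the headers are readable there, the body is AES-GCM ciphertext plus its authentication tag.
type Envelope struct {
	ID, Sender, Recipient string // ID is random and safe to log or to quote in a receipt
	Nonce, Body           []byte
}

// audit is the trail of who did what to which message, and when. It stands in for a
// secured audit store; it deliberately never holds plaintext, so the log itself is not ePHI.
var audit = map[string][]string{}

func record(event, msgID, actor string) {
	audit[msgID] = append(audit[msgID], time.Now().UTC().Format(time.RFC3339)+" "+actor+" "+event)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds the message id and both parties into the authentication tag, so an envelope
// copied unchanged from the server but re-addressed to another recipient no longer opens.
func aad(env Envelope) []byte { return []byte(env.ID + "|" + env.Sender + "|" + env.Recipient) }

// Seal encrypts plaintext for exactly one recipient under the pairwise key (assumed pre-shared).
func Seal(key []byte, sender, recipient, plaintext string) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	buf := make([]byte, gcm.NonceSize()+8) // fresh nonce followed by an 8-byte message id
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	env := Envelope{ID: hex.EncodeToString(buf[gcm.NonceSize():]), Sender: sender, Recipient: recipient, Nonce: buf[:gcm.NonceSize()]}
	env.Body = gcm.Seal(nil, env.Nonce, []byte(plaintext), aad(env))
	record("sent", env.ID, sender)
	return env, nil
}

// Open decrypts on behalf of `me`. A wrong addressee, a modified body or modified headers
// all fail and yield no plaintext; every outcome, including rejections, is audited.
func Open(key []byte, me string, env Envelope) (string, error) {
	if env.Recipient != me {
		record("rejected-not-addressee", env.ID, me)
		return "", errors.New("message is not addressed to this recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Body, aad(env))
	if err != nil {
		record("rejected-integrity-failure", env.ID, me)
		return "", err
	}
	record("delivered", env.ID, me)
	return string(pt), nil
}

// Receipt is the delivery notification the recipient returns after a successful Open: an HMAC
// over the message id and recipient, so the sender learns this recipient opened this message.
func Receipt(key []byte, env Envelope) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte("receipt|" + env.ID + "|" + env.Recipient))
	return mac.Sum(nil)
}

// VerifyReceipt is the sender-side check, in constant time.
func VerifyReceipt(key []byte, env Envelope, receipt []byte) bool { return hmac.Equal(Receipt(key, env), receipt) }

func main() {
	key := make([]byte, 32) // constructed demo key; a real service provisions one per sender/recipient pair
	rand.Read(key)
	env, _ := Seal(key, "dr.lee", "patient-0042", "Your BP reading of 128/82 is fine; no medication change.")
	pt, err := Open(key, "patient-0042", env)
	fmt.Println("patient read:", pt, err)
	fmt.Println("sender verified receipt:", VerifyReceipt(key, env, Receipt(key, env)))
	stolen := env
	stolen.Recipient = "mallory" // the same stored ciphertext, re-addressed
	_, err = Open(key, "mallory", stolen)
	fmt.Println("re-addressed copy rejected:", err != nil, "audit:", audit[env.ID])
}
```

Run with `go run`: the patient reads the message, the sender's receipt check passes, the re-addressed copy is rejected, and the audit trail for the message id shows the send, the delivery and the rejection with no message content. Storing `Envelope` values rather than plaintext on the server is what makes the "encrypted while in storage" requirement hold even if the server's database is read by an insider or a backup is lost.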

Secure messaging in healthcare

Secure messaging is experiencing increased use in healthcare. Possible healthcare applications range from making (and confirming) medical appointments and asking medical questions to discussing treatment options and sending medical device readings (such as blood pressure) to a care provider. Secure messaging applications expedite processes that formerly were handled over the phone and avoid the compliance issues presented by default SMS programs.

A benefit of secure messaging, according to HIMSS, is that it "allows patients and healthcare teams to communicate non-urgent, health related information in a private and safe computer environment." Specific uses of secure messaging within the healthcare setting cited by HIMSS include:

  • Patient-clinician communication management;
  • Healthcare team management;
  • Message management; and
  • Patient services/clinical operations management.

It is important to recognize that secure messaging is not simply an email application, but a fully encrypted, secure system of communication. This enables secure messaging to be used in conjunction with other electronic or mobile health services.

According to NEHTA, some of the documented benefits of secure message delivery include:

  • It allows for the secure, encrypted exchange of sensitive clinical information and documents (including eReferrals and discharge summaries) and prevents the unauthorized interception of the private content contained within the message.
  • It reduces the use of paper-based correspondence resulting in less time wasted searching for clinical information and investigations, resending or chasing referrals, and performing other miscellaneous activities (such as scanning, printing, filing and posting).
  • Confidential patient correspondence is seen only by the treating clinicians (no scanning of documentation is necessary).
  • Notification of the successful delivery of messages, allowing the sending party to know that a message has been successfully received (and decrypted) by the proper receiving party.
  • It has the potential to improve the quality of clinical care through improved timeliness of the providers' receipt of clinical information.

As society becomes increasingly digitized, consumers expect the convenience of digital communications to extend to healthcare. Given the popularity and convenience of consumer-grade messaging services on mobile devices, there are obvious opportunities to transform both provider-to-provider and patient-provider communications in healthcare. Healthcare organizations need to be observant of regulatory requirements and technical considerations in order to protect individuals' electronic health information, so that efficient electronic provider-provider and patient-provider communications do not succumb to faulty practices and overwhelming security concerns.

About the author:
Trevor Strome, M.S., PMP, leads the development of informatics and analytics tools that enable evidence-informed decision making by clinicians and healthcare leaders. His experience spans public, private and startup-phase organizations. A popular speaker, author and blogger, Strome is the founder of, and his book, Healthcare Analytics for Quality and Performance Improvement, was recently published by John Wiley & Sons Inc.
