Beware of HIPAA-Related Text Messaging Risks, Warns LeClairRyan Attorney

Share Article

Recent blog post by Melissa (Lisa) Thompson offers tips to healthcare providers to safeguard patient confidentiality

Lisa Thompson

The important thing is to take affirmative steps right now to analyze the risk and manage texting, rather than considering the risks and implementing appropriate controls only after a problem develops

The ease, speed and efficiency of mobile device-based text messaging has made it a primary communications tool among doctors and other health care providers, covered entities, and business associates. But this convenience can also lead to security risks, cautions Melissa (Lisa) Thompson, a shareholder in national law firm LeClairRyan's Boston office.

“Unless preventive measures are employed, anyone with access to the mobile device will have access to the text message,” writes Thompson in a recent blog post at Information Counts, which focuses on the legal issues that arise from considerations of privacy, data security, information technology, outsourcing, e-commerce, the Internet and social media, cloud computing, big data and information management. “The text can be accessed when the device is lost, stolen, or even when it is returned or recycled. Additionally, the protections implemented by information technology and other departments of covered entities and business associates, such as firewalls, may not cover texts, which can be intercepted and decrypted.”

Issues like these fall squarely under federal HIPAA (Health Insurance Portability and Accountability Act of 1996), which not only protects patient information from being accessed, but requires certain patient health information (PHI), to be accessible to patients and their authorized representatives.

“When text messages are used in patient care decision-making, there is a potential risk of noncompliance if the provider is not able to accommodate the individual who requests access to their record,” adds Thompson, a member of the firm’s Healthcare and BioPharma & Life Sciences industry teams. “There is no single, easy answer when it comes to addressing texting concerns, but at a minimum, to satisfy the HIPAA-required risk analysis and management, a covered entity or business associate should include an analysis of mobile phones and other devices on which PHI and texts are created, received, maintained or transmitted.”

Healthcare entities can consider, among other options, adopting policies that require the deletion of all texts within a period of time, and using technology that can wipe information or remotely disable mobile phones if they’re lost or stolen, she advises. Other approaches include encryption and password protection, and implementing policies or guidelines limiting the type of information that texts contain: for example, not using patient names or other identifiers.

Thompson notes that organizations can also consider switching to secure messaging applications; requiring that texted PHI be added to the medical record, while providing a mechanism for doing so; and training workforce members about required texting policies and procedures. They should also impose sanctions for workforce members that violate the policies.

“Organizations may identify different levels of risk and institute different types and levels of controls,” writes Thompson. “Implementing controls related to texting can be difficult for an organization. The important thing is to take affirmative steps right now to analyze the risk and manage texting, rather than considering the risks and implementing appropriate controls only after a problem develops.”

She notes that the U.S. Department of Health and Human Services offers suggestions regarding mobile devices on its website.

To read Thompson’s full blog post, visit:

About LeClairRyan
As a trusted advisor, LeClairRyan provides business counsel and client representation in corporate law and litigation. In this role, the firm applies its knowledge, insight and skill to help clients achieve their business objectives while managing and minimizing their legal risks, difficulties and expenses. With offices in California, Colorado, Connecticut, Delaware, Georgia, Maryland, Massachusetts, Michigan, Nevada, New Jersey, New York, Pennsylvania, Texas, Virginia and Washington, D.C., the firm has approximately 380 attorneys representing a wide variety of clients throughout the nation. For more information about LeClairRyan, visit
Press Contacts: At Parness & Associates Public Relations, Bill Parness, (732) 290-0121,

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Bill Parness
Parness & Associates
+1 (732) 290-0121
Email >
Visit website