According to Tiger Text, HIPAA compliant messaging is “a means of secure communication by which healthcare organizations and other associated businesses can safeguard electronic protected health information (ePHI) while facilitating an open flow of sensitive patient information between authorized users.” But in a paper published May 2013, “Clarifying the Confusion about HIPAA-Compliant Texting”, Megan Hardiman and Terry Edwards, employed by Katten, Muchin, and Rosenman, LLP and PerfectServe, respectively, argue that there is no such thing as HIPAA compliant messaging. HIPAA security rule compliance requires a system of physical, administrative and technology safeguards that support the HIPAA compliant use of electronic communication. They contend that appropriate safeguards must be in place to ensure the privacy and security of PHI (protected health information) communications.


In fact, text messaging represented only a small sliver on the pie chart representing the different modalities used to communicate at a 364-bed hospital that generated close to 200,000 outbound communications to physicians annually. Included in the modes of communication were voice calls, secure voice and text messages, SMS text messages and alpha/numeric pages. The Department of Health and Human Services (HHS) was required in 1996 to create standards for the use and disclosure of protected health information and to address the security and privacy of such information. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 amended those provisions. Among the changes made by HITECH were the extension of direct liability for HIPAA violations to business associates, strengthened penalties for violations and enhancements to the enforcement environment. The final rule became effective March 26, 2013, with a compliance deadline of September 23, 2013.

According to Tiger Text, with HIPAA secure text messaging solutions system administrators can monitor access to encrypted ePHI and any transmission of sensitive patient information, and healthcare facilities that use HIPAA compliant messaging keep communications safe and comply with regulations through apps for secure messaging. They have also found that it enhances employee workflows, increases productivity and raises the standard of patient healthcare. The Final Rule requires a covered entity (CE) to notify HHS of breaches that represented significant harm to individuals from unsecured PHI. Organizations must demonstrate through a risk assessment a low probability for breaches. This means that CEs and their business associates must implement appropriate physical, administrative and technical safeguards to ensure the confidentiality and integrity of all available ePHI they create, receive, maintain or transmit.


Administrative safeguards include both conducting risk analyses and staff training. Other effective safeguards include ensuring locked locations for network servers and technical safeguards such as encryption and the use of secure passwords. Senders must know for certain that their messages are received by the intended recipient and the recipients must know for sure the messages they receive are from an authorized medical representative.