Is SMS HIPAA compliant?

Updated: 06/04/2024

Question

Is SMS HIPAA compliant?

Applies To

  • SMS
  • HIPAA

Answer

SMS messaging is not HIPAA compliant. The SMS protocol does not meet HIPAA compliance requirements.
The following are the most common issues preventing the use of SMS in a HIPAA compliant environment:
  1. SMS messages are not encrypted,
  2. SMS messages cannot be recalled if sent to the wrong recipient,
  3. SMS messages can be intercepted on public Wi-Fi networks,
  4. SMS messages are unaccountable,
  5. SMS does not have an automatic logoff facility,
  6. Copies of SMS messages remain on the servers of service providers indefinitely.
Given the nature of SMS messaging, the only resolution to these issues is to exclude any PHI from messages sent in SMS format. Note that the HIPAA regulations for SMS also apply to other messaging services such as WhatsApp and iMessage, and to email.
Though the HIPAA regulations for SMS do not specifically prohibit the use of a Short Message Service to communicate Protected Health Information (PHI), they do stipulate that certain conditions must be in place before the use of SMS to communicate PHI can be HIPAA compliant.
A number of third parties provide ‘secure messaging’ services and products which are intended to provide HIPAA compliant messaging.