7 Best Practices For Successful Secure Text Messaging

The ability for physicians, nurses and other members of a patient’s care team to communicate via HIPAA compliant secure text message on a mobile device has the potential to improve the efficiency and safety of patient care.

However, once providers send text messages containing patient protected health information, the healthcare facility exposes itself to risks. The sender may not know with certainty whether the message was received by its intended recipient. Text messages that lack encryption are not secure.

Your organization can face heavy fines and government penalties if healthcare providers send unsecured mobile text messages. Thus, as with any other technology or any other mechanism for providing care, it is important to have policies and procedures in place.

Here are seven best practices to have in place before allowing text messages to be sent or received by providers who work within your organization:

  1. Ensure all mobile devices are secure: It may seem obvious, but the first priority must be to ensure the security of every device used to send and receive mobile text messages that contain protected patient healthcare information. Has your healthcare organization identified all the mobile devices that providers are using within the organization? How are you keeping track of them? Your healthcare organization should have a policy that either forbids the use of personal mobile devices for work-related reasons, or requires those mobile devices to be securely encrypted by your facility prior to being used for text messaging. Mobile encryption software is critical to reduce the risks associated with sending text messages on mobile devices, particularly when it comes to preventing unauthorized users from accessing a patient’s healthcare or financial information.
  2. Establish texting policies: In addition to encryption standards, it’s important to set guidelines for the type of healthcare information that may be shared via secure text message, who should send and receive such texts, and on which mobile devices. Will you allow providers to use mobile devices to access your EHR or other internal network or system? Will you allow providers to use their own personal mobile devices for texting purposes, even when they are away from your organization?
  3. Educate staff about your texting policies: Because violations of secure text message policies or the inability to put the safeguards in place can compromise patient safety, it is important that all healthcare staff involved with sending or receiving text messages be trained on the office’s texting policies, the types of content used in text messages and how to ensure that text messages containing healthcare information are sent securely.
  4. Use a third-party, HIPAA-compliant, secure texting solution: DrFirst’s Backline secure text messaging app enables secure, encrypted communication between doctors, nurses and other healthcare providers. It connects your organization with healthcare workers inside and outside of your facility – even if they aren’t part of your organization.
  5. Establish a policy on whether to allow providers to text patients: Patients are unlikely to have encrypted mobile devices, so a text sent to a patient may not be secure if the patient leaves the mobile device unattended. As a result, the text message could be viewed by someone other than the recipient, and the provider might unwittingly compromise the patient’s privacy.
  6. Communicate your policy to patients: Whether or not patient communication is part of your texting policy, be sure to inform patients about how their healthcare information will be used. The texting policy can be part of the HIPAA acknowledgment that patients sign, and it is also a chance to let patients know that the healthcare provider takes patient security seriously and that only secure, encrypted text messages will be sent.
  7. Ownership of messages: It’s important to make clear that all messages transmitted by employees of your healthcare organization are the property of your organization and not of the individual providers who are sending or receiving the messages.