Dear Midwife: Here's why text messages are not HIPAA-compliant

By: Facundo Gauna (Founder/CEO)

Adhering to HIPAA compliance can be overwhelming for solo providers and small practices who must also run the operations of a business. Understanding and applying regulatory requirements requires extra time and effort for out-of-hospital midwives who don't have the vast resources available in hospital systems. However, adhering to these compliance requirements will help increase client trust and avoid potential security and privacy issues. This article will cover why text messages are not HIPAA-compliant, and how you can use them in a compliant way with some work.

Note: This article has been reviewed by a HIPAA third-party consultant for its accuracy.

Before we get started

In this article, we assume you're an out-of-hospital midwife who runs a solo practice or is part of a group practice. If you're a different healthcare provider, we hope you find this relevant, valuable, and, most likely, still applicable. Having a basic understanding of HIPAA compliance requirements will be helpful.

Why are text messages not HIPAA compliant?

Text messaging poses several challenges in terms of HIPAA compliance:

  • Lack of Encryption: Standard text messaging lacks encryption to protect Protected Health Information (PHI). When data is encrypted on your phone, it often means that only a certain application can access that data. Text messages are not encrypted on your phone. They are just files on your phone; if someone broke into your phone, they could download your text messages.
  • Inadequate Authentication and Access Control: Text messaging offers no adequate way to verify the identities of the individuals involved in a conversation, which raises the risk of sharing PHI with unauthorized parties. HIPAA calls for this kind of control. For example, let's say you're a business owner and run a birth center with multiple midwives. If you were to part ways with a midwife and they were no longer employed, you would be unable to remove their access from specific patient conversations because they're stored as text messages.
  • No Audit Trails: Regular text messaging does not provide audit trails, which are crucial for tracking access to and disclosure of PHI, and it's another HIPAA requirement. Here's a real story: A midwife's practice was subpoenaed for a court case of a client vs. their employer. The midwife’s practice was a witness. The defense team was trying to build a recollection of events and evidence for the case, and there were hundreds of text messages. The best way to gather the evidence and establish the order of events was to record a screen capture video of the midwife scrolling through their text message conversation. Wouldn't it be better to download the audit of what was sent and when so that it could be professionally submitted to the court of law?
  • No Control Over PHI Distribution: Once PHI is sent via text, there's no control over its redistribution, potentially leading to the unauthorized sharing of sensitive and protected health information. In other words, once you send the text, you can't un-send it. Another example is that you can copy text messages. If you can copy someone else’s text message, you can easily distribute its contents to someone else. A HIPAA-compliant app would help you distribute that information to whoever is authorized without having to trust people to copy and paste or take screenshots of conversations.

How to be HIPAA-compliant with text messages?

HIPAA compliance always applies when discussing, storing, and accessing Protected Health Information (PHI). Figuring out the best time to schedule an appointment is not considered PHI or sensitive information unless there is additional information about an individual’s past, present, or future physical condition and specific identifiers are involved in the process. These can include email addresses, phone numbers, or dates of birth.

If you or your client wants to use text messages to exchange information, it is acceptable under certain conditions. You must start with informed consent. For example, you could say this to your client when they start care:

Hello [Client's Name], this is [Your Name] from [Your Practice]. For secure communication regarding your care, we prefer using [other solution], which ensures the confidentiality and safety of your health information. However, if you find text messaging more convenient, we can accommodate this. Please be aware that standard text messaging is not secure for discussing sensitive health information. There are risks, such as unauthorized access or interception. If you choose to proceed with text messaging, it's important to understand and accept these risks. Please reply confirming your preference and, if you opt for text, your acknowledgment of these risks. Thank you!

Other Drawbacks Beyond HIPAA Compliance

Beyond compliance issues, other challenges make client management more difficult. For example:

  • Lack of boundaries - Once the client has finished their care with your practice, they can continue asking for medical advice for years. Also, there is often no ability to schedule messages, meaning anxious and sleepless mothers can text you in the middle of the night with non-urgent messages.
  • You can't schedule-send (iOS) - If you're up all night because of a birth, you can't be productive and schedule messages for your other clients.
  • You can't broadcast messages - Have you tried to cancel a busy clinic day because you're at a birth and no one can cover? Don't you wish you could just say, "Clinic is canceled"?
  • Tedious to answer the same question over and over again - Have you found yourself answering the same question over and over again over text? You could go to other conversations and copy and paste, but sometimes, that can take just as long to find the message you want to copy. Could you send a templated message or an informative PDF/video?
  • No read receipts - Have you sent someone a critical and time-sensitive message, but you need to know if they read it? Is it hard to go about your day when that is in your mind?
  • Clients forget - They forget about your vacation, and they forget to contact the backup midwife. They also forget you're busy because you're running the clinic even though they don't have an appointment that day.

We're building a better way.

HIPAA-compliant means meeting all HIPAA Security and Privacy Rule requirements. At Hello Midwife, we're building a HIPAA-compliant messaging app that can help you lessen stress and take off some of the mental load you might have. Midwifery is full of burnout, and we want to make a difference for the people who give so much of themselves.

We hope you found this article helpful, even if you're not a midwife.
