Five Essential Considerations In Choosing A Secure Text Messaging Service


It’s crunch time. With just over two weeks until the Sept 23rd HIPAA Omnibus deadline, as the CIO of a healthcare provider facility you’ve come to discover that a number of your physician and nurse providers have been communicating with one another over standard text messages, exchanging information in a HIPAA-noncompliant manner. However, there’s still time before these events turn into reportable breaches, so you decide to implement a secure text messaging application. What are the most important features you must take into consideration in choosing a vendor?

1. Peer-to-Peer Encryption
Any secure text messaging service is better than nothing, but not all services are created equal. A P2P encryption infrastructure ensures that PHI is sent only directly from user to user, cutting out the middleman vendor server. Using a cloud-based, decrypt-store-re-encrypt service leaves your stored PHI at the mercy of your vendor’s security controls.

2. Data Archiving
Just because you use a P2P encryption product doesn’t mean that you can’t store your own data. The best secure text messaging services give their users complete control over their data, allowing them to store messages in their own data center or cloud. This sort of data can provide all sorts of benefits to a CIO, from provider benchmarking information to even medical malpractice defense evidence.

3. Read Confirmation and Time Stamps
These features add two essential benefits: usability and compliance protection. Read receipts ensure that urgent information was communicated to the recipient, allowing the sender to take other actions if necessary. Moreover, in the event of a lost phone or other security incident, the ability to prove that the PHI-containing message was never read by a potentially malicious third party is an essential component of a breach analysis.

4. Access Logs
Speaking of breach analyses, the new breach standard outlined in the HIPAA Omnibus Regulations requires the analyst to prove that PHI was not accessed by a third party. Proving a negative can be almost impossible, especially in the context of a lost phone with locally stored PHI. However, if the secure texting application can provide access logs for the secured application, an analyst can easily show that the PHI in question was kept safe. This can make all the difference in a multimillion-dollar privacy lawsuit.

5. Intuitive Usability
Finally, a secure text messaging service will only be effective if your users decide to adopt it as a replacement for SMS. Therefore, usability is paramount. A simple interface goes a long way in achieving this, as do intuitive features such as group messaging and file attachment. A usable service not only keeps your providers happy, but it also helps get your users to buy in and stop texting PHI.

About Richard Wagner, JD

With a background in healthcare data security and privacy, Richard provides qliqSOFT and its customers guidance on IT regulatory compliance issues. Prior to his time at qliqSOFT, Richard served as the compliance and security officer for a number of health IT and provider organizations. Richard has also consulted industry groups on regulatory issues, assisting the ILHIE in its efforts to create a statewide health information exchange and guiding the ABA eHealth Security subgroup in interpreting the recent HIPAA/HITECH Omnibus regulations. Richard has a law degree with a concentration in health law studies from the Saint Louis University School of Law.
