
Reaction and Analysis: Office of Civil Rights Takes a Position on Text Messaging in Healthcare

If you ask a group of people who work in healthcare whether texting is a compliant form of communication, you are likely to get a wide variety of answers: “you can,” “you can’t,” “you can, but no PHI,” “PHI is fine.” There has long been a desire for clarity on this grey and murky topic. At HIMSS 2018, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), shed some much-welcome light on compliance around healthcare texting.

Before we get to Severino’s comments, let’s address why everyone is so confused.

Two types of texting defined

There are two different types of texting that operate very differently and serve very different needs, but both are commonly referred to by the same term, “texting.” The first type is what general consumers think of as texting, or Short Message Service (SMS) to use its technical term. This is the default texting app on your phone, paid for through your carrier, that many people use to send and receive texts every day. It is unsecured. For clarity, I will refer to this as SMS. The second type is proprietary and app-based, offered by multiple app providers. It is used by healthcare providers (mostly doctors and nurses) to communicate with one another about patient-related care inside and outside the walls of the health center. It can also be used by providers to communicate with patients, provided the patient has downloaded the app being used and created an account for it. It is secure. For clarity, I will refer to this as Secure Texting.

PHI and texting

Handling PHI through texting is the source of a lot of confusion and debate. Because of its provider-to-provider focus, Secure Texting needs to meet certain technical standards for HIPAA compliance:

  • encryption of message data in transit and at rest
  • reporting/auditability of message content
  • passcode enforcement
  • authentication
  • permissions management capabilities

With these safeguards in place, PHI of all risk levels can be communicated through that channel.

SMS is an unencrypted channel, so one might assume no PHI can be sent. Actually, that is not true. Encryption is not mandated. Instead, a healthcare company must assess whether encryption is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting PHI. If encryption is not deemed reasonable and appropriate, the covered entity must implement alternative safeguards.

Because the SMS format is fundamentally incapable of encryption, companies have the discretion to make a case-by-case determination under HIPAA whether it is reasonable and appropriate for SMS texts to contain PHI. A key factor is the nature of the PHI to be disclosed. Many healthcare companies are comfortable including low-risk PHI in SMS texts, such as a patient’s first name, the fact that the patient has a medical appointment, or the fact that the patient has a medical condition (without specifying what the medical condition is). So, under current policy, while it is not explicitly defined, low-risk PHI can be sent through the text channel within the boundaries of HIPAA guidelines.

The 2017 Clarification on Secure Texting and Patient Orders 

Since 2011, there has been considerable back-and-forth on whether Secure Texting can be used for communicating patient orders. In December 2017, the Joint Commission issued a clarification explicitly stating the use of Secure Texting for patient orders is prohibited. The document also recommended healthcare organizations should have policies prohibiting the use of SMS for communicating PHI. Expanding on this statement, the Joint Commission explained, ‘Organizations are expected to incorporate limitations on the use of unsecured text messaging in their policies protecting the privacy of health information’ (Joint Commission, 2017). This position is in line with the broader HIPAA Security Rule policy requiring healthcare organizations to weigh the risks and benefits of sending unencrypted text messages.

The HIPAA Omnibus Final Rule

In 2013, the HIPAA Omnibus Final Rule allowed healthcare providers to communicate PHI with patients through unencrypted e-mail as long as the provider informs the patient that their e-mail service is not secure, gains the patient’s authorization to accept the risk, and documents the patient’s consent. This clarified the use of e-mail for provider-to-patient communications. (Just to be clear, providers cannot communicate PHI to one another using unencrypted e-mail.)

Notably, the rule did not mention anything about SMS, which is somewhat frustrating as SMS is the most widely adopted communication channel by just about everybody. Some interpret the rule as applying to SMS as well because both are unencrypted electronic channels. Others want more clarity.

Clarity from OCR

Speaking at the HIMSS health IT conference in Las Vegas on March 6, Roger Severino said that healthcare providers may share PHI with patients through standard (SMS) text messages. Providers must:

  • warn their patients that texting is not secure
  • gain the patients’ authorization
  • document the patients’ consent

Severino’s comments are yet to make it into policy, but the OCR has long promised guidance on this topic. As the country is in a period of intense deregulation, it is reasonable to assume a ruling on the topic is imminent.

What does this mean for healthcare companies?

That depends on whether the healthcare company is already using SMS to reach and engage their patients. Many companies have well-established SMS programs. SMS has bubbled to the top as the most effective channel to engage patients about their health:

  • Increased chronic condition medication adherence from 30% to 44% in a non-adherent Medicare population
  • Reduction in members reporting they would use the Emergency Department for a minor condition from 11% to 4%
  • Reduction in procedural no-goes by 50%

Many healthcare companies are comfortable with the unencrypted nature of the channel and include PHI in line with their compliance department’s requirements. For these companies my advice would be to continue to drive as much value through the SMS channel while meeting current compliance guidelines. These companies will then be in a position to capitalize most when there is a change in policy that increases the breadth of use cases for which SMS can be used to engage patients and health plan members.

For companies that are not using the SMS channel to engage patients, I see this as clear notice that SMS is a channel where you should invest. 95% of the adult population uses the SMS channel and 98% of SMS texts are read. No other channel has that level of adoption and engagement. Because of this reach, the impact of SMS on both clinical and administrative outcomes is well established and will only go up with policy that increases the breadth of use cases for which the channel can be used.

Docent Health Chooses mPulse Mobile to Scale and Deepen Their Personalized Healthcare Journeys

Docent Health’s patient relationship management platform leverages mPulse’s configurable and interactive text messaging solution to deliver personalized journeys and a customer experience that efficiently scales, helping health systems differentiate in the market.

BOSTON, MA – March 1, 2018 – mPulse Mobile, the leader in mobile health engagement solutions, and Docent Health, the industry leader in helping health systems manage and grow customer relationships, are pleased to announce their partnership. Docent Health recognized the value of interactive and targeted text messaging as an effective method to maintain a trusted channel of communication with patients at scale and turned to mPulse to incorporate their innovative mobile engagement technology into their communication strategy to drive engagement, retention, and customer advocacy.

Docent Health leverages multiple messaging capabilities from mPulse Mobile. By using a combination of real-time conversations, pre-scripted communications and responses, and rules-based messaging triggered by a wide range of use cases (e.g., time, date, recurrence, and consumer profile), Docent Health is able to get consumers the right information at the right time and develop strategic campaigns that support patient engagement and growth strategies.

The result is a Docent Health-designed messaging solution that achieves mission- and growth-oriented goals yet retains the sense of human touch and individualization that is so important in today’s consumer-centric world.

“At the core of Docent Health’s approach is connecting with patients early in their decision-making process, building awareness and conversion with prospective patients and continuing to build activation, loyalty, and advocacy throughout the customer relationship,” said Paul Roscoe, Chief Executive Officer, Docent Health. “With the mPulse Mobile engagement solution, our customer-centric approach is extended and enhanced with the use of micro-targeted, personalized, and interactive text messaging.”

With 71% of Docent managed patients opting to have text messaging as their primary communication channel, Docent Health can scale interactions to the tens of thousands of patients they serve. Once embedded in their best-in-class experiences, Docent Health is driving a market-leading 46% click-through rate on links to key resources. This means digital communications are directly translating into patients feeling better supported; improving both patient education and customer engagement.

“Healthcare companies recognize the need to meet consumers where they are to improve patient activation and achieve their health and business outcomes,” said Chris Nicholson, Chief Executive Officer, mPulse Mobile. “Docent Health is a true innovator in raising the bar on delivering amazing patient experiences with integrating mobile engagement into their patient journey design.”

Healthcare providers and payers have been improving health and business outcomes with mPulse solutions for years and, more recently, innovative healthcare experience companies like Docent Health have turned to mPulse Mobile to fully realize the advantages of interactive text messaging to create powerful, tailored touchpoints that improve the consumer experience, drive engagement and streamline operations.

To learn more about Docent Health and mPulse Mobile at the upcoming HIMSS18 conference:

  • Join the session “Scaling a Customized Patient Experience” featuring Candice Monge, Chief Nursing Officer, Dignity Health’s Marian Regional Medical Center, and Royal Tuthill, Co-founder, Docent Health on March 6th at 8:30am in Palazzo B
  • Join the session “Tailored Conversations for Consumer Activation” featuring Chris Nicholson, CEO, mPulse Mobile on March 7th at 1:30pm in the Bellini Meeting Room
  • Visit or schedule a meeting with mPulse Mobile in booth #20 in the Connected Health Experience.


Docent Health is a healthcare experience company that helps organizations truly embrace and deliver a consumer-centric approach to healthcare. Docent’s tech-enabled service combines digital and human interactions to guide patients and accommodate their specific needs and preferences. With Docent, health systems can provide differentiated, empathetic services to their patients and referring providers, becoming a preferred destination for care and empathy. For more information, visit or follow us on Twitter and LinkedIn.