888.996.6993 | 24/7 Support
BlogData SecurityGuide to HIPAA Regulation for Text Message (SMS), Phone Call and Email Communication 

Guide to HIPAA Regulation for Text Message (SMS), Phone Call and Email Communication 

Disclaimer: The information provided in this blog post is for general informational purposes only and should not be considered legal advice. Every legal situation is unique, and it is important to consult with a qualified attorney for personalized advice. No attorney-client relationship is formed by reading or accessing this blog post. While we strive to provide accurate and up-to-date information, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information contained in this blog post. Any reliance you place on the information is strictly at your own risk.

In today’s digital age, healthcare providers and organizations need to navigate various regulations to ensure the privacy and security of patient information. One such important regulation is the Health Insurance Portability and Accountability Act (HIPAA), which governs the transmission of electronic protected health information (e-PHI). In this article, we will explore the HIPAA requirements for different types of communication, including text messages, phone calls, and emails.

HIPAA Security Rule and Encryption

In general, under the HIPAA Security Rule, covered entities and business associates must implement technical security measures to protect e-PHI during its transmission over electronic communication networks. While encryption is not explicitly mandated, it is considered an addressable standard. This means that covered entities and business associates need to assess the use of open networks, identify appropriate security measures, and implement encryption if deemed reasonable and appropriate. If encryption is not feasible, an equivalent alternative measure should be implemented and documented.

Email Communication and HIPAA

HIPAA does not prohibit the use of email for sending e-PHI, but it does require covered entities to implement policies and procedures to safeguard the integrity and protect against unauthorized access of e-PHI. If covered entities choose to send unencrypted emails containing e-PHI, they must inform patients about the associated risks and obtain the patient’s preference and consent for receiving unencrypted communication. In such cases, covered entities are not responsible for unauthorized access to protected health information during transmission or after delivery to the individual.

Text Messages and HIPAA

Similar to email, unencrypted text messages are considered equivalent to unencrypted emails under HIPAA. Covered entities must apply the same principles, including informing patients about the risks and obtaining their preference for unencrypted communication. However, it’s important to note that the HIPAA rules for unencrypted email and text communications only apply when they are sent to patients, not when they are sent from patients. 

Message Content and TCPA Considerations

Whether a message contains e-PHI or not for purposes of HIPAA will be a case-by-case determination based on the totality of the content in the message. However, alongside HIPAA, healthcare organizations must also consider the requirements of the TCPA when communicating via text messages, phone calls, or emails. The TCPA regulates telemarketing calls and messages and requires prior express consent for certain communications. Although a detailed discussion of the TCPA is beyond the scope of this article, it is essential to acknowledge its relevance and the need for compliance when engaging in various types of communication. 

Tailoring Consent and Compliance

Given the varying requirements of HIPAA and TCPA, healthcare providers can ensure compliance by obtaining a broad consent from patients to receive calls and unencrypted text and email messages. It is also 


Complying with HIPAA regulations is crucial for healthcare organizations when communicating with patients. The Security Rule and the option of encryption provide guidance on securing e-PHI during transmission, while HIPAA’s rules for email and text communications require informed patient consent. Additionally, considering the requirements of the TCPA is essential to ensure compliance in all types of communication. By understanding and adhering to these regulations, healthcare organizations can protect patient privacy and provide secure communication channels for their stakeholders.

Explore Icon’s HIPAA-Compliant Solutions today.

Leave a Reply

Your email address will not be published. Required fields are marked *

2045 W Grande Ave, Suite B
PMB: 20577
Chicago, IL 60612

© 2022 Icon.  All rights reserved.