Telcoms Store SMS Text Message Details – Not HIPAA Compliant

As an extension to my previous post called “Texting is Not HIPAA Secure” I wanted to point out some data that Wired posted about Telcom’s SMS message retention policies.

The information was found in a Department of Justice document and I believe is a good illustration for why PHI should not be sent through traditional SMS text messaging. Here’s the chart that wired created showing the major Telcom providers record retention policies:

The top 2 sections are the most important when it comes to secure text messaging. Last I checked, the telcom servers weren’t HIPAA secure. Not to mention, I can’t say I’ve seen a Telcom provider sign a business associate agreement with a healthcare provider. Neither of things are likely to ever happen.

The challenge is that text message is so valuable in healthcare. It’s such a simple and flexible way to communicate between doctors, nurses, staff, HIM, etc etc etc. This is why I predict over the next year we’re going to see a huge uptick in adoption of secure text messaging by third parties. The technology is there. We just need wider spread adoption of it in healthcare.

About the author

John Lynn

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Wouldn’t simply sending a SMS message without text be a violation? It “identifies the individual” via their cellular # which you were given in confidence as part of health information…
    And wouldn’t this be true with social networking? When friended, tweeted, etc. it also publically “identifies the individual” to others!

  • I assume you mean a text from doctor to patient? There’s some intricacies there to be considered, but it’s definitely on shaky ground even without the text. However, I was referencing doctor to doctor texting in the above thoughts. Then, the content of the text really matters. If they’re just saying, “I’ll be there in 10 minutes,” no issue. If they’re saying “John Smith was prescribed XYZ drug today.” That’s an issue with standard SMS text.

  • HIPPA and text messaging is pretty clear – it is a violation since standard SMS is not secure, the messages say on the servers and there are multiple copies of the messages throughout the system. The only way to do HIPAA compliant texting is to use a HIPAA compliant text messaging service that uses a secure network, encrypts the messages and provides for manual or auto delete such as Tigertext or one of the large MDM systems.

Click here to post a comment