Sending PHI Over SMS

I recently was talking with a doctor who told me about a healthcare communications company called YouCall MD. The doctor liked many of the features that YouCall MD provided. He loved that they would answer your Live Calls, transcribe a message to you and send you that message by SMS. Well, he loved all of it except the part that YouCallMD was using insecure SMS messages to send protected health information (PHI).

I wrote about this before in my post called “Texting is Not HIPAA Secure.” I know that many doctors sit on all sides of this. I heard one doctor tell me, “They’re not going to throw us all in jail.” Other doctors won’t use SMS at all because of the HIPAA violations.

While a doctor probably won’t get thrown in jail for sending PHI over SMS, they could get large fines. I think this is an even greater risk when sending PHI over SMS becomes institutionalized through a service like YouCallMD. This isn’t a risk I’d want to take if I were a doctor.

Plus, the thing that baffles me is that there are a lot of secure text message services out there. Using these services would accomplish the same thing for the doctor and YouCall MD and they wouldn’t put a doctor or institution at risk for violating HIPAA. Soon the day will come when doctors can send SMS like messages on their phones in a secure way and they won’t have to worry about it. I just think it’s a big mistake for them to be using their phone’s default SMS.

About the author

John Lynn

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • A friend of mine is an Android programmer who once gave me a really good idea of how insecure SMS is as a communication technology.

    With little more than an Android phone and his programming skills, he was able to write a script that would just listen to the messages going back and forth. The receiving side is encrypted, so he couldn’t read those, but the sending side is not, so he could read half of every conversation at the time.

    Of course, TCP/IP is quite similar. Every network device on a network hears and sees the traffic from every other network device. There’s a reason in networking that throughput tends to be about half of bandwidth.

    13,050 days

  • Tim,
    That’s exactly my point. SMS isn’t encrypted. However, there are many SMS like options out there that are encrypted and your friends script wouldn’t crack. In fact, there are even some free options for doctor too.

    Same applies to TCP/IP and is why all EHR vendors use encryption for all their communication. It’s not a hard problem to solve if people just do it.

  • I was agreeing with you. I thought it was helpful to offer a real live example of exactly what “insecure” can mean with SMS. 🙂

    Beyond the SMS topic, it’s less the transmissions of the information that make me nervous, and more the destinations that we assume are secure at the other end. And I’m not even talking about data breaches when I say that so much as figuring out why HITECH needed to expand HIPAA access and disclosure to 701,325 entities and 1.5 million business associates.

    13,050 days

  • That’s true. Encrypted doesn’t always mean secure. Although, it’s a big step in the right direction. You still have to secure the end points and ensure the identity of the sender and receiver, etc.

  • In addition to getting the information into and out of encryption, as you correctly raise here, I think he was also referring to the information when its encrypted itself. There are varying levels of encryption quality or difficulty, and a programmer can write code to directly decrypt the transmission with brute force.

    13,051 days

Click here to post a comment