Legal, ethical, and practical risks
In today’s very fast-paced healthcare environment, convenience often drives communication choices. Text messaging, with its immediacy and simplicity, may seem like an efficient way to connect with patients and colleagues. However, medical providers must be aware that texting patients, other providers, and business associates, especially when it involves protected health information (PHI), can expose them to significant legal, ethical, and professional risks. This article outlines why standard text messaging is problematic and why secure messaging through platforms like Epic or other electronic medical records (EMRs) is the safer, smarter alternative.
Text Messages Are Discoverable in Legal Proceedings
One of the most overlooked risks of texting patients, colleagues, or even family and friends is that these messages are discoverable in court. In both civil and criminal cases, courts routinely admit text messages as evidence. Whether the communication occurred on a personal or work device, if it pertains to patient care or medical decision-making, it can be subpoenaed and scrutinized.
Text messages can be used to establish intent, demonstrate negligence, or support malpractice claims. Even deleted messages may be recoverable through forensic analysis or service provider records. Healthcare providers should assume that any message could one day be read aloud in a courtroom.
HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) sets strict standards for the protection of PHI. Standard SMS texting platforms—such as iMessage, WhatsApp, or regular phone messaging—do not meet HIPAA’s technical safeguards. These platforms lack encryption, audit trails, and access controls, making them vulnerable to interception, unauthorized access, and data breaches.
HIPAA does not explicitly prohibit texting, but it requires that any electronic transmission of PHI be secure. This includes:
- Encryption during transmission and at rest
- Access controls to ensure only authorized users can view messages
- Audit trails to track who accessed or modified PHI
- Authentication protocols to verify user identity
Most consumer-grade messaging apps fail to meet these requirements. Even if a patient consents to receive texts, the provider remains responsible for ensuring compliance. A breach resulting from unsecured texting can lead to fines, lawsuits, and reputational damage.
Unsecured Communication: A Gateway to Data Breaches
Healthcare is one of the most targeted industries for cyberattacks. Insecure communication methods, like texting, can be exploited by malicious actors to gain access to sensitive patient data. According to recent studies, over 93% of healthcare organizations have experienced data breaches in the past five years.
Risks include:
- Interception of messages during transmission
- Loss or theft of devices containing unencrypted messages
- Forwarding of messages to unauthorized recipients
- Lack of control over message retention on third-party servers
These vulnerabilities not only violate HIPAA but also may compromise care quality.
The Illusion of Convenience
While texting may seem convenient, it often leads to fragmented communication. Messages sent via personal devices are not automatically documented in the patient’s medical record, creating gaps in clinical documentation. This can result in missed follow-ups, inconsistent care plans, and increased liability.
Moreover, texting lacks the structure and accountability of EMR-integrated communication. There’s no guarantee that the message was received, read, or acted upon. In contrast, secure messaging platforms offer read receipts, timestamps, and patient linkage, ensuring continuity and traceability.
Secure Messaging Through EMRs
EMR platforms like Epic’s Secure Chat or OnPage offer a HIPAA-compliant solution for clinical communication. Integrated directly into the EMR, these tools allow providers to:
- Communicate in real time with other clinicians and patients
- Attach messages to specific patient records
- Ensure encryption and access control
- Maintain audit trails for compliance
Epic Secure Chat, for example, is accessible via desktop and mobile apps (Haiku, Canto, Rover), and supports group messaging, patient-specific threads, and asynchronous communication.
Legal and Ethical Best Practices
To protect themselves and their patients, providers should adopt the following best practices:
- Avoid using personal devices for patient communication unless they are managed by Mobile Device Management (MDM) software.
- Do not send PHI via standard text messaging apps.
- Use secure messaging platforms integrated with your EMR.
- Document all patient communications in the medical record.
- Educate staff on HIPAA-compliant communication protocols.
- Obtain patient consent when using electronic communication and inform them of the risks.
- Regularly audit communication practices to ensure compliance.
Conclusion: Protecting Patients and Providers
Texting patients, colleagues, or business associates may feel like a shortcut, but it’s a risky detour from best practices. The legal discoverability of messages, combined with HIPAA compliance challenges and cybersecurity threats, makes unsecured texting a liability. Medical providers are far better served by using secure, EMR-integrated messaging platforms that protect patient data, streamline workflows, and ensure regulatory compliance.
By embracing secure communication tools, providers can uphold the highest standards of care while safeguarding themselves from legal and ethical pitfalls.
Christine L. Stanley is a healthcare law and medical negligence defense attorney with Sturgill, Turner, Barker & Moloney, PLLC. She can be reached at cstanley@sturgillturner.com or (859) 255-8581. This article is intended as a summary of state and/or federal law and does not constitute legal advice.