Best Practices for Implementing HIPAA-Secure Texting 


June 21, 2023


  • Implementing HIPAA-secure texting is crucial for organizations seeking regulatory compliance and improving communication and workflow.  
  • To ensure success, clarify your goals and craft a compelling message, involve key stakeholders from IT, legal, and clinical departments, update and communicate policies, and create a robust implementation plan.  
  • By following these four best practices, organizations can harness the power of secure texting to enhance productivity, reduce costs, and provide a better experience for staff and patients.

You’ve been tasked with leading the charge toward HIPAA-compliant secure texting. The technical setup is easy and can be done quickly. However, more work is necessary to ensure that you are getting the most out of your investment.

Here are 4 best practices to help build and sustain momentum.    

1. Clarify Your Goals  

There are many benefits to secure texting. But what are the main objectives for your organization? What factors are you trying to impact? For most organizations, goals include one or more of the following:  


HIPAA regulations are certainly the primary reason organizations seek a secure texting solution. But it helps to document the specific risks you are looking to mitigate. For instance:  

  • Shift staff & physicians who are communicating now by text/SMS onto a HIPAA-compliant messaging platform.  
  • Streamline the HIPAA risk assessment process for mobile vendors by selecting a texting vendor.  
  • Have a Business Associate Agreement with your texting vendor.


Successful communication is often a key factor in both reducing costs and improving patient outcomes. Documenting the details transforms this from a general goal into actionable (and measurable) objectives:  

  • Who will use this solution (e.g., doctors, nurses, call centers, on-call providers, certain departments)?  
  • What are the intended flows of communication (e.g., Doctor to Doctor, Nurse to Doctor, Call Center to Doctor)?  
  • How will those intended workflows be improved by the solution and what specific forms will those improvements take?  


Estimate the ROI (return on investment) for the proposed solutions by outlining the direct and indirect costs that will be impacted:  

  • Hard savings. What current costs can be eliminated or reduced? For example, are you replacing pagers or other organization-provided hardware with a BYOD (bring your own device) solution? The hardware costs saved are direct costs.
  • Soft savings. These savings are harder to document but also have impacts beyond pure cost reduction. Estimate the hours and service impact of reducing the number of phone calls/callbacks needed to achieve a result.
  • Cost of regulatory non-compliance. $45,000 per provider up to $1,000,000 per incident for a PHI security breach.

Once you have documented your goals, it’s time to craft your “key message.” This is a short statement that clearly explains these goals (or the top priorities if there are many) in a conversational way. This will be your “go-to” message or “pitch” as you talk to people about this project. Don’t forget to include the “why” — people are more likely to accept change when they understand the need for it.  


2. Get Your Organization on Board  

If you haven’t already done so, you need to run your secure texting service of choice through some checks and balances to make sure it will work for your entire organization. Bring together a small team of end users and decision makers to validate the solutions from several perspectives, including:  

  • IT & Security  
  • Compliance & Legal
  • Clinical and support staff
  • Executive & Operations leaders  

It’s tempting to want to limit your conversations and meetings about your solution to get it off the ground more quickly (or so you think). But nothing delays implementation longer than an unforeseen requirement or resistance from cross-functional teams. Taking the time at the start of your project to get the right people on board is actually the best way to ensure an on-time and successful rollout. This process can also help you lay the foundation of your implementation plan, by getting opinions on factors such as:  

  • Will you need to restrict access to any specific users or groups?  
  • Should the solution be purely mobile or mobile with a desktop interface as well?
  • Should it be rolled out initially in small groups or organization-wide? 
  • Which group/team should be my test unit or pilot? Pick a group that is excited about the technology and ideally is well-respected in the organization.
  • Implement Active Directory integration to reduce barriers to use.

3. Update and Communicate Your Policies  

Your secure texting policy needs to cover things like:  

  • If BYOD is allowed, what devices are approved or excluded? Is a specific operating system or any additional security download required?
  • All messages on the secure platform are the property of the organization and can be accessed, read, deleted or otherwise used by the organization.
  • All messaging needs to be secure: text, images, files, etc. all need to be transmitted on the secure platform. Staff may not use unsecured SMS texting for organization use.
  • What types of messages are allowed/not allowed over the secure platform? For example, medical orders can be texted, but must be verified verbally as well.
  • Will your organization allow the use of personal devices (“bring your own device” or BYOD) or will it supply devices to those who need them?
  • When and how should users report a lost or stolen device (so that remote lock & wipe can be activated)? 
  • How long will messages be retained on devices and in the system? How should older messages be retrieved if needed? 
  • Do your use cases need EHR integration to upload patient forms and pictures into the medical record?  

4. Supercharge Your Implementation Plan  

IT teams are often used to rolling out backend solutions or changes that few people will notice or care about. This is NOT one of those solutions. Texting is personal, it’s social and everyone will be talking about it. So make sure the rollout of secure texting is successful by super-charging your implementation plan.  


Set and communicate your planned go live date. Communicate the date, expected benefits and impact to the user.  

Of course, choosing a good date is also important. Plan around holidays and other events that compete for staff time and attention, such as an EMR implementation or upgrade.  

Consider whether to roll out group-by-group or organization-wide. Either way, it’s best to first complete a “pilot” rollout to one small group as a learning experience. Then proceed with either a phased or organization-wide rollout.  



Be sure that all users have downloaded the app and are familiar with how to personalize their device. For example:  

  • Uploading a profile picture  
  • Setting the user’s default presence. For example, do you want sound notifications? Do you want messages forwarded to another number while you are away?
  • Personalizing notifications, sounds and alerts to each user’s preference  
  • Setting your login preferences, whether that be a login or biometric marker  
  • Establish a plan to train and set expectations for new hires.

Plan for training that includes both product training and policy changes. Plan for the initial go live in addition to how you will train and set expectations for new groups and new hires.


Once your first group and use cases go live, closely monitor users for the need to provide targeted training and support. Superusers will naturally develop. Celebrate these people and use them as mentors for new hires. Capture stories of how secure texting is impacting staff and share these stories widely. 


As your initial group settles into their new routines and workflows, look for additional uses. This can include:  

  • Coordinating patient throughput  
  • Sharing diagnostic results and images  
  • Expediting code responses  
  • Building messaging templates to address common needs  
  • Communicating bed readiness
  • Dispatching remote staff
  • Expediting data processing from remote staff
  • Enabling GPS tracking of staff and remote distress signaling
  • Communicating and managing on-call staff assignments, including automatic call routing and shared calendars
  • Capturing and uploading consents
  • Speeding onboarding
  • Expediting referrals
  • And much more…

Regardless of whether you are a hospital, ambulatory clinic, or a post-acute organization, HIPAA-secure texting can dramatically reduce phone calls and improve team communication and collaboration, improving the experience of both your staff and patients.

The Author
Bobbi Weber

Bobbi is a lifelong learner who is passionate about enabling healthcare transformation. She has 20+ years of healthcare experience in care delivery, consulting, healthcare IT, and market strategy.
