How To

HIPAA Compliance:#1 Factor In Choosing A Secure Messaging App

July 1, 2014 | Adam Turinas

Over the next few weeks, we will be sharing what we believe are key factors to consider in selecting a HIPAA-compliant secure messaging solution for care coordination. There are nine factors that we reviewed in this post and they are based on feedback from discussions with Health IT buyers.

First and foremost, the number one factor to consider is HIPAA compliance. Protecting patient health information (PHI) is not only good practice but it’s also a major risk for your organization.

As you evaluate the HIPAA compliance of secure texting solutions here are some critical issues to consider:

1. Messages are sent 256-bit encrypted – The single most important issue is that messages are encrypted in transit. A minimum of 256-bit encryption is standard.

2. Messages and other key data are encrypted at rest on applications. This means that if bad people break into the user’s phone they can’t read PHI.

3. Data is encrypted on server. Protecting you data with a secure firewall is a given. Many IT buyers are requiring the extra step of encrypting data on the server.

4. PHI is not viewable on app without a secure login to the app. This means that the app cannot be opened without a PIN or password but also that message notifications do not contain any PHI.

5. Two-factor authentication to add user to system. This means that a user cannot use your application without two ways of being authenticated. We do this by providing a validated user with a personal access code. They then have to set up a PIN on the app.

6. Authentication key is controlled by your admin, ie you have control over who has access to the app.

7. Messages are auditable. It is a key HIPAA requirement that any database of PHI can be audited on request.

8. All messages are erased after 24 hours or less. It is best practice to remove PHI from a user’s phone after 24 hours minimizing the amount of PHI in the app at a given time.

9. Admin can wipe a user’s app remotely to remove them from the system and any PHI in the app is removed.

10. Messages are archived for as long as requested. Archive is securely managed to comply with HIPAA requirements in audited data center.

11. Continuous vulnerability monitoring is in place. Access requires two-factor authentication. Application and database are isolated.

12. There are clear policies on user responsibilities, and warning if/when a user may risk a HIPAA violation.


If you would like to see the complete list of critical factors to consider when choosing a secure text provider you can download a secure text comparison checklist here and let us know if we have missed anything:


securetxt checklist CTA banner