Today, healthcare providers and organizations are increasingly relying on electronic document signing to enhance and streamline the patient experience. However, when it comes to transmitting protected health information (PHI), ensuring that these processes comply with the Health Insurance Portability and Accountability Act (HIPAA) is critical. SMS (short message service) and eSignatures are two tools often used in healthcare settings, but they must be handled properly to protect patient privacy and comply with HIPAA regulations.
In this blog, we’ll explore how BoldSign can facilitate a HIPAA-compliant eSignature process, even when using SMS to send links for documents. For a deeper understanding of compliance fundamentals, you can also review the HIPAA eSignature requirements checklist, which outlines the key safeguards healthcare organizations should follow.
The Challenges of SMS and HIPAA Compliance
Unfortunately, SMS lacks essential security features such as encryption and access control, which makes it inherently noncompliant with HIPAA. Without proper precautions, the use of SMS within organizations that manage PHI can lead to unauthorized access and data breaches. Here’s why:
- Lack of Encryption: Standard SMS messages are not encrypted, which means they can be intercepted and read by unauthorized parties.
- Limited Access Control: Once a message is sent, the sender has no control over who accesses it or how it is used.
- Security Vulnerabilities: SMS messages can be easily spoofed, intercepted, or otherwise compromised.
HIPAA mandates that any communication involving PHI must be secure and protect patient privacy. This means sending PHI over regular SMS without precautions violates HIPAA regulations.
Is SMS Allowed Under HIPAA?
Yes, SMS is allowed under HIPAA, but it is not compliant by default. HIPAA does not prohibit SMS, but it requires strong safeguards when PHI is involved.
To use SMS responsibly, healthcare organizations must minimize risk by:
- Avoiding PHI in SMS messages (use SMS only to send neutral notifications or links)
- Applying access controls, such as authentication before document access
- Maintaining audit logs to track who accessed and signed documents
- Keeping PHI inside a secure, HIPAA-compliant system, not in the text message itself
When these safeguards are in place, SMS can be used safely as part of a compliant workflow.
Making SMS Work for HIPAA Compliance
While SMS itself is not HIPAA-compliant, steps can be taken to ensure the secure transmission of eSignature links via SMS by using BoldSign.
To use SMS in a HIPAA-compliant manner, healthcare providers must take several steps:
- Enable HIPAA Compliance in Your BoldSign Account: This lets our teams know to apply the additional security precautions your BoldSign account needs so that PHI is protected and secure.
- Sign a BAA: Syncfusion requires a Business Associate Agreement (BAA) to be in place with customers who are Covered Entities or Business Associates. You can request one through your sales representative, the legal team, or the support team.
- Obtain Patient Consent: Patients must provide explicit consent to receive links via SMS, acknowledging the potential risks involved.
How to Do It in BoldSign
BoldSign enables HIPAA-compliant eSignatures while using SMS as a secure delivery channel.
- Send PHI-free SMS messages that contain only a secure signing link
- Enable authentication to control document access
- Use encryption to protect documents at rest and in transit
- Rely on tamper-evident audit trails for compliance and accountability
- Sign a Business Associate Agreement (BAA) for healthcare use cases
Learn more about sending secure eSignature links via SMS: BoldSign SMS Sending Feature Page
eSignatures and HIPAA Compliance
The same SMS security concerns apply when eSignature links are delivered by text message. eSignatures can still be part of a HIPAA-compliant process with these measures:
- Encryption and Secure Access: Ensure your eSignature platform, like BoldSign, is HIPAA-compliant, utilizing encryption and secure authentication to protect documents once accessed.
- No PHI in the SMS: The SMS should only contain a general link to the secure platform and not include any PHI directly in the message.
- Sign a BAA with the eSignature platform: Ensure that the platform signs a BAA, as they will be handling PHI on your behalf.
- Patient Consent: Obtain explicit consent from patients to send links or communications via SMS, informing them of potential risks.
- Turn on Authentication for Your Document: Within BoldSign, you can enable authentication for each document no matter what form of communication you are using when sending them for signature.
- Audit Trails: The eSignature platform, like BoldSign, should maintain audit trails and logs to track access and signing activity, which are crucial for HIPAA compliance and security.
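To make the safeguards in this list and in "Is SMS Allowed Under HIPAA?" concrete, here is an added Python model of a PHI-free SMS link workflow. It is illustration written for this article, not BoldSign's code or API: the signing domain, the patient record and the PHI patterns are constructed placeholders, and the access code delivery is assumed to happen out of band. It shows the three properties the text asks for: the SMS carries only an opaque link, the document is released only after authentication, and every step is appended to an audit log.

```python
"""Model of a PHI-free SMS signing-link workflow: opaque link, access gate, audit log."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record; the values are placeholders, not real data.
PATIENT = {"name": "Jane Doe", "dob": "1984-03-02", "mrn": "MRN-000123"}
SIGNING_BASE_URL = "https://sign.example.test/s/"  # assumed placeholder domain


@dataclass
class SigningRequest:
    token: str        # opaque random value; reveals nothing about the patient or document
    code_hash: bytes  # SHA-256 of the one-time access code; the plaintext code is never stored
    phone: str
    audit: list = field(default_factory=list)


def audit_event(req, event, **details):
    """Append a timestamped entry; the log never contains PHI, only events and hashes."""
    req.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details})


def create_request(phone):
    token = secrets.token_urlsafe(32)
    code = f"{secrets.randbelow(10**6):06d}"
    req = SigningRequest(token=token,
                         code_hash=hashlib.sha256(code.encode()).digest(),
                         phone=phone)
    audit_event(req, "created", channel="sms")
    # The code is delivered out of band (assumption for this example), never in the same SMS.
    return req, code


def compose_sms(req):
    # Neutral notification: a link and nothing that identifies the patient or the document.
    return f"You have a document to review and sign. Open: {SIGNING_BASE_URL}{req.token}"


# Heuristic PHI shapes (ISO date, MRN-style identifier); a policy check, not a complete PHI detector.
PHI_PATTERNS = [re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), re.compile(r"\bMRN-\d+\b", re.I)]


def contains_phi(text, record):
    """True if the message body echoes any record field or matches a PHI-shaped pattern."""
    lowered = text.lower()
    if any(str(v).lower() in lowered for v in record.values()):
        return True
    return any(p.search(text) for p in PHI_PATTERNS)


def send_sms(req, record):
    """Gate outbound SMS: refuse and log if the body would carry PHI."""
    body = compose_sms(req)
    if contains_phi(body, record):
        audit_event(req, "sms_blocked", reason="phi_detected")
        raise ValueError("refusing to send SMS containing PHI")
    audit_event(req, "sms_sent", to=f"***{req.phone[-4:]}",
                body_sha256=hashlib.sha256(body.encode()).hexdigest())
    return body


def open_document(req, presented_code):
    """Authentication gate: the document (the PHI) is released only if the code verifies."""
    ok = hmac.compare_digest(hashlib.sha256(presented_code.encode()).digest(), req.code_hash)
    audit_event(req, "auth_success" if ok else "auth_failure")
    return ok


if __name__ == "__main__":
    req, code = create_request("+15550100")
    print(send_sms(req, PATIENT))
    print("opened:", open_document(req, code))
    for entry in req.audit:
        print(entry)
```

The link token is the only thing a phone's message store, a carrier, or an interceptor ever sees, so the compromise of the SMS channel exposes no PHI; the access code and the audit trail are what turn the link into a controlled, accountable entry point into the secure system.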
Conclusion
While SMS is not HIPAA-compliant by default, healthcare providers can securely send eSignature links by using BoldSign as their HIPAA-compliant eSignature platform. By leveraging BoldSign’s encryption, secure access, and HIPAA compliance, healthcare providers can confidently send eSignature links via SMS while safeguarding PHI.
The key to HIPAA compliance is using the right tools and practices, and BoldSign is here to help you achieve that. If you're still evaluating your options, the article Comparing Vendors? Top HIPAA-Compliant Platforms can help you understand how different solutions approach security, compliance, and healthcare use cases.