
Security and Privacy Considerations

Know the Laws and Regulations


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to regulate the use and disclosure of protected health information (PHI), which consists of "individually identifiable health information." HIPAA describes this information as any demographic information relating to past or present health conditions, healthcare received, and payments for healthcare, along with any identifiers such as name, address, birth date, and social security number.(1) HIPAA's security rule includes specific security standards for the disclosure and storage of electronic health information and requires safeguarding of PHI. Text messaging is regulated under this rule when it involves the transmission and/or storage of PHI. The security rule requires covered entities to conduct a thorough risk analysis to determine threats to the safety of PHI. Some texting platform companies advertise that they are HIPAA compliant, but they provide secure communication only within a closed network.

FTC's CAN-SPAM Act of 2003

The Federal Trade Commission (FTC) enacted the CAN-SPAM law to protect the privacy of consumers. This law applies to text messaging campaigns and requires that recipients are told how to opt out of receiving text messages and that those opt-out requests are honored in a timely manner. Penalties for non-compliance can reach up to $16,000.

FCC's Telephone Consumer Protection Act

The Telephone Consumer Protection Act (public law 47 U.S.C. § 227) was originally passed in 1991 and affects text messaging. It has had some modifications, the most recent of which took effect on October 16, 2013. However, the act exempts healthcare-related calls. Check with your legal department or the FCC website for more information.


The American Recovery and Reinvestment Act of 2009 includes the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was written to promote the use of technology in healthcare and ensure compliance with HIPAA rules. The HITECH Act increases the U.S. Department of Health and Human Services' ability to impose penalties for violations of HIPAA rules. Under the HITECH Act, penalties for violations have a maximum of $1.5 million, and penalties cannot be barred for unknown violations unless corrections are made within 30 days.(2)

FDA regulations on medical devices

The FDA published its Mobile Medical Application Guidance for Industry and Food and Drug Administration Staff on September 25, 2013. Although this document does not apply specifically to text messaging, researchers may benefit from being familiar with these guidelines and the FDA's two regulatory approaches: "regulatory oversight" and "exercise enforcement discretion". A mobile app that "controls a medical device or supplies patient-specific data to a medical device" will be regulated by the FDA. In contrast, a mobile app that "helps patients document, show, or communicate potential medical conditions to health care providers" would fall under the "exercise enforcement discretion" category. The "exercise enforcement discretion" category means that the FDA does not intend to enforce requirements under the Food, Drug & Cosmetic (FD&C) Act. Text messaging applications that allow health care providers to communicate with patients could potentially fall into this latter category.(3)


  1. U.S. Department of Health and Human Services. Summary of HIPAA (PDF).
  2. U.S. Department of Health and Human Services. (2009) HHS Strengthens HIPAA Enforcement.
  3. U.S. Food and Drug Administration. (2013) FDA issues final guidance on mobile medical apps.
