Technology Decision Makers

A group for those in nonprofit IT decision-making roles to connect with peers and share best practices. This Technology Decision Makers group is for nonprofit IT or MIS Directors/Managers as well as CIOs and CTOs to connect with their peers and share best practices. Topics for discussion include, but are not limited to: hardware and software management, product reviews, emerging technology, best practices, collaborating effectively with other departments, and management conundrums. Membership is restricted to IT staff at nonprofit organizations.

Texting policy

  • 1.  Texting policy

    Posted Oct 04, 2018 09:28
    Fellow IT Decision Makers,
    If this topic has already been covered, please point me in the right direction. I searched but alas, did not find.

    FSL is a large agency covered under HIPAA among other regulatory statutes and laws and we also strive to achieve best practice in all we do.

    Lately, we have been made aware that it is possible that staff are communicating with their patients or clients (covered under HIPAA) using text messaging. We have no policy on this.

    The HIPAA committee is now working on remedying this by creating a new policy, but I have some doubts about whether we are doing the right thing. If it were up to me, I'd just say NO TEXTING CLIENTS OR PATIENTS but I realize that texting is a valuable tool so I have to choke it down or suck it up or whatever that metaphor is.

    A process to get the client/patient formal consent to text is being incorporated with our other consent forms, so we have a workflow.

    My big question is: once the client/patient has consented, can the staff initiate communication containing ePHI via SMS?

    Thanks as always,

    Grace Barry
    Director of Information Technology
    Family Service League
    Huntington, NY

  • 2.  RE: Texting policy

    Posted Oct 05, 2018 08:48
    Hi Grace,

    We are an MSP based in NY and we are dealing with the exact same issue for one of our non-profit clients in the Family Services area as well.
    We recommended they use a third-party HIPAA consultant (not ourselves) like HIPAA Secure Now to get the definitive answers they need and we would help them to implement. From our discussion with them, getting your client to sign a document does not absolve your organization from the legal aspects if PHI were to be exposed. But please get an answer from a HIPAA expert. Happy to discuss further with you about how we are handling it with our nonprofit.


    Allen Chu
    Director of Business Development
    TeamLogic IT of White Plains
    White Plains, NY

  • 3.  RE: Texting policy

    Posted Oct 05, 2018 14:16
    The issues are much bigger than consent. Regular text messages travel over public networks; you'd need to use an encrypted messaging platform to be compliant if you're sending any PHI. You also need to do a risk assessment and staff training, and your encrypted messaging system also needs to have the ability to remotely wipe messages from client phones, in case they're stolen.

    Assuming you're compliant in terms of the tech infrastructure and policy framework, you can send ePHI via encrypted text.

    Here's a good recent article

    Isaac Shalev
    Stamford CT

  • 4.  RE: Texting policy

    Posted Oct 08, 2018 10:02
    Thank you all for the prompt replies.
    I will bring this back to our committee.
    I was happier with the initial email from CMS saying there was a total ban, actually. Basing my opinion on the demos of secure texting and knowing our user and client base, I am not confident that a secure platform would be used, causing more confusion for the staff and frustration for the end users.
    I'll let you know what our internal decision and actions are.


    Grace Barry
    Director of Information Technology
    Family Service League
    Huntington, NY