The Texting Problem: When SMS Between Crews Becomes a HIPAA Issue
Every agency I walk into has the same gap. The crew texts. The captain gets a patient update from the back of the truck. The next-due station gets a heads-up over SMS. A supervisor gets something that was never supposed to leave the patient's room.
Nobody does it because they want to break the rules. They do it because it is faster than logging into the secure messaging app. In EMS, speed wins every time. The question for agency leadership is whether speed wins on your terms.
When Does Texting a Patient Update Become a HIPAA Violation
The test for whether an SMS carries PHI is simple to state. Protected health information is health information tied to something that identifies the patient: a name, an address, an age, a date of birth, a description that singles one person out. A message that says "Unit 12 is clear from County General" is operational chatter. A message that says "The 65-year-old male from 123 Main with chest pain is stable, heart rate 70" pairs two identifiers (age and address) with a complaint and a vital sign, and that is a disclosure of PHI.
The Security Rule's transmission security standard, 45 CFR 164.312(e)(1), requires covered entities to guard against unauthorized access to ePHI transmitted over an electronic network. Encryption of that traffic is an addressable implementation specification, which means you implement it or document why an equivalent measure is reasonable; it does not mean you may skip it. Carrier SMS is not end-to-end encrypted: the message sits in plaintext at the carrier and at any intermediary that handles it. iMessage is end-to-end encrypted between Apple devices, but Apple will not sign a Business Associate Agreement with your agency. Without a BAA, any PHI you send over iMessage sits outside your compliance perimeter.
There is a gray zone where crews use coded language. "The patient in the blue shirt" or "Room 4 is our priority." This reduces surface-level risk but does not create a formal safeguard. A determined review of the message thread combined with other context can still re-identify the patient. If you are relying on coded language instead of a policy, you have a policy gap.
Is Texting Patient Info Over SMS a HIPAA Violation for EMS Crews
Yes, when it contains PHI. The answer does not change because the message was short or because the recipient was the supervisor. OCR looks at the content of the transmission, not the intent behind it.
The harder question is whether the agency knew it was happening. If OCR finds that crews have been texting PHI for months or years and leadership never addressed it, the finding can shift from a correctable lapse to willful neglect. Willful neglect is the highest of the HITECH penalty tiers, and a finding of it forecloses the lower tiers, which are reserved for entities that did not know or had reasonable cause. A documented policy and an enforcement record are what put you in that lower-tier position.
Cloud backups add another layer. An iMessage is stored on the device. It is also copied to Apple's servers by iCloud Backup unless that is turned off, and by Messages in iCloud if that is turned on. Neither copy is covered by a BAA. The crew member who left the agency two years ago still has a thread of PHI in their personal iCloud account. None of that is within your reach: you cannot wipe it, you cannot audit it, and you cannot even find it to know it is there.
What OCR Guidance on SMS and PHI Disclosure Actually Requires
OCR has not issued a single guidance document specifically about EMS texting. The requirements come from the Security Rule's plain language. Access control is a requirement. Transmission security is a requirement. You are required to protect ePHI from unauthorized access whether it is at rest or in motion.
NIST SP 800-124 Rev. 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise, is the mobile device baseline to cite in your risk analysis. The controls that matter here are a device passcode (on iOS, the passcode is what puts the data-protection keys behind user authentication), device encryption, and remote wipe, all enforced through MDM. For a multi-station service, that means MDM is not optional. If your agency issues smartphones without a Mobile Device Management profile enforcing those controls, you are below the baseline that guidance describes, and an investigator will ask why.
A previous article called "The HIPAA Risk Analysis That Holds Up Under OCR Review" covers how to document these risks and your mitigations in a way that survives an investigation. The risk analysis is the foundation. The policy enforces it.
How to Write a Mobile Messaging Policy for Fire Departments
A defensible mobile messaging policy for a fire or EMS agency needs four components.
Start by defining operational chatter explicitly. Give concrete examples. "Unit X is clear," "Requesting a lift assist," and "Returning to station" all belong in that category, as does "What is the apparatus assignment for the next call?" The crew needs to know exactly what is permitted on SMS. Ambiguity drives behavior into the gray zone.
Name the approved tool explicitly. Do not write "a secure messaging platform shall be used." Write "SecureApp (or whatever your vendor is) is the only authorized platform for transmitting ePHI between crew members." If you have not selected a tool yet, the first filter is whether the vendor will sign a BAA; "HIPAA-compliant" on a marketing page is not a substitute for one. TigerConnect works in this space. So does Spok. Verify the BAA covers your deployment model, including where the messages are hosted and any subcontractors the vendor uses.
Enforce a zero-PHI rule for carrier SMS. A hard line with no exceptions for supervisors or the chief: no patient identifiers over SMS. If a crew member needs to communicate clinical information, they open the approved app.
Implement MDM on every device that touches patient data. Require a device passcode, because on iOS the passcode is what puts the data-protection keys behind user authentication; encryption without a passcode protects very little. Enforce remote wipe, and set a local wipe after repeated failed passcode attempts for the phone that goes missing in a parking lot. Disable iCloud Backup through the MDM restriction, and do not let crews sign agency devices into personal Apple IDs: whichever account the device is signed into is the account that ends up holding the backup.
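As an added example of the device controls above, not a fragment from the article or from Apple, the block below builds the Restrictions and Passcode payloads of an iOS configuration profile with Python's standard plistlib and then audits an exported profile against the same baseline, so the check that a crew phone actually has iCloud Backup off and a passcode enforced can be scripted rather than eyeballed. The org.example.ems identifier prefix, the display names and the numeric thresholds are assumptions to replace with your agency's values; the payload keys themselves are Apple's documented Restrictions and Passcode keys. Remote wipe is not a profile key but an MDM command sent to an enrolled device, which is why enrollment itself is the control for that requirement.

```python
"""Build and verify an iOS configuration profile for the messaging policy's
device controls. Added example, not the article's own material. Uses only the
Python standard library and Apple's documented Restrictions and Passcode
payload keys; identifiers, UUIDs and thresholds are assumptions."""
import plistlib
import uuid

ORG_PREFIX = "org.example.ems"   # assumed reverse-DNS prefix for payload identifiers

# Restrictions payload (com.apple.applicationaccess). The cloud copies the
# policy warns about are switched off here. Remote wipe is not a profile
# setting; it is the EraseDevice command the MDM sends to an enrolled device.
REQUIRED_RESTRICTIONS = {
    "allowCloudBackup": False,        # no iCloud Backup of the device
    "allowCloudDocumentSync": False,  # no iCloud Drive sync of app documents
    "forceEncryptedBackup": True,     # any local computer backup must be encrypted
}

# Passcode payload (com.apple.mobiledevice.passwordpolicy). The passcode is
# what puts iOS data-protection keys behind user authentication.
REQUIRED_PASSCODE = {
    "forcePIN": True,
    "allowSimple": False,        # no 1234 / 1111 style codes
    "minLength": 6,
    "maxInactivity": 2,          # minutes of idle time before auto-lock
    "maxGracePeriod": 0,         # passcode required immediately after lock
    "maxFailedAttempts": 10,     # device wipes itself after this many bad codes
}

# Comparing a deployed value against the baseline: booleans must match,
# numeric limits may be stricter than the policy but not looser.
NUMERIC_DIRECTION = {"minLength": "ge", "maxInactivity": "le",
                     "maxGracePeriod": "le", "maxFailedAttempts": "le"}


def _payload(ptype, name, body):
    p = {"PayloadType": ptype, "PayloadVersion": 1,
         "PayloadIdentifier": f"{ORG_PREFIX}.{name}",
         "PayloadUUID": str(uuid.uuid4()).upper(),
         "PayloadDisplayName": name}
    p.update(body)
    return p


def build_profile():
    """The profile as a dict; plistlib turns it into the .mobileconfig XML."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.messaging-controls",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "EMS Messaging Device Controls",
        "PayloadRemovalDisallowed": True,   # crews cannot remove it from Settings
        "PayloadContent": [
            _payload("com.apple.applicationaccess", "restrictions", REQUIRED_RESTRICTIONS),
            _payload("com.apple.mobiledevice.passwordpolicy", "passcode", REQUIRED_PASSCODE),
        ],
    }


def render_profile(profile=None):
    """Serialize to plist XML bytes, ready for the MDM to sign and push."""
    return plistlib.dumps(profile if profile is not None else build_profile())


def _meets(key, got, want):
    direction = NUMERIC_DIRECTION.get(key)
    if direction == "ge":
        return got >= want
    if direction == "le":
        return got <= want
    return got == want


def check_profile(data):
    """Audit an exported profile (plist bytes) against the baseline. Returns a
    list of findings; empty means every required control is present and at
    least as strict as the policy demands."""
    prof = plistlib.loads(data)
    payloads = {p.get("PayloadType"): p for p in prof.get("PayloadContent", [])}
    findings = []
    for ptype, required in (("com.apple.applicationaccess", REQUIRED_RESTRICTIONS),
                            ("com.apple.mobiledevice.passwordpolicy", REQUIRED_PASSCODE)):
        payload = payloads.get(ptype)
        if payload is None:
            findings.append(f"missing payload {ptype}")
            continue
        for key, want in required.items():
            if key not in payload:
                findings.append(f"{ptype}: {key} not set (policy wants {want!r})")
            elif not _meets(key, payload[key], want):
                findings.append(f"{ptype}: {key}={payload[key]!r}, policy wants {want!r}")
    if not prof.get("PayloadRemovalDisallowed"):
        findings.append("profile is user-removable")
    return findings


if __name__ == "__main__":
    xml = render_profile()
    print(xml.decode())
    print("findings:", check_profile(xml))
```

Push the rendered profile from the MDM, which will sign it, and run check_profile over profiles exported back from enrolled devices or from the MDM console to catch drift. A non-empty findings list is an entry for the risk analysis, not just a console warning.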
For multi-station services, the friction problem becomes a deployment problem. If the secure app takes too many taps to open or requires re-authentication after every dispatch, crews will find reasons to bypass it. Vet the tool for speed of access before you deploy it. Ask your vendor how many taps it takes to send a message from a locked phone. If the answer is more than three, you will have adoption problems.
Audit, Training, and the Real-World Gap
A policy is not a control until it is enforced. Your agency should have a process for auditing SMS usage on agency devices. That does not mean reading every message. It means having the technical capability to review and the documented authority to do so.
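Here is an added example of that audit step, not code from the article: a heuristic screen that labels each line of an SMS export as OPERATIONAL, REVIEW or PHI using the page's own distinction, an identifier paired with clinical content. The pattern lists, the sender names and the sample export are constructed for the example; how you obtain the export from your MDM or a device backup is agency-specific and is not shown. Note what it does and does not catch: it flags the chest-pain message and a titled name with a blood pressure, marks the "blue shirt" stroke alert for human review, and passes "Room 4 is our priority" as operational. That miss is exactly the coded-language gap described earlier, and it is why a screen like this supports an audit rather than replacing the zero-PHI rule.

```python
"""Heuristic PHI screen for an SMS export. Added example, not from the
original article. Classifies each message as OPERATIONAL (safe for SMS under
the policy), REVIEW (clinical content with no identifier the patterns
recognize) or PHI (identifier plus clinical content). Patterns and sample
messages are constructed; tune the word lists to your radio vocabulary."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Identifiers: anything that points at one patient. Bare names are not
# attempted (too many false positives on unit and hospital names).
IDENTIFIER_PATTERNS = {
    "age": re.compile(r"\b\d{1,3}[- ]?(?:y/?o|year[- ]old|yrs?)\b", re.I),
    "dob": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    # street number + capitalized word, excluding apparatus designators like "Unit 12"
    "address": re.compile(
        r"(?<![Uu]nit )(?<![Ee]ngine )(?<![Mm]edic )(?<![Rr]escue )(?<![Ss]tation )"
        r"\b\d{1,5} [A-Z][a-z]{2,}\b"),
    "titled_name": re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.? [A-Z][a-z]+\b"),
}

# Clinical content: a complaint or condition, or a vital sign with a value.
CLINICAL_PATTERNS = {
    "complaint": re.compile(
        r"\b(?:chest pain|stroke|seizure|cardiac arrest|overdose|unresponsive|"
        r"stable|fracture|diabetic|gsw|trauma|sob|laceration|cpr|narcan|intubated?)\b",
        re.I),
    "vitals": re.compile(
        r"\b(?:hr|heart rate|bp|spo2|gcs|rr|bgl|cbg)\s*:?\s*\d{2,3}(?:/\d{2,3})?\b",
        re.I),
}


@dataclass
class ScreenResult:
    text: str
    category: str                      # "OPERATIONAL", "REVIEW" or "PHI"
    identifiers: list = field(default_factory=list)
    clinical: list = field(default_factory=list)


def screen(text: str) -> ScreenResult:
    """Apply the page's rule: identifier + health information = PHI."""
    ids = [k for k, rx in IDENTIFIER_PATTERNS.items() if rx.search(text)]
    clin = [k for k, rx in CLINICAL_PATTERNS.items() if rx.search(text)]
    if ids and clin:
        category = "PHI"
    elif clin:
        category = "REVIEW"       # clinical detail, re-identifiable with context
    else:
        category = "OPERATIONAL"
    return ScreenResult(text, category, ids, clin)


def audit(messages):
    """messages: iterable of (sender, text). Returns per-sender counts by
    category, which is the report a supervisor needs: who is putting PHI
    over SMS, not what it said."""
    report = {}
    for sender, text in messages:
        report.setdefault(sender, Counter())[screen(text).category] += 1
    return report


# Constructed sample export, not real traffic.
SAMPLE_EXPORT = [
    ("M12", "Unit 12 is clear from County General"),
    ("M12", "The 65-year-old male from 123 Main with chest pain is stable, heart rate 70"),
    ("E3", "Room 4 is our priority"),
    ("E3", "pt in the blue shirt is a stroke alert, last known well 1430"),
    ("M7", "Requesting a lift assist at the north entrance"),
    ("M7", "Mrs. Alvarez BP 180/110, transporting to Mercy"),
]

if __name__ == "__main__":
    for sender, text in SAMPLE_EXPORT:
        r = screen(text)
        print(f"{r.category:<11} {sender:<4} {text}  ids={r.identifiers} clinical={r.clinical}")
    print(audit(SAMPLE_EXPORT))
```

Treat REVIEW as a queue for a human, and treat the per-sender counts, not the message bodies, as the artifact you keep: the audit's purpose is to show the policy is enforced, not to build a second store of PHI.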
Training needs to cover the cloud backup risk specifically. Most crew members do not know that their iCloud backup stores years of text message history. Explain it directly. A text sent today is a liability the crew member is carrying in their pocket for years. It will not be deleted when the patient is discharged. During the next phone upgrade, that thread is still there. If the phone is lost, the data goes with it. If the phone is sold, the new owner gets a history of your agency's calls.
"Vendor Risk Management for Small EMS Agencies Without a CISO" goes deeper into how to evaluate the vendors you already have and the ones you are bringing in. The messaging platform is a vendor relationship. Treat it like one.
Frequently Asked Questions
Can we use iMessage since it is encrypted?
iMessage is end-to-end encrypted between Apple devices, but Apple does not sign a BAA with individual agencies, so the transmission is not compliant. The end-to-end property also does not extend to a standard iCloud Backup, which is protected with keys Apple holds unless the account owner has turned on Advanced Data Protection, and you cannot verify or enforce that on a personal account. That backup is a second exposure path.
What counts as operational chatter that is safe for SMS?
Logistics and coordination messages that contain no patient identifiers. Examples include "Unit 4 is clear from the hospital," "Requesting a lift assist at the north entrance," and "Which station is the replacement crew coming from?" If a message includes a patient detail like name, age, address, complaint, or condition, it goes in the approved app.
What happens if an agency ignores SMS use for PHI?
OCR can cite the agency for willful neglect if it finds that leadership knew PHI was being transmitted over SMS and did nothing to stop it. Willful neglect findings carry higher fines and remove the good faith mitigation that a documented policy would normally provide.
Do we need a BAA for our messaging app?
Yes. Any platform that creates, receives, stores or transmits ePHI on behalf of a covered entity is a business associate and requires a BAA. The narrow conduit exception covers carriers and ISPs that only move data through, not a messaging service that stores your threads on its servers. If your messaging vendor refuses to sign one, that tool is not a compliance solution regardless of what its marketing says.
Should personal phones be included in the policy?
If crews use personal phones for work communication that could contain PHI, the policy must cover them. Bring-your-own-device environments need technical controls like containerization or remote wipe capability on the work profile. A policy that only covers agency-issued devices is incomplete if half the crew uses personal phones for the same messages.
Closing
The texting problem looks like a technology problem on the surface. It is actually a policy and enforcement problem. The technology exists. Secure messaging platforms with BAAs are available. MDM profiles are standard. The gap is in adoption and training and in the willingness to tell crews that the fastest path is not always the legal one. Close the gap before OCR asks you why you did not.
-- Steven
Need help with your agency’s cybersecurity? Get in touch