By Devin Partida, Editor-in-Chief, ReHack.com
LinkedIn: Devin Partida
LinkedIn: ReHack Magazine
Patient messaging is an essential component of coordinating care. Doctors want fast channels to answer questions and share instructions, while patients want the same simplicity and convenience they experience with the apps they use every day.
This puts pressure on the privacy, integrity and availability of health data. Every message should be treated like part of a medical record with the same discipline used for electronic health record (EHR) systems. With the right controls in place, health care teams can move fast without compromising safety.
Security and Compliance in Patient Messaging Tools
health information (ePHI). That includes administrative, physical and technical controls like access management, risk analysis, transmission security, and device and media controls. These requirements apply to covered entities and business associates that create, receive, maintain or transmit ePHI.
Real incidents show what happens when controls fail. In May 2025, Unimed in Brazil reportedly exposed around 14 million patient-doctor messages, including files and conversations with its Sara chatbot feature.
Shadow messaging also creates risk. In 2024, the U.K.’s National Health System (NHS) staff said they use WhatsApp constantly to share private patient data despite guidance, inviting confidentiality and governance problems if organizations cannot apply policy, audit or retention.
Despite the risks, patient messaging has clear benefits. HIPAA summarized research showing that 20% of patients prefer receiving health information by text rather than a portal. Text messaging also helps build trust and increases patient satisfaction, keeping them immersed in their care.
Best Practices for Securing Communication Channels and Protecting Data
Some of the largest cyberattacks in health care have cost as much as $10.92 million per breach. However, messaging can be safe when teams follow HIPAA rules and build simple guardrails into daily work. These five moves help enhance security and ensure programs remain compliant.
1. Run a Focused Risk Analysis for Messaging
Check all channels that may hold patient data, such as in-app chats, SMS, EHR inboxes, contact centers and any chatbots. Trace how messages move, who touches them and where files land on devices. The National Institute of Standards and Technology SP 800-66r2 provides a step-by-step path aligned to HIPAA rules.
2. Tighten Identity and Access
Give every user a unique account, and require multi-factor authentication for staff and vendors who use messaging services. Limit access to the minimum needed and set automatic logoff for idle sessions. Monitor audit logs for unusual sign-ins or high-risk actions.
3. Encrypt Everywhere and Protect Devices
Use strong transport encryption for data in motion and modern encryption for data at rest. Lock down gadgets that store message threads or attachments with passcodes and enable remote wiping. Make a plan for handling lost or retired devices, so ePHI does not linger on local storage.
4. Apply Zero Trust to Messaging Traffic
Treat each request as untrusted until verified. Segment services, check device health before allowing access and keep messaging systems in their own network zones. This limits the blast radius in case of phishing or app misconfiguration.
5. Hold Vendors and AI Features to Clear Rules
Use business associate agreements that clearly state how data is used and kept, whether models are trained on it, and which subcontractors are involved. Pilot features, log what data they touch and know how to disable them quickly if they drift from policy.
Remember that HIPAA does not ban text messaging in health care, but it does require additional safeguards that bring texts up to the same standard as other electronic systems.
Using Technology to Ensure Security and Compliance
Secure clinical messaging platforms centralize directory services, integrate with EHRs, enable encryption and offer audit histories that support HIPAA logging requirements. Mobile device management reduces risks from lost or unmanaged phones, while zero-trust controls and continuous monitoring help teams detect misuse.
AI also affects how health care teams communicate. Vendors often pitch AI features that handle ePHI to speed output and insights. Due diligence should verify how data is collected, used, stored and shared, and whether models are trained on customer information.
In June 2025, the NHS warned clinicians about unapproved AI notetaking tools, weeks after promoting the potential benefits of ambient voice technology. The warning highlights the need for approvals, data protection impact assessments, vendor security reviews and staff guidance before rolling out any AI tool.
Putting Secure Patient Messaging Into Practice
Secure patient messaging requires a clear scope and disciplined controls. Teams should treat every message as ePHI, use technology that enforces policy, and vet vendors and AI before launch. These practices deliver the speed and convenience patients want while protecting safety and compliance.