HIPAA & Text Messaging Whitepaper

Upland Mobile Messaging enables our clients to send text messages to consumers’ mobile phones. Our solution bridges the communication gap between businesses and consumers by allowing an enterprise-class application to interface with everyday consumer technology. While this approach to messaging has significant advantages in timely and effective business communications, the messages are transmitted and stored using carrier systems and mobile phones intended for consumer-grade communications. Because of this, the security of messages sent to consumers cannot be guaranteed once the data leaves our controlled environment.

Upland Mobile Messaging’s core security strategy is geared to helping our clients utilize the amazing potential of mobile communication while maintaining an appropriate level of security. Our information security strategy can be summarized as follows:

• We maintain a high-level of security controls for our production environment such that sensitive data can be transmitted to, and stored in, our systems while maintaining the security standards that our clients require.
• We understand the security limitations of publicly assessable messaging technologies such as SMS, and how these limitations affect the potential of regulatory compliance and the individual security goals of our clients.
• We serve as a resource for our clients in helping them understand how to best leverage mobile communication while meeting the security requirements of their business and applicable regulations.

The intent of this document is to review the security requirements associated with the Health Insurance Portability and Accountability Act (HIPAA), identify the security limitations inherent in text messaging (SMS), and provide information to assist our clients that deal with Electronic Health Information (EPHI) in using Upland Mobile Messaging applications in a HIPAA-compliant manner.