Find a registrant or pharmacy

Find a registrant Find a pharmacy

Search the website

Help me with...

Texting health information is risky business

July 8, 2014

Text messaging shares many of the same risks as email including interception, misdirection, alteration, loss, and inference. However, it also poses additional risks that custodians must assess if texting health information, including:

  • Identification – How will you identify yourself to patients or colleagues via text? If you receive texts from patients or colleagues, how will you readily identify them and ensure authenticity?
  • Security – Text messages generally lack encryption; how will you ensure their secure transmission? How will you be certain that your message is received by the intended recipient?
  • Records management – How will you ensure the information communicated via text is included in the patient record?

No matter how you receive or transmit health information, you must meet all the requirements set out in the Health Information Act (HIA) and the Health Information Regulation.

Set your policies first
It is important to consider the risks and put in place appropriate risk mitigation strategies before using electronic means of transmitting individually identifying health information.

Section 63 of the HIA requires each custodian to establish or adopt policies and procedures that will facilitate the implementation of the Act and the regulations. You must implement appropriate physical, administrative, and technical safeguards to ensure the confidentiality, integrity, and availability of all patient health information you create, receive, maintain, or transmit.

Currently, a dedicated portal (e.g., Netcare) or encryption are the only options the Office of the Information and Privacy Commissioner consider to be secure for transmitting health information electronically.

Refer to Managing Mobile Devices in Your Health Care Organization for five steps to consider when creating your policies and procedures (this is an American resource, so the legislation cited is different but all the process steps apply).

Note that the HIA requires that custodians submit a Privacy Impact Assessment (PIA) to the Information and Privacy Commissioner before implementing a new administrative practice or information system that collects, uses, or discloses identifying health information.


  • Helping pharmacists and pharmacy technicians understand the Health Information Act
  • A Practical Guide to the Health Information Act
  • Communicating with patients via email: Know the risks (this resource also applies to texting)
  • Email Communication FAQs (this resource also applies to texting)