HIPAA Texting Glossary

Short, plain-language definitions of the HIPAA and messaging terms you will run into when evaluating a texting platform.

Get started for freeSchedule a demo →

Access controls

Settings that control who can open patient information. HIPAA expects each user to have their own login, and admins must be able to remove access the day someone leaves.

Audit log

A record of who accessed or sent patient information. When an auditor or a patient asks what was communicated, the audit log is what you produce.

BAA (Business Associate Agreement)

The HIPAA-required contract between a healthcare organization and a vendor that handles PHI on its behalf. Without a signed BAA, patient data cannot go on that vendor's systems.

Broadcast messaging

Sending one message to a list of patients at once, delivered as individual texts. Each reply comes back as a private conversation, so no patient sees another patient's reply.

Business associate

Any company that creates, receives, stores, or sends PHI on behalf of a healthcare organization. Texting platforms, billing services, and cloud hosts all qualify, and each needs a signed BAA.

Covered entity

A health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. Most practices, clinics, and agencies are covered entities under HIPAA.

EHR (Electronic Health Record)

A digital version of a patient's chart, built to follow the patient across providers and organizations. EHRs hold PHI, so they need the same HIPAA safeguards as any other system.

EMR (Electronic Medical Record)

A digital chart used inside a single practice. People often use EMR and EHR interchangeably, but an EHR is designed to move with the patient between organizations.

Encryption in transit and at rest

Scrambling data while it travels over the network (in transit) and while it sits on servers (at rest). HIPAA expects both for electronic PHI.

HIPAA Security Rule

The part of HIPAA that sets standards for protecting electronic PHI. It requires administrative, physical, and technical safeguards, including access controls, encryption, and audit logs.

MRN (Medical Record Number)

The unique number a practice assigns to a patient's chart. It is one of the 18 HIPAA identifiers, so a message containing an MRN contains PHI.

PHI (Protected Health Information)

Health information that can identify a patient, held by a covered entity or business associate. A name and phone number tied to an appointment already qualify.

Read receipts

Indicators that show who has seen a secure message. In BloomText, read receipts apply to secure messages and show who has viewed each message, so your team knows an update was picked up.

Secure link

A link sent over normal SMS that opens an encrypted conversation. The patient taps it and replies from any phone without downloading an app, and the content stays off the unencrypted SMS network.

SMS opt-out (STOP)

The standard way a patient stops receiving texts: replying STOP. Senders must honor opt-outs, and healthcare teams should record them.

Missing a term? Contact us and we will add it.