SMS was not designed to support secure communications and is therefore not HIPAA-compliant. This means that short codes should not be used to transmit Personal Health Information (PHI).
If your short code has medical uses or deals with medical information, you will need to complete the following two steps:
- After purchasing a short code, you must complete an additional form provided to you by the short code team.
- When building your short code application, you must include the following in your terms of service or end user agreement:
This short code program does not contain medically sensitive information. While the Content on the Site is about specific medical and healthcare issues, the Content is not a substitute for or replacement of personalized medical advice and is not intended to be used as the sole basis for making individualized medical or health-related decisions.
Twilio can also provide sample compliant terms and privacy language for you to integrate into your legal content. You can incorporate these terms and the paragraphs above directly into your existing terms page. For more information, please contact your Account Manager.
For general security information, check out the accompanying PDF guide to Twilio’s security practices, also available at ahoy.twilio.com/security.pdf.