Organizations evaluating whether texting is right for them will run into data security, legal, and compliance concerns as the chief obstacles to overcome in conversations with their own team members.
At Hustle, we’ve helped thousands of organizations of all sizes overcome these hurdles with product leadership, subject-matter expertise, a robust security program, and contractual agreements that can give your team the confidence they need to get texting.
Note: the articles in this series are for general informational purposes only and do not constitute legal advice. Hustle is not a law firm, and reading this article does not create an attorney-client relationship. Laws and carrier policies change and can vary by jurisdiction and use case. You should consult qualified counsel about your specific situation.
In this article, we’ll walk through some of the common compliance certifications, how they relate to texting, and how Hustle can help.
What are some other compliance certifications, and do they matter for texting?
- HIPAA
- PCI
- FERPA
Does my texting vendor need to be HIPAA compliant?
SMS and MMS are not encrypted mediums: messages travel across carrier networks without end-to-end encryption, and the sender has no control over them once they are handed off. So texting itself cannot be made HIPAA-compliant. Any texting vendor that tells you they are HIPAA-compliant is omitting a crucial detail: once they send a message downstream to the carriers, it’s the wild west. There have been well-reported discoveries of foreign actors sitting on the networks of major US mobile carriers, soaking up subscriber data. So at Hustle, we actively discourage including protected health information (PHI) in text messages. If a texting vendor tells you they are HIPAA compliant, ask them what happens once they hand a message to the mobile carriers. If they know what they’re talking about, they’ll waffle. If they don’t know what they’re talking about, they’ll reassure you that they are HIPAA compliant. We’re not sure which is worse…
At Hustle, we support many health foundations and work with their compliance teams to understand the scope of the data required to operate the Hustle application to facilitate conversations with donors and volunteers.
For healthcare providers, sending sensitive information via text messages is a risky proposition. Working with specialty providers that offer HIPAA-compliant messaging (typically a secure app or portal rather than plain SMS) is the safest path. They’ll offer you assurances a general-purpose texting vendor can’t, like a Business Associate Agreement (BAA) that spells out each party’s obligations, including what happens if your data is breached.
How about PCI compliance?
Similar to HIPAA, we discourage including financial information, such as credit card numbers, in text messages for the same reasons we discourage including patient health information. SMS and MMS are not encrypted mediums. As a result, texting is not PCI compliant. Rarely, but on occasion, the less discerning audience member will text you their credit card number. Hustle has tools to redact these messages so they aren’t stored by Hustle in a way that makes them retrievable. However, this capability does not make Hustle, or any texting vendor, PCI compliant.
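To make the redaction idea concrete, here is an added illustration (not Hustle’s code, and not a description of how Hustle’s tooling works) of the kind of inbound-message filter a texting platform would run before a message touches storage: find runs of 13 to 19 digits, keep only those that pass the Luhn check that all payment card numbers satisfy, and replace them with a placeholder that retains just the last four digits. The sample message and the `redact_pans` / `luhn_ok` names are constructed for this example.

```python
import re
from typing import Tuple

# Candidate card numbers: 13-19 digits, optionally separated by spaces or
# dashes, not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample inbound message (4111 1111 1111 1111 is a well-known
# Luhn-valid test number, not a real card).
SAMPLE_MESSAGE = "hi can i donate? my card is 4111 1111 1111 1111 exp 12/26"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right,
    subtracts 9 from any result above 9, and requires the sum to be
    divisible by 10. Every real card number passes this; about 90% of
    random digit runs do not, which keeps false positives low."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace Luhn-valid card numbers in text with a placeholder that
    keeps only the last four digits. Returns the redacted text and the
    number of redactions, so callers can log that a PAN was dropped
    without logging the PAN itself."""
    count = 0

    def replace(match: "re.Match[str]") -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
            return "[REDACTED CARD ending " + digits[-4:] + "]"
        # Not a plausible card number (for example a long order ID): leave it.
        return raw

    return CANDIDATE.sub(replace, text), count


if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE_MESSAGE)
    print(n, redacted)
```

Run this at the point of ingestion, before the message is written to the database, search index, logs, or any outbound webhook; redacting after the fact leaves copies behind. The Luhn check only filters digit runs, so a full filter also needs to drop the CVV that usually arrives in the same message (PCI DSS forbids storing it at all). None of this changes the point above: the card number still crossed the carrier network in the clear before your filter ever saw it.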
Some tools, notably CRMs and fundraising platforms, process credit card transactions, which subjects those tools to PCI compliance. It’s important to note that even though such a tool collects and processes contributions in a PCI-compliant manner, that does not make the text messages it may send or receive PCI compliant.
And FERPA?
FERPA functions similarly to HIPAA, as both restrict the disclosure of protected personal information. FERPA protects information in a student’s education record that should not be disclosed over an unsecured channel such as a text message; think grades and disciplinary actions. Other information may be designated as directory information and is considered less sensitive, like a student’s major or graduating year. Directory information can even help improve the personalization of communications! That said, although schools are given some flexibility to determine what counts as directory information, your service provider almost certainly doesn’t distinguish between “protected” and “not protected” fields: whatever you upload or sync is simply data to them. So be mindful when adding data to your texting vendor, and send only the fields your school has designated as directory information.