Developers and HIPAA

Is a BAA required with SMS service

If my provider is communicating PHI and non-PHI with patients through a third-party SMS service, such as Twilio, would my provider be required to sign a BAA with the SMS service company, or would such a company be classified as a conduit? We are sending encrypted data to the SMS service, which is then sending unencrypted SMSs to patients. Patients can then potentially respond to those SMSs via unencrypted SMS, which would be directed to our SMS service and then communicated through an encrypted channel back to my provider.


Our SMS service is not storing any information regarding patients or logs, nor is it analyzing the contents of the messages to provide any type of diagnostic feedback. It is not even determining when messages should be sent or scheduling messages. It is simply responding immediately to requests from my provider or from our patients directly.

7 votes (7 up, 0 down)
Question No. 44