Wickr: HIPAA-Compliant SMS App Tested by Two Psychologists

By Keely Kolmes, Psy.D. and Kristina Monroe, Psy.D.

Dr. Monroe is a licensed psychologist who has private practice offices in Beverly Hills and South Pasadena, CA. She maintains a general psychotherapy practice but also specializes in serious mental illness as well as psychological assessment.

We know one another from APA Division 42’s listserv, and we decided to test out the Wickr App together.

KK: I don’t engage in text messaging with clients for a number of reasons, including concerns about the assumed immediacy of messaging, client confidentiality, and the documentation of these messages. But Dr. Monroe and I were both very curious about Wickr’s promises of military grade encryption, privacy, and the ability to set messages to self-destruct within a designated period of time (from seconds after it is viewed and up to six days). We agreed to give it a test run.

Click on images to view them in large size. 

KM: I was excited to try out Wickr as a licensed psychologist who strives to adhere to the highest level of client confidentiality. This isn’t always simple in the era of ever-growing technology, particularly when many of my clients prefer text messaging over a telephone call. I was intrigued when reading that Wickr is a text messaging service that is HIPAA-compliant.

KK: Wickr allows you to fine-tune its shredder settings as seen below. You can also modify how notifications are received and set default message destruction times, but this can also be set for each message, as we’ll show you later on.

KK: One of the first things I appreciated was that Wickr can be set to let you know you have a text message without identifying who has sent it. The app also has the ability to require you to login to receive your text messages so someone picking up your phone doesn’t automatically have access. It seems that Dr. Monroe also liked these features. We both would recommend disabling the auto-login feature for enhanced security.

KM: In testing it out with Dr. Kolmes I found several features that I liked. First, I liked that a user can choose any user name and it is not displayed when push notifications are on (as shown below). Furthermore, one has to log in with a password to access the message (also seen below). This feature can be adjusted as to how long the app is closed before a password is required.

KK: I’d add here that it might make sense to encourage clients to use a nickname or other pseudonym with their Wickr account, for enhanced privacy. Clinicians may opt for the same.

KM: It is also nice that each message can be sent with a different time to destruction (i.e. the time it takes before a message is permanently deleted from both the sender’s and receiver’s device). We experimented with different time settings.

KK: You can see the red text, below, indicating the time until a message self-destructs. I also like that there is a padlock you have to click on in order to unlock each message. This is just one extra step to ensure nobody is looking over your shoulder. I also like that from the texting screen, you can click on various red round buttons to change the self-destruct time for each message (from seconds to six days), to activate the camera to take and attach a photo, to access your photo album and choose a photo, to activate your microphone to record and send sound file, or to attach and send other attachment from dropbox or Google Drive.

KM: On the contrary, one noticeable weakness is the ability to take a screen shot of both text and photos. Therefore, it is possible for one to retain a copy of messages exchanged before they destruct.

KK: Yes, obviously, as our photo essay demonstrates, these messages can be saved via screen shot, which in some ways entirely defeats the whole purpose of the app. Although it would allow a clinician to save and print a message later, if necessary.

KM: I would, nevertheless, only use the app to communicate about appointment times and changes, not clinical information. Lastly, the client does need a smartphone with the app as a Wickr user cannot text a general cellphone number. Overall, Wickr appears to be a nice upgrade from the average text service that can be used at the clinician and client’s discretion following informed consent.

KK: I am still not likely to use text messaging with my patients. However, many clinicians do like to offer this mode of communication for various reasons and it makes sense for the populations they serve. Wickr is definitely a step above the typical text messaging done on a cellphone. I will likely mention it in my upcoming courses on digital ethics. I only wish the app disabled the ability to take screen shots so that it could truly be SMS “without a trace,” as advertised*.

*Note added February 24th: Of course we realize that encryption refers to how messages are protected during transmission and delivery. There are other encrypted means of message delivery, including email, which also allow for printing or taking screen shots. What people do with phone messages, emails, and even text messages once delivered is beyond the control of the service that attempts to create higher security and beyond the control of the practitioner. This again speaks to the need to be judicious in what we send to people whose confidentiality we have a primary duty to protect.