
Is texting HIPAA compliant? What you need to know


If you’ve ever tried to get a straight answer to “Is texting HIPAA compliant?” you know how frustrating it is. One Redditor summed it up perfectly: “If you ask 20 clinicians, 10 will say it is, and 10 will say it isn’t. You Google it, 10 sources say it is, and 10 sources say it isn’t.”

Part of the confusion stems from the fact that the answer isn’t a simple yes or no. Whether texting is HIPAA compliant depends on several factors, such as the content of the message being sent. And the stakes are high for healthcare providers: getting it wrong can mean HIPAA violations and patient privacy breaches.

In this guide, we’ll clear up the misconceptions about HIPAA-compliant text messaging. We’ll also outline how healthcare organizations can stay compliant with patient texting.

Disclaimer: This article provides general information about HIPAA compliance and text messaging as of the date above. The content on our website is not intended to provide and should not be relied on for legal or compliance advice. You should consult with your own legal or compliance official to determine how this general information may apply to your specific circumstances and to ensure your specific texting practices meet all applicable HIPAA requirements.

Is texting HIPAA compliant?

Text messaging is not inherently HIPAA compliant.

Standard SMS isn’t HIPAA compliant because it lacks the technical safeguards required by the HIPAA Security Rule. Once a text leaves the sender’s phone, the sender has no control over where it goes, who stores it, or how well it is protected.

Here are the most significant security gaps:

  • No end-to-end encryption: SMS travels through carriers in plain text. Anyone with access along the path could intercept or read the message.
  • No control over storage: You can’t control how a recipient’s phone or mobile carrier stores messages, who accesses them, or if they’re deleted securely.
  • No access controls: Anyone who picks up the patient’s or provider’s mobile devices can read, screenshot, or forward the message. 
  • No audit trails: HIPAA requires audit controls and logs of access and activity. SMS has no built-in auditing or reporting.

Some medical office phone system providers use secure messaging apps that mimic texting. They offer encryption that SMS doesn’t have, and they require Business Associate Agreements, or BAAs. These tools meet HIPAA requirements, but they often require patients to download an app and create an account. Not all patients will take the time to do that. 

Many clinics also struggle to roll out these apps at scale. Staff may have to explain to patients how to download and use the app. Patients may forget passwords or stop using the app entirely, which creates more follow-up work. 

However, your organization may still use SMS and MMS in a manner consistent with HIPAA — without relying on a separate secure messaging app. 

When is it okay to use SMS text messaging for patient communication? 

Healthcare professionals can use SMS when they take specific steps to protect patient privacy.

You can use texting for patient communication if you:

  • Get written patient authorization for SMS/MMS. Patients must authorize the use of texting for communication, preferably through a digital or paper form. They should also know they can withdraw their consent at any time.
  • Document the decision to use SMS/MMS in HIPAA policies. Note how your organization uses SMS/MMS and manages the risks.
  • Inform patients of the security risks. Providers must explain that SMS is less secure than other communication channels.
  • Follow the minimum necessary standard. This rule requires covered entities to limit the use of electronic protected health information, or ePHI, in text. They can only include what’s needed to accomplish the intended purpose.

The minimum necessary standard, which is §164.502(b) of the HIPAA Privacy Rule, means you can only send essential details in text messages. If a portal link works, you should send the link instead of including ePHI. It also means avoiding diagnoses, treatment details, or sensitive identifiers if a general message is enough.

For example:

✅ OK to send: “Your test results are ready. View them at [portal link].”

❌ Not OK to send: “Your cholesterol is 240. Please schedule a follow-up.”

The goal is to reduce the amount of identifiable information that moves through unsecured channels. Even small details, when combined, can reveal more about a patient than intended.

You can also send messages compliantly if they don’t include any electronic PHI or PHI. These messages can provide your patients with information they need to visit your office. You might send:

  • General office hours
  • Holiday closures
  • Weather or emergency alerts
  • Appointment reminders with no PHI
  • Educational content that doesn’t reference the patient
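To make the consent, opt-out and minimum-necessary steps above concrete, here is an added Python example (not Quo’s code or any other vendor’s): an outbound gate that a clinic’s messaging platform could run before a text is sent. The deny-list of clinical terms, the unit regex and the patient record are constructed for illustration; the rule that nothing at all is sent without consent on file is a design assumption stricter than the page requires; and the platform-side audit list stands in for the audit trail that SMS itself lacks.

```python
"""Outbound SMS gate for a clinic messaging workflow: consent check, opt-out
handling, a minimum-necessary screen for ePHI, and a platform-side audit
trail. Added example with constructed term lists, not any vendor's code."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed deny-list of terms that usually signal ePHI in a text body.
# A real deployment maintains this list together with its compliance officer.
SENSITIVE_TERMS = (
    "cholesterol", "glucose", "a1c", "biopsy", "diagnosis", "diagnosed",
    "prescription", "dosage", "hiv", "pregnancy", "tested positive",
    "tested negative",
)
# A number followed by a clinical unit (e.g. "240 mg/dL") is a lab value or
# dose, which is ePHI even when no condition is named.
UNIT_VALUE_RE = re.compile(r"\b\d+(?:\.\d+)?\s*(?:mg/dl|mmol/l|mcg|mg|ml)\b", re.I)
# Replies that revoke SMS consent (the article names STOP and unsubscribe).
OPT_OUT_KEYWORDS = {"stop", "unsubscribe"}


@dataclass
class PatientRecord:
    patient_id: str
    sms_consent: bool = False      # informed written/digital authorization on file
    consent_note: str = ""         # where and when that authorization was documented
    audit: List[tuple] = field(default_factory=list)  # platform-side audit trail


def find_ephi_indicators(body: str) -> List[str]:
    """Return sensitive terms or unit-bearing values found in an outbound body."""
    hits = []
    lowered = body.lower()
    for term in SENSITIVE_TERMS:
        if re.search(r"\b" + re.escape(term) + r"\b", lowered):
            hits.append(term)
    match = UNIT_VALUE_RE.search(body)
    if match:
        hits.append(match.group(0))
    return hits


def handle_inbound(record: PatientRecord, text: str) -> str:
    """Process a patient reply; an opt-out keyword revokes consent immediately."""
    if text.strip().lower() in OPT_OUT_KEYWORDS:
        record.sms_consent = False
        record.audit.append(("inbound", "opt-out honoured, consent revoked", text))
        return "opted_out"
    record.audit.append(("inbound", "no consent change", text))
    return "no_action"


def gate_outbound(record: PatientRecord, body: str) -> Tuple[bool, str]:
    """Decide whether a text may leave the platform; returns (allowed, reason).

    Design assumption: no text of any kind goes out without consent on file,
    so an opt-out silences the patient's number completely.
    """
    if not record.sms_consent:
        reason = "blocked: no SMS consent on record (or patient opted out)"
    else:
        hits = find_ephi_indicators(body)
        if hits:
            reason = ("blocked: possible ePHI (" + ", ".join(hits)
                      + "); send a portal link instead")
        else:
            reason = "allowed"
    record.audit.append(("outbound", reason, body))
    return reason == "allowed", reason


if __name__ == "__main__":
    # Constructed patient record with consent documented on a signed form.
    rec = PatientRecord("pt-0001", sms_consent=True,
                        consent_note="signed SMS authorization form (constructed)")
    for msg in (
        "Your test results are ready. View them at [portal link].",
        "Your cholesterol is 240. Please schedule a follow-up.",
        "Reminder: you have an appointment tomorrow at 9:30 AM.",
    ):
        print(gate_outbound(rec, msg))
    print(handle_inbound(rec, "STOP"))
    print(gate_outbound(rec, "Our office is closed Monday for the holiday."))
    for entry in rec.audit:
        print(entry)
```

The portal-link message passes, the cholesterol message is blocked with the offending term named in the reason, and a reply of “STOP” flips the consent flag so that even a PHI-free holiday notice is held back afterwards. Every decision lands in the record’s audit list, which is the kind of log a platform must keep because the carrier path provides none.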

What if patients request communication over text?

HIPAA permits patients to request communication through alternative methods, including SMS. The guidance states:

“A covered healthcare provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information…by alternative means.”

If a patient asks to receive information via text, you must first verify the patient’s identity to make sure the request is from the patient. You then need to warn the patient of risks, explaining that SMS isn’t secure and PHI could be exposed. 

Once informed of the risks, the patient must consent to receive texts. Most organizations log this consent in the patient’s medical records or include it in a written consent form. Once documented, the patient’s request becomes part of the official record and guides how your team should communicate with them. From that point forward, patient texting can be allowed under HIPAA. 

HIPAA texting best practices for healthcare organizations

Following several simple guidelines will protect patient information. If every staff member follows the same process, it reduces the risk of an accidental HIPAA violation.

Here are a few best practices: 

  • Train staff on compliant texting practices. Help teams learn what is and isn’t PHI, what can’t be texted, and when to use secure alternatives.
  • Obtain consent and offer an easy opt-out. Patients should be able to stop messages by replying with simple language like “STOP” or “unsubscribe.”
  • Stay compliant with A2P 10DLC rules. Even with proper security measures, SMS messages must comply with A2P 10DLC carrier regulations in the US. These rules help reduce spam and protect patients. 
  • Keep authorization records current. Document any changes to patient communication requests.
  • Use the same business phone number used for HIPAA-compliant calls. This keeps communication organized, and patients know it’s your team contacting them. 
  • Avoid promotional or prescription-drug content. Carriers often block these messages, especially if they advertise or mention controlled substances.
  • Use general language for prescription refill alerts. Refill alerts are allowed for patients who opt in to SMS communication. Avoid mentioning sensitive prescription or health information.
  • Keep messages focused on patient care. Don’t use SMS for advertising or solicitation. 
  • Use a business communications platform with security controls. This helps support your compliance program across calls, texts, and voicemail.

Implementing these practices is much easier with the right technology infrastructure.

Quo, formerly OpenPhone, offers a HIPAA-compliant VoIP solution for healthcare teams. Data encryption, user access controls, and automatic timeouts help safeguard sensitive patient information. Quo’s security features allow providers to communicate with patients in a HIPAA-compliant manner over call and text.

8 Security features that support HIPAA compliance

While SMS itself has limitations, the platform you use matters. A HIPAA-compliant small business phone system offers the technical safeguards you need.

Key security features you should look for in a business phone system include:

  1. Encryption in transit and at rest: Protects patient data as it moves between systems and while stored.
  2. Secure voicemail storage: Prevents unauthorized individuals from accessing PHI in voicemails.
  3. HIPAA-secure call recordings and transcriptions: Ensures recorded calls meet privacy and storage requirements.
  4. User access controls, such as roles, permissions, and multi-factor authentication: Limits PHI access to authorized staff.
  5. Data redundancy and backups: Protects against data loss across geographically distributed data centers.
  6. Automatic timeouts: Reduces the risk of unauthorized access when devices are left unattended.
  7. Configurable data retention: Ensures patient data is stored according to your internal policies. 
  8. Failover and backups: Keeps communication running and minimizes outages.

A single feature won’t make any platform HIPAA compliant. You need the right mix of technical safeguards, clear policies, and staff training. When all three are in place, you have a solid foundation for compliant communication.

What are the risks of texting protected health information under HIPAA?

Texting PHI without proper safeguards exposes healthcare organizations to significant consequences.

Financial penalties

Violations of the HIPAA Privacy Rule can be extremely costly, especially when unsecured texting is involved. The Office for Civil Rights, or OCR, assigns penalties based on four tiers of severity.

  • Tier 1 applies when an organization was unaware of the violation and couldn’t reasonably have discovered it through due diligence.
  • Tier 2 applies when the organization should have known about the risk.
  • Tier 3 applies to cases of willful neglect where the organization corrected the issue within 30 days.
  • Tier 4 is the most serious, involving willful neglect that was not corrected within the 30-day timeframe.

While fines start at $141 for a Tier 1 violation, they can be substantially higher. Fines can exceed $70,000 per violation, with annual caps in the millions. 

Operational disruption

A texting violation often leads to investigations, corrective action plans, or audits. The organization faces increased oversight from the Department of Health and Human Services (HHS) and OCR. 

These disruptions can take up your staff’s time and create an administrative burden. They can slow down routine care tasks and create scheduling and communication issues. For smaller organizations with limited resources, the impact can be especially challenging.

Reputational damage

Trust is central to every patient–provider relationship. When PHI is exposed through unsecured texting, patients may question whether their information is safe. Loss of trust can lead patients to switch to another provider. They may also leave negative reviews or damage the organization’s reputation. 

Mandatory breach reporting

Healthcare organizations may be required to notify affected patients of a breach of unsecured PHI. They also have to report data breaches to HHS. If it’s a smaller breach — fewer than 500 affected individuals — the report can be made annually. If the breach affects more than 500 individuals, it must be reported within 60 days of the breach. 

In cases involving more than 500 individuals, the organization has to notify the media. Public reporting increases scrutiny and can have a huge reputational impact. 

Quo: The best HIPAA-compliant phone system


Quo gives healthcare teams a HIPAA-compliant way to communicate with patients. Our cloud phone system for healthcare protects your call and voicemail data. Plus, you can send texts from Quo while following HIPAA requirements to avoid texting PHI.

With Quo, healthcare providers can manage sensitive patient communications with simple workflows. Features like the ability to schedule texts and reusable snippets help teams send routine messages. You can use these for appointment confirmations or reminders. If your team misses a phone call, you can send automated text replies to acknowledge the call and let the patient know when they can expect to hear from you.

Medical professionals need HIPAA-compliant communication channels that don’t slow them down. Quo offers a business phone system designed for the realities of busy healthcare providers. Try Quo and see how easy secure communication can be. You can sign up for a free seven-day trial.

FAQs

Are iPhone messages HIPAA compliant?

No, standard SMS, MMS, and iMessages lack the encryption, access controls, and audit logs required by HIPAA’s Security Rule. But healthcare providers can still text patients from their iPhones in a compliant way. You need to inform patients about the risks of using texting and obtain their consent. You should also follow the minimum necessary standard rule under HIPAA and document these practices. For stronger security, consider using a HIPAA-compliant business phone system. This adds the necessary technical safeguards while still allowing you to use your iPhone.

Are there any HIPAA-compliant messaging platforms?

Yes, secure messaging platforms like iPlum meet HIPAA requirements when used in conjunction with a BAA. However, they don’t really offer HIPAA-compliant texting in the standard sense. They offer in-app secure messaging within a portal, which many patients struggle to adopt. 

Is texting a patient’s name a HIPAA violation?

A patient’s name becomes PHI when paired with other identifying health information. If, for example, the message pairs the name with a test result or prescription information, it’s PHI. Sending it over unsecured SMS is only allowed if the patient has requested text communications and has been informed of the risks.
