
sms · 7 min read

HIPAA-Compliant Texting: Complete Guide for Healthcare in 2026

HIPAA-compliant texting explained: what's required, which SMS tools qualify, BAAs, patient consent, secure messaging vs standard SMS, and safeguards in 2026.

By DialPhone Content Team · Published April 20, 2026

Texting patients is one of the highest-ROI communication channels in healthcare — but it’s also a HIPAA minefield. A standard iMessage or carrier SMS from a clinician’s phone is not HIPAA-compliant, and casual violations generate thousands of breach notifications every year. This guide covers what HIPAA-compliant texting actually requires, which tools qualify, and how to deploy secure patient messaging at scale.

TL;DR

  • Standard SMS and iMessage are not HIPAA-compliant for sending protected health information (PHI).
  • HIPAA-compliant texting requires a tool with a signed Business Associate Agreement (BAA), encryption in transit and at rest, access controls, and audit logs.
  • You also need patient consent and documentation of minimum-necessary disclosure.
  • Most practices use dedicated HIPAA-compliant SMS platforms (DialPhone, Spruce Health, OhMD, TigerConnect) for clinical messaging.
  • Appointment reminders with no PHI (just date and time) can be sent over standard SMS if no patient-identifying details are included.

What HIPAA actually says about texting

HIPAA doesn’t mention SMS specifically. It requires covered entities (and their business associates) to protect PHI — any individually identifiable health information — under three safeguard categories:

  • Technical safeguards — encryption, access controls, audit logs, integrity checks
  • Administrative safeguards — risk assessments, workforce training, minimum-necessary access
  • Physical safeguards — device security, workstation security, media disposal

Applied to texting: PHI can be transmitted by SMS only if the SMS platform meets all three safeguard categories AND the covered entity has a signed BAA with the platform provider.

Why standard SMS fails

Standard carrier SMS and iMessage fail HIPAA on multiple fronts:

  • No encryption at rest — carriers store SMS in plaintext on backend systems.
  • No access controls — anyone with physical access to a phone can read the messages.
  • No audit logs — no record of who read which message when.
  • No BAA — Verizon, AT&T, T-Mobile do not sign BAAs for standard SMS traffic.
  • No minimum-necessary enforcement — can’t restrict who at a practice sees what.
  • No retention control — messages persist indefinitely, and deleted messages can often be recovered.

Sending “Mary’s lab results came back positive, call her tomorrow” from a clinician’s personal iPhone to a colleague is a textbook HIPAA violation.

What HIPAA-compliant texting requires

1. A BAA with the SMS platform

A Business Associate Agreement is a legal contract between the covered entity (your practice) and the technology vendor (the SMS platform). It binds the vendor to the same HIPAA standards as the covered entity.

Check before signing up: does the vendor sign a BAA on your plan tier? Some vendors only sign BAAs on enterprise plans. DialPhone signs BAAs at no additional cost on Advanced ($34/user/mo) and higher.

2. Encryption

  • In transit — TLS 1.2+ for messages from platform to patient device
  • At rest — AES-256 for stored messages, transcripts, attachments

3. Access controls

  • Unique user IDs for every staff member
  • Role-based permissions — nurses see their patients, not all patients
  • Automatic logoff after inactivity
  • MFA / SSO enforcement

4. Audit logs

  • Every message read, every message sent, every attachment downloaded
  • Retained for 6+ years (HIPAA §164.316(b)(2)(i))
  • Exportable to SIEM

5. Integrity controls

  • Tamper-evident message storage
  • Signed records for compliance audits
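As an added illustration of the audit-log and integrity requirements above (this is example code written for this guide, not DialPhone’s or any vendor’s implementation), the snippet below keeps an append-only, hash-chained audit log: each record stores the SHA-256 of its predecessor, so editing or deleting a record breaks the chain and `verify()` reports the first bad sequence number. Records carry only actor, action and object identifiers (never message bodies), and `export_jsonl()` emits one JSON object per line for SIEM ingestion. The actor names, object ids and timestamps are constructed sample data.

```python
"""Tamper-evident, hash-chained audit log (constructed example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # stands in for the hash of the record before the first one


def _record_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log where every record commits to the one before it."""

    def __init__(self) -> None:
        self.records: list = []

    def append(self, actor: str, action: str, object_id: str,
               ts: Optional[str] = None) -> dict:
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,        # unique user ID, never a shared login
            "action": action,      # message.sent / message.read / attachment.downloaded
            "object": object_id,   # message or attachment id; the PHI itself stays out
        }
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"seq": len(self.records), "prev": prev, "entry": entry,
                  "hash": _record_hash(prev, entry)}
        self.records.append(record)
        return record

    def head(self) -> str:
        """Latest hash; publish it out of band (e.g. in the SIEM export) to detect truncation."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, int]:
        """Return (ok, count); on failure the int is the seq of the first bad record."""
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or _record_hash(prev, rec["entry"]) != rec["hash"]:
                return False, rec["seq"]
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            # Chain is internally consistent but the tail was cut off (or replaced).
            return False, len(self.records)
        return True, len(self.records)

    def export_jsonl(self) -> str:
        """One JSON object per line, the usual shape for SIEM ingestion."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def sample_log() -> AuditLog:
    """Constructed sample: three events from a single afternoon."""
    log = AuditLog()
    log.append("nurse.alvarez", "message.sent", "msg-0001", ts="2026-04-20T14:00:00+00:00")
    log.append("dr.smith", "message.read", "msg-0001", ts="2026-04-20T14:05:00+00:00")
    log.append("front.desk", "attachment.downloaded", "att-0042", ts="2026-04-20T14:09:00+00:00")
    return log


if __name__ == "__main__":
    log = sample_log()
    print(log.export_jsonl())
    print("intact:", log.verify())
    log.records[1]["entry"]["actor"] = "someone.else"   # simulate an edit after the fact
    print("after tampering:", log.verify())
```

Hash chaining alone cannot detect deletion of the newest records, which is why `verify()` accepts an `expected_head` that was recorded elsewhere; the six-year retention requirement is met by keeping the exported JSONL on write-once storage, not by the chain itself.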

6. Patient consent

HIPAA and the Telephone Consumer Protection Act (TCPA) both apply:

  • HIPAA permits PHI disclosure for treatment, payment, and operations without separate consent, but the patient must be the intended recipient.
  • TCPA requires prior express consent to send SMS to a mobile number (unless the practice has an established treatment relationship, which exempts some messaging).

Best practice: document consent at intake. A checkbox on new-patient forms: “I consent to receive appointment reminders, billing notifications, and care communications by SMS at the phone number I provided.”

7. Minimum-necessary disclosure

HIPAA’s minimum-necessary rule says: disclose only what’s needed for the purpose. Applied to SMS:

  • Appointment reminder: “Your appointment with Dr. Smith is tomorrow at 2pm.” (Permitted, minimum necessary.)
  • Test result notification: “Your recent lab results are ready. Log in to the patient portal to view.” (Permitted — no PHI in the SMS itself.)
  • Full result in SMS: “Your HbA1c is 7.2, indicating poorly-controlled diabetes.” (HIPAA allows with consent + BAA, but most practices avoid this level of detail in SMS.)

Which SMS tools qualify as HIPAA-compliant

A non-exhaustive list of platforms that sign BAAs and meet technical safeguards:

  • DialPhone — business SMS with HIPAA BAA on Advanced+ at no surcharge. Includes TCPA/10DLC compliance, STOP-keyword handling, opt-in tracking, and audit logs.
  • Spruce Health — dedicated healthcare communication platform.
  • OhMD — clinical SMS + secure messaging.
  • TigerConnect — secure clinician-to-clinician messaging.
  • Klara — patient communication platform, common in dental and primary care.
  • Updox — healthcare communication suite owned by EverCommerce.
  • Twilio with BAA — enterprise platform, requires signed BAA (Twilio signs for qualifying customers).

Standard consumer SMS tools (iMessage, Google Messages, basic cell carrier SMS) do not qualify regardless of how careful the clinician is.

Two patterns: secure messaging vs standard SMS with no PHI

There are two common patterns for HIPAA-compliant patient communication.

Pattern A: Secure messaging (in-app)

Patients download an app or access a patient portal. Messages stay inside the secure platform, requiring authentication to read. Full PHI can be exchanged.

  • Pros: true PHI support, full clinical context
  • Cons: patient adoption friction (another app)
  • Vendors: TigerConnect, Spruce, OhMD, MyChart messaging

Pattern B: Standard SMS with no PHI

Use regular SMS with a HIPAA-BAA-backed platform, but restrict message content to no-PHI minimum necessary:

  • “Your appointment is tomorrow at 2pm. Reply YES to confirm.”
  • “You have a new message in your patient portal. Log in to view.”
  • “Your prescription is ready for pickup.”

The patient gets the notification via SMS; anything sensitive stays in the portal.

  • Pros: no app adoption friction, works on every phone
  • Cons: can’t carry full clinical content in the SMS
  • Vendors: DialPhone, Twilio with BAA, Klara

Most practices use Pattern B for appointment reminders and general operations, and Pattern A for clinical dialog.
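The minimum-necessary examples and Pattern B both come down to one technical control: outbound SMS is rendered only from an approved set of no-PHI templates, with a secondary screen that rejects diagnosis terms or lab values that slip into a slot. The gate below is an added example for this guide (not DialPhone’s or any listed vendor’s code); the template set, the slot names `provider` and `when`, and the PHI keyword list are constructed and deliberately small, and the keyword screen is a heuristic backstop rather than a substitute for template review by the privacy officer.

```python
"""Pre-send gate for Pattern B: only approved no-PHI templates leave the platform."""
import re
from string import Formatter
from typing import Optional, Set

# Approved templates (constructed). Slots hold only non-PHI scheduling fields.
TEMPLATES = {
    "appt_reminder": "Your appointment with {provider} is {when}. Reply YES to confirm.",
    "portal_message": "You have a new message in your patient portal. Log in to view.",
    "rx_ready": "Your prescription is ready for pickup.",
    "results_ready": "Your recent lab results are ready. Log in to the patient portal to view.",
}

# Heuristic screen for content that must never ride in the SMS body (constructed list).
PHI_PATTERNS = [
    re.compile(r"\b(mammogram|diabet|cancer|psychiatr|oncolog|biopsy|chemo)\w*", re.I),
    re.compile(r"\b(hba1c|a1c|glucose|viral load|cholesterol)\b", re.I),
    re.compile(r"\b\d+(\.\d+)?\s*(mg/dl|mmol/l|%)", re.I),   # numeric lab values
]


class PolicyError(ValueError):
    """Raised when a message would violate the no-PHI-in-SMS policy."""


def slots(template: str) -> Set[str]:
    """Names of the {placeholders} a template expects."""
    return {name for _, name, _, _ in Formatter().parse(template) if name}


def screen_text(text: str) -> Optional[str]:
    """Return the first PHI-looking fragment in text, or None if it looks clean."""
    for pattern in PHI_PATTERNS:
        match = pattern.search(text)
        if match:
            return match.group(0)
    return None


def render_sms(template_id: str, **fields: str) -> str:
    """Render an approved template; refuse free text, extra slots, or PHI-like values."""
    if template_id not in TEMPLATES:
        raise PolicyError(f"unapproved template: {template_id!r}")
    template = TEMPLATES[template_id]
    expected = slots(template)
    if set(fields) != expected:
        raise PolicyError(f"slot mismatch: expected {sorted(expected)}, got {sorted(fields)}")
    for name, value in fields.items():
        hit = screen_text(str(value))
        if hit:
            raise PolicyError(f"slot {name!r} contains PHI-like content: {hit!r}")
    return template.format(**fields)


if __name__ == "__main__":
    print(render_sms("appt_reminder", provider="Dr. Smith", when="tomorrow at 2pm"))
    for bad in (
        ("appt_reminder", {"provider": "Dr. Smith", "when": "tomorrow (mammogram follow-up)"}),
        ("free_text", {"body": "Your HbA1c is 7.2, indicating poorly-controlled diabetes."}),
    ):
        try:
            render_sms(bad[0], **bad[1])
        except PolicyError as err:
            print("blocked:", err)
```

Because the gate rejects any template id it does not know, staff cannot type an ad-hoc message into the SMS channel at all; anything that needs clinical detail is pushed to the portal (Pattern A), which is exactly the split the two patterns describe.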

Common HIPAA texting mistakes

  • Clinicians texting from personal phones — no encryption, no BAA, no audit logs. Violation.
  • Including PHI in “reminders” — “Reminder: your mammogram follow-up is tomorrow.” The diagnosis context is PHI.
  • Forwarding patient SMS to a group chat — shares PHI with unauthorized recipients.
  • No STOP keyword — TCPA violation even before HIPAA.
  • Outdated consent — consent signed 10 years ago may not cover new messaging use cases.
  • Texting to numbers that changed hands — a patient’s old number was reassigned to someone else but is still on file, so the reminder reveals PHI to a stranger. This has generated real breach notifications.

TCPA overlap

HIPAA governs PHI protection. TCPA (Telephone Consumer Protection Act) governs SMS consent. Both apply to patient texting.

TCPA requires:

  • Consent to text the mobile number
  • Clear opt-out method (STOP)
  • Honor opt-outs within 10 business days

Most HIPAA-compliant SMS platforms handle TCPA technical enforcement automatically. The practice is still responsible for genuine consent documentation.
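To make the consent and opt-out mechanics concrete, here is an added example (written for this guide, not any platform’s real implementation) of the “technical enforcement” a platform performs: a consent ledger that records intake consent per scope (reminders, billing, care), processes the standard STOP/START/HELP keywords on inbound messages, and refuses outbound sends to any number without in-scope, un-revoked consent. Opt-outs take effect immediately rather than at the end of the 10-business-day window. The phone numbers, scope names, keyword sets and auto-reply wording are constructed; `[Clinic name]` is a placeholder.

```python
"""Consent ledger with STOP/START/HELP handling for outbound patient SMS (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Industry-standard keyword sets (constructed here; YES is deliberately not an opt-in word
# because the reminder template uses "Reply YES to confirm").
STOP_WORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}
START_WORDS = {"START", "UNSTOP"}
HELP_WORDS = {"HELP", "INFO"}


def now_iso() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    number: str
    scopes: Set[str]                 # e.g. {"reminders", "billing", "care"}
    captured_at: str
    source: str                      # "intake-form" or "sms-keyword"
    opted_out: bool = False
    history: List[Tuple[str, str]] = field(default_factory=list)  # (timestamp, event)


class ConsentLedger:
    """Source of truth for whether a number may receive a given class of message."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def record_intake_consent(self, number: str, scopes: Iterable[str],
                              source: str = "intake-form", ts: Optional[str] = None) -> ConsentRecord:
        """Document the consent checkbox from the intake form, with scope and timestamp."""
        ts = ts or now_iso()
        rec = ConsentRecord(number=number, scopes=set(scopes), captured_at=ts, source=source)
        rec.history.append((ts, "consent:" + ",".join(sorted(rec.scopes)) + ":" + source))
        self._records[number] = rec
        return rec

    def handle_inbound(self, number: str, body: str, ts: Optional[str] = None) -> str:
        """Apply keyword semantics to an inbound SMS; return the auto-reply ('' if none)."""
        ts = ts or now_iso()
        words = body.strip().split()
        keyword = words[0].upper() if words else ""
        rec = self._records.get(number)
        if keyword in STOP_WORDS:
            if rec is None:   # unknown sender: still honour the opt-out, with no scopes
                rec = ConsentRecord(number, set(), ts, "sms-keyword")
                self._records[number] = rec
            rec.opted_out = True          # effective immediately, well inside the window
            rec.history.append((ts, "opt-out"))
            return ("You are unsubscribed from [Clinic name] messages and will receive "
                    "no further texts. Reply START to resubscribe.")
        if keyword in START_WORDS:
            if rec is None:
                return ""                 # nothing to re-enable without documented consent
            rec.opted_out = False
            rec.history.append((ts, "opt-in"))
            return "You are resubscribed to [Clinic name] messages. Reply STOP to unsubscribe."
        if keyword in HELP_WORDS:
            return "[Clinic name]: reply STOP to unsubscribe. For assistance call the clinic."
        return ""                         # e.g. "YES" confirmations go to the scheduling flow

    def can_send(self, number: str, scope: str) -> bool:
        """Gate every outbound send: known number, not opted out, scope was consented to."""
        rec = self._records.get(number)
        return rec is not None and not rec.opted_out and scope in rec.scopes


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_intake_consent("+15555550123", {"reminders", "billing"})
    print(ledger.can_send("+15555550123", "reminders"))       # True
    print(ledger.handle_inbound("+15555550123", "stop"))
    print(ledger.can_send("+15555550123", "reminders"))       # False
```

The ledger keeps a timestamped history per number, which is the “genuine consent documentation” the practice remains responsible for even when the platform enforces the keywords; a periodic review of `captured_at` dates is how the stale-consent mistake listed above gets caught.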

Starting a HIPAA-compliant SMS program

  1. Select a platform that signs a BAA — DialPhone, Spruce, TigerConnect, OhMD, Klara, etc.
  2. Sign the BAA — usually e-signed in under 5 minutes in the vendor’s admin portal.
  3. Update your Notice of Privacy Practices — disclose SMS as a communication method.
  4. Update intake forms — add a clear consent checkbox for SMS.
  5. Train staff — only BAA-covered tools for PHI; never personal phones.
  6. Set retention policy — default 2 years is common; document the choice.
  7. Pilot with a single clinic/provider — validate consent capture and audit logs.
  8. Roll out org-wide — with explicit break-glass access controls.

HIPAA-compliant texting isn’t hard once the platform is in place. The failure modes are process — staff texting from personal phones, untrained front desks forwarding messages, consent not captured. Fix the process, and the platform handles the rest.

#hipaa #sms #healthcare #compliance

About the author

Business Communications Research Team

The DialPhone Content Team researches and writes comparative analyses, how-to guides, and technical explainers covering AI-native business communications. Every comparative claim on DialPhone is verified quarterly against the competitor's public pricing and feature pages, with source URLs published on the article. The team works alongside DialPhone product managers, compliance officers, and customer success leaders to ground articles in real deployment experience across 500,000+ businesses and 46+ countries.
