A Single Text Message Cost This Health System $1.19 Million
In 2023, a nurse at a mid-sized clinic texted a patient's lab results to a colleague using her personal iPhone. Standard iMessage. No encryption beyond Apple's default. The colleague had left the organization three months earlier. That message — containing a name, date of birth, and HIV status — triggered a breach report, an OCR investigation, and a cascade of findings that went far beyond one text.
I've seen this exact pattern play out dozens of times. The technology isn't the villain. The villain is the gap between what staff think is secure and what HIPAA actually requires. If your organization sends any form of electronic communication containing protected health information, you need to understand what makes HIPAA compliant text messages possible — and what makes standard texting a liability.
What Exactly Are HIPAA Compliant Text Messages?
HIPAA compliant text messages are text-based communications that meet the administrative, physical, and technical safeguard requirements of the HIPAA Security Rule when transmitting electronic protected health information (ePHI). This means the message must be encrypted in transit and at rest, sent through a platform with proper access controls, and governed by policies that include audit logging, automatic logoff, and user authentication.
Standard SMS does not meet these requirements. Neither does iMessage, WhatsApp, or Facebook Messenger — regardless of what their marketing pages say about encryption. The distinction matters because HIPAA doesn't just require encryption. It requires organizational controls around that encryption.
The Security Rule Requirements You Can't Skip
The HIPAA Security Rule, codified at 45 CFR Part 164, Subpart C, lays out specific standards that apply directly to text messaging. Here's what your organization must address before anyone sends a single text containing PHI.
Encryption — Both in Transit and at Rest
The technical safeguard at §164.312(e)(1) requires you to implement a mechanism to encrypt ePHI whenever it's transmitted over an electronic network. Standard SMS travels through carrier networks without end-to-end encryption. Even if you use a messaging app with encryption, you still need to verify that data at rest — stored on the device — is also encrypted.
I've audited organizations that assumed their "secure messaging app" handled everything. In three separate cases, the app encrypted messages in transit but stored them as plaintext in the app's local database. That's a compliance gap that can cost you.
Access Controls and Authentication
Every user who sends or receives ePHI via text must be uniquely identified and authenticated. Shared logins are a non-starter. The platform must support unique user IDs, emergency access procedures, and automatic logoff after inactivity. This is spelled out at §164.312(a)(1) and §164.312(d).
Audit Controls
You need logs. Who sent what, to whom, and when. If OCR comes knocking, "we don't have records of that" is the worst possible answer. Your texting platform must generate audit trails that your compliance team can review and retain.
The Business Associate Agreement
If you use a third-party messaging platform — and you should — that vendor is a business associate. You must have a signed BAA in place before a single message is sent. I've seen covered entities skip this step because the vendor's sales rep said the platform was "HIPAA compliant." A sales pitch is not a BAA.
Why Standard SMS Will Always Fail HIPAA Requirements
Let me be direct: there is no configuration of standard SMS that meets HIPAA requirements. Here's why.
- No encryption in transit. SMS messages are transmitted in plaintext across carrier networks and can be intercepted.
- No access controls. Anyone who picks up an unlocked phone can read the message.
- No audit trail. Carriers don't provide message-level audit logs to covered entities.
- No remote wipe. If a device is lost or stolen, you can't selectively delete the PHI from the messaging thread.
- Messages persist. Even after deletion, SMS data can remain in carrier systems and device backups.
HHS has been clear on this. The HHS Security Rule Guidance page addresses electronic communication safeguards, and none of the provisions allow for unencrypted channels when ePHI is involved.
The $4.3 Million Wake-Up Call From the University of Texas MD Anderson
One of the most instructive enforcement actions involving mobile device security is the University of Texas MD Anderson Cancer Center case. OCR imposed a $4.3 million civil monetary penalty after unencrypted devices — including a thumb drive and laptops — exposed ePHI. An administrative law judge upheld the penalty.
While this case centered on laptops and portable media, the principle is identical for text messaging. The core finding was that MD Anderson had encryption policies on paper but failed to implement them across devices that stored or transmitted ePHI. OCR doesn't care about your policy binder if your workforce is texting PHI on personal phones without safeguards.
What a Compliant Texting Workflow Actually Looks Like
Here's what I recommend to every organization I consult with. This isn't theoretical — it's what passes OCR scrutiny.
Step 1: Choose a HIPAA-Ready Messaging Platform
Select a vendor that offers end-to-end encryption, role-based access controls, message expiration, remote wipe capability, and audit logging. Get the BAA signed before deployment. Verify their encryption standards — AES-256 at rest and TLS 1.2+ in transit are the current benchmarks.
Step 2: Develop and Enforce a Texting Policy
Your policy must specify who can text, what types of PHI can be transmitted, which platform is approved, and what happens when someone violates the policy. Document everything. Make the policy part of your onboarding process and your annual compliance review.
Step 3: Train Every Single Person
This is where most organizations fail. They buy the platform and skip the training. Your workforce — clinical staff, administrative staff, contractors, everyone — needs to understand why standard texting is prohibited and how to use the approved platform correctly. Our Mobile Devices & PHI training covers exactly this gap, walking staff through real scenarios involving texting, mobile apps, and portable devices.
Step 4: Audit Regularly
Run quarterly audits of your messaging platform. Review access logs. Check for unauthorized users. Verify that terminated employees have been removed. I've found active accounts for staff who left organizations over a year earlier. Each one of those is a potential breach waiting to happen.
Remote Workers Make This Exponentially Harder
The shift to remote and hybrid healthcare work has multiplied the texting risk. When your staff works from home, they're on personal Wi-Fi networks, using personal devices, and sitting next to family members who can see their screens. The temptation to fire off a quick text instead of logging into a secure platform is real.
I've built entire compliance programs around this problem. The solution starts with targeted education. Our HIPAA Training for Remote Healthcare Workers addresses the unique risks of handling ePHI outside a traditional clinical setting. And for organizations that need to go deeper on home office safeguards, the Working from Home & PHI course covers device security, network requirements, and physical workspace protections.
Can You Text Patients Directly?
Yes — with conditions. HIPAA allows covered entities to communicate with patients via text if the patient has been informed of the risks and has given their consent. HHS addressed this directly in its FAQ on electronic communications with patients.
But here's the catch: even with patient consent, you must still use reasonable safeguards. That means limiting the PHI in the message, using a secure platform when possible, and documenting the patient's acknowledgment of risk. Consent doesn't absolve you of Security Rule obligations.
The Three Mistakes I See Every Quarter
Mistake #1: Assuming the app handles compliance. No app makes you compliant. Compliance is an organizational responsibility that includes policies, training, BAAs, and enforcement. The app is one piece.
Mistake #2: Ignoring personal devices. If your staff use personal phones for any work-related communication, you need a BYOD policy that addresses ePHI. Period. No exceptions.
Mistake #3: No breach response plan for texting incidents. When a text containing PHI goes to the wrong number — and it will — your staff needs to know exactly what to do. That means immediate notification to your privacy officer, documentation, risk assessment, and potential breach notification under §164.408. If you haven't rehearsed this scenario, you're not ready.
Build the System Before OCR Builds the Case
HIPAA compliant text messages aren't about finding the right app and calling it a day. They require encryption, access controls, audit trails, BAAs, written policies, and ongoing workforce training. Every one of those elements must be in place, documented, and regularly tested.
The organizations that avoid six- and seven-figure penalties aren't the ones with the fanciest technology. They're the ones that treat texting as a serious compliance function — because OCR certainly does. Start with your policies, train your people through structured HIPAA education, and audit relentlessly. That's how you keep PHI out of the wrong hands and penalties off your books.