A Single Text Cost This Health System $3 Million
In 2018, the University of Rochester Medical Center agreed to a $3 million settlement with OCR after years of failing to encrypt ePHI on mobile devices. The investigation started with a lost flash drive and a stolen laptop — but during the probe, HHS found a systemic failure to manage how protected health information moved across portable technology. Text messages were part of that picture.
I share that story because it's exactly how most texting violations unfold. Nobody gets caught sending a single rogue text. They get caught because the organization never built a system to handle HIPAA compliant text messages in the first place — and then something else breaks.
If your staff texts about patients, this post is for you. I'll walk you through what the law actually requires, where organizations get burned, and the specific steps you need to take right now.
What Makes a Text Message HIPAA Compliant?
HIPAA doesn't ban texting. Let me say that clearly, because I hear the opposite in almost every training session I lead. The Security Rule and the Privacy Rule don't mention SMS by name. What they do is set standards for how covered entities and business associates handle PHI — regardless of the medium.
For a text message to qualify as HIPAA compliant, it needs to meet the same safeguards any electronic transmission of ePHI requires under the HIPAA Security Rule (45 CFR Part 164, Subpart C). That means:
- Encryption in transit and at rest. Standard SMS is not encrypted end to end: messages are readable on carrier infrastructure along the way and sit unprotected on the handset afterward. This alone disqualifies vanilla texting for PHI.
- Access controls. Only authorized individuals should be able to view the message content. A phone left on a break room table with no passcode is an access control failure.
- Audit controls. You need a way to log who sent what, when, and to whom. Standard texting apps don't provide this.
- Integrity controls. The message content shouldn't be alterable in transit without detection.
- Authentication. Both sender and recipient must be verified as who they claim to be.
If your texting solution can't check every one of those boxes, it's not compliant. Period.
Why Standard SMS Fails Every HIPAA Test
Here's what happens in the real world. A nurse finishes a shift and texts the incoming nurse: "Room 412 - Johnson, diabetic, glucose was 280 at 6pm, needs recheck." That message just traveled unencrypted through a cellular carrier's servers, landed on a personal phone with no remote wipe capability, and will sit in a message thread indefinitely.
That single text violated at least four Security Rule provisions. And it happens thousands of times a day across U.S. healthcare.
Standard SMS fails because:
- Messages are not encrypted end-to-end.
- They're stored on the device indefinitely unless manually deleted.
- There's no audit trail the organization can access.
- There's no remote wipe if the phone is lost or stolen.
- Messages can be forwarded, screenshotted, or backed up to non-compliant cloud services without restriction.
I've seen organizations assume iMessage or WhatsApp encryption solves this. It doesn't. Encryption is necessary but not sufficient. Without audit logs, administrative controls, and a BAA from the platform provider, you're still exposed.
The $1.5 Million Question: Do You Need a BAA for Texting?
Yes. If you use a third-party platform to send HIPAA compliant text messages containing PHI, that vendor is a business associate. You need a signed Business Associate Agreement before a single message goes out.
Apple won't sign a BAA for iMessage. Google won't sign one for Android Messages. Your cellular carrier won't sign one for standard SMS. That's why purpose-built secure messaging platforms exist.
In my experience, this is where small practices stumble hardest. They assume the technology itself creates compliance. It doesn't. The contractual framework matters just as much as the technical framework.
What About Texting Patients Directly?
This is a question I get in every workshop. You can text patients, but there are additional layers. Under HHS guidance, if a patient requests communication by text and you've warned them about the risks of unsecured texting, you may honor that request. The key word is "request." You need to document it.
But here's the trap: that patient consent doesn't relieve you of your Security Rule obligations on your end. You still need to send the message from a compliant platform. You still need audit trails. The patient's consent covers the transmission risk to them — not your administrative failures.
Six Steps to Make Your Texting HIPAA Compliant
1. Deploy a Secure Messaging Platform
Choose a platform designed for healthcare that offers end-to-end encryption, message expiration, remote wipe, and audit logging. The vendor must sign a BAA. Don't shortcut this. If you need to evaluate your current mobile device policies first, our Mobile Devices & PHI training walks through the exact criteria to assess.
2. Write a Texting-Specific Policy
Your HIPAA policies manual likely addresses email and fax. Does it address texting? It should define who can text, what information can be included, which platforms are approved, and what happens when someone violates the policy. Vague policies produce vague compliance.
3. Train Every Person Who Touches a Phone
The Security Rule requires workforce training. That includes clinicians, front desk staff, billers, and anyone with access to PHI on a mobile device. If your team includes remote workers — and in 2026, whose doesn't? — your training must cover the unique risks of texting from home networks and personal devices. Our HIPAA Training for Remote Healthcare Workers is built specifically for this scenario.
4. Enable Device-Level Security
Every device that sends or receives PHI needs a passcode (minimum six characters), automatic lock after inactivity, encryption enabled at the OS level, and remote wipe capability. This applies to personal devices under BYOD policies, too.
5. Implement Message Retention and Disposal Rules
Decide how long messages containing PHI are retained. Configure auto-delete on your platform. Make sure staff know they cannot copy PHI from the secure platform into personal notes, screenshots, or standard text threads.
6. Audit Regularly
Run quarterly audits of your messaging logs. Check for policy violations, unauthorized access, and PHI sent through unapproved channels. The Security Rule's evaluation standard at 45 CFR § 164.308(a)(8) requires periodic technical and nontechnical assessments. Texting should be on the list.
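As an added illustration of the quarterly audit in step 6 (not code from the original post or any vendor), here is a small Python pass over a secure-messaging platform export that flags the policy points from steps 1 through 5: unapproved channels, unenrolled devices, senders outside the trained workforce, patient recipients with no documented texting request, and messages kept past the retention limit. The export format, field names, and the device, workforce and consent lists are assumptions; the log lines are constructed sample data.

```python
# Added example: quarterly audit pass over a secure-messaging export.
# Assumed: one JSON object per line with the fields used below; the device,
# workforce and patient-consent lists come from MDM, HR and the EHR.
import json
from datetime import datetime

APPROVED_CHANNELS = {"secure_app"}          # step 2: platforms approved by policy
MAX_RETENTION_DAYS = 30                     # step 5: retention rule (assumed value)
ENROLLED_DEVICES = {"dev-101", "dev-102"}   # step 4: devices meeting the MDM baseline
WORKFORCE = {"nurse.a", "nurse.b", "md.c"}  # step 3: trained workforce members
PATIENT_CONSENT = {"pt-5001"}               # patients with a documented texting request

# Constructed sample export; no real patient data.
SAMPLE_LOG = """\
{"id":1,"ts":"2026-01-05T18:10:00Z","sender":"nurse.a","recipient":"nurse.b","channel":"secure_app","device":"dev-101","expires":"2026-01-20T00:00:00Z"}
{"id":2,"ts":"2026-01-06T07:02:00Z","sender":"nurse.b","recipient":"nurse.a","channel":"sms","device":"dev-102","expires":null}
{"id":3,"ts":"2026-01-07T09:30:00Z","sender":"md.c","recipient":"pt-5001","channel":"secure_app","device":"dev-999","expires":"2026-01-14T00:00:00Z"}
{"id":4,"ts":"2026-01-08T11:00:00Z","sender":"md.c","recipient":"pt-7777","channel":"secure_app","device":"dev-101","expires":"2026-06-01T00:00:00Z"}
"""

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def audit_message(m):
    """Return the policy findings for one exported message (empty list = clean)."""
    findings = []
    if m["channel"] not in APPROVED_CHANNELS:
        findings.append("unapproved channel: " + m["channel"])
    if m["device"] not in ENROLLED_DEVICES:
        findings.append("unenrolled device: " + m["device"])
    if m["sender"] not in WORKFORCE:
        findings.append("sender not in trained workforce")
    if m["recipient"] not in WORKFORCE and m["recipient"] not in PATIENT_CONSENT:
        findings.append("recipient has no documented texting request")
    if m["expires"] is None:
        findings.append("no message expiration set")
    elif (_ts(m["expires"]) - _ts(m["ts"])).days > MAX_RETENTION_DAYS:
        findings.append("retention exceeds %d days" % MAX_RETENTION_DAYS)
    return findings

def audit_export(text):
    """Map message id -> findings for every message that has at least one."""
    msgs = [json.loads(line) for line in text.splitlines() if line.strip()]
    report = {m["id"]: audit_message(m) for m in msgs}
    return {mid: f for mid, f in report.items() if f}

if __name__ == "__main__":
    for mid, f in audit_export(SAMPLE_LOG).items():
        print("message %d: %s" % (mid, "; ".join(f)))
```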
What If Your Staff Works from Home?
Remote work amplifies every texting risk. Home Wi-Fi networks are less secure. Personal devices are shared with family members. The physical boundary between "work phone" and "personal phone" dissolves completely.
I've consulted with organizations that had solid in-office texting policies but zero guidance for remote staff. That gap becomes a liability the moment someone files a complaint or a device goes missing.
If your workforce includes anyone who accesses PHI outside your facility, your policies need to extend to their home environment. Our Working from Home & PHI training covers exactly how to build and enforce those safeguards.
Real Penalties for Texting Failures
OCR doesn't break out "texting-only" enforcement actions. But mobile device violations — which include texting — have driven some of the largest settlements in HIPAA history.
Beyond the URMC case, consider the OCR enforcement archive. You'll find a pattern: organizations that failed to encrypt ePHI on portable devices, failed to implement device management policies, and failed to train their workforce on mobile risks. Texting sits at the intersection of all three failure points.
Penalties under the HITECH Act can reach $2,067,813 per violation category per year (as adjusted for inflation). A pattern of unencrypted texting across your workforce isn't one violation — it's potentially thousands.
Quick Answer: Are Text Messages HIPAA Compliant?
Standard SMS and consumer messaging apps are not HIPAA compliant. To send HIPAA compliant text messages, you must use a secure messaging platform that provides end-to-end encryption, access controls, audit logging, and message expiration — and the vendor must sign a Business Associate Agreement. Staff must be trained on the policy, and all devices must meet Security Rule requirements for ePHI protection.
Your Next Move
If your organization texts about patients — and statistically, it does — you have two choices. Build a compliant system now, or wait for the breach that forces you to build one under OCR scrutiny.
I've watched organizations pay seven-figure settlements for problems that started with a single unencrypted message on a single unmanaged phone. The fix isn't complicated. It just requires intention.
Start by assessing your current training. Browse the full course catalog at HIPAACertify to find the modules that match your workforce's real-world risks. Then build the policy. Then enforce it. That's the sequence that keeps you off OCR's wall of shame.