In 2023, a dental practice in Texas paid a $50,000 settlement after a staff member texted a patient's diagnosis and insurance details to the wrong phone number using a personal smartphone. The OCR investigation revealed the practice had no policies governing HIPAA SMS communication — no encryption, no device management, no workforce training on texting protocols. This scenario plays out across healthcare organizations of every size, and it is entirely preventable.
Why HIPAA SMS Compliance Catches Organizations Off Guard
Standard SMS is not encrypted. When a workforce member sends a text message containing protected health information through a native texting app, that PHI travels across carrier networks in plain text, gets stored on devices without access controls, and can persist indefinitely in message logs. Under the HIPAA Security Rule (45 CFR § 164.312), covered entities and business associates must implement technical safeguards — including encryption and access controls — to protect electronic PHI in transit and at rest.
The challenge is that texting feels casual. Clinicians and front-desk staff reach for their phones because it's fast. But speed does not override regulatory requirements. OCR has consistently emphasized that convenience cannot come at the expense of PHI protection.
In my work with covered entities, I find that most organizations either ban texting outright (and staff ignore the ban) or allow it with no guardrails. Neither approach works. What works is building a compliant HIPAA SMS framework your workforce will actually follow.
What the Security Rule Actually Requires for Texting PHI
HIPAA does not explicitly prohibit texting. This is the nuance most compliance officers miss. The Security Rule is technology-neutral — it requires you to implement reasonable and appropriate safeguards regardless of the communication channel. For SMS, this means addressing several specific requirements.
Encryption (§ 164.312(a)(2)(iv) and § 164.312(e)(1)): PHI must be encrypted both in transit and at rest. Standard carrier SMS does not meet this requirement. You need a secure messaging platform that encrypts messages end-to-end, or you must document in your risk analysis why encryption is not reasonable and implement an equivalent alternative safeguard.
Access controls (§ 164.312(a)(1)): Any device used to send or receive PHI via text must have unique user identification, automatic logoff, and authentication mechanisms. Personal devices without mobile device management (MDM) create serious gaps here.
Audit controls (§ 164.312(b)): You must be able to track who sent what, to whom, and when. Native SMS apps on personal phones offer no audit trail your compliance team can access.
Integrity controls (§ 164.312(c)(1)): You need mechanisms to ensure PHI in messages hasn't been altered or destroyed improperly.
The Patient Consent Question in HIPAA SMS Communication
Healthcare organizations frequently ask whether patient consent makes standard texting permissible. The answer is more layered than a simple yes or no.
Under the HIPAA Privacy Rule, patients can request to receive their own PHI via unencrypted text. If a patient makes this request, your covered entity must accommodate it — even if the channel is unsecured — as long as you warn the patient of the risks and document their preference. This falls under the individual's right to request confidential communications (45 CFR § 164.522(b)).
However, patient consent does not eliminate your Security Rule obligations for internal communications. Staff-to-staff texts, messages to business associates, and clinical communications containing PHI still require full technical safeguards. A patient opting into text appointment reminders does not authorize your practice to text lab results between providers on personal phones.
Building a Compliant HIPAA SMS Policy Your Staff Will Follow
After helping dozens of organizations address this gap, I recommend a five-step approach:
- Conduct a risk analysis specific to mobile messaging. Document every scenario where your workforce currently texts about patients — between clinicians, to patients, to business associates. Identify the risks for each scenario.
- Deploy a HIPAA-compliant messaging platform. Solutions like TigerConnect, OhMD, Imprivata Cortext, and others provide encrypted messaging with audit trails, remote wipe capabilities, and access controls. These platforms satisfy Security Rule requirements while giving staff the texting experience they want.
- Define minimum necessary standards for text communication. Even on a secure platform, workforce members should only include the minimum PHI necessary for the purpose of the message. Train staff to avoid sending full patient records via any messaging tool.
- Update your Notice of Privacy Practices. If you communicate with patients via text, your NPP should disclose this practice. Patients have a right to know how their PHI may be transmitted.
- Train every workforce member — not just clinicians. Front-desk staff, billing teams, and administrative personnel all handle PHI. Comprehensive HIPAA training and certification ensure that every person in your organization understands the rules around texting PHI, not just the clinical staff.
The Enforcement Reality: OCR Is Watching Mobile Communications
OCR's enforcement priorities have increasingly focused on electronic communications. The 2022 guidance on tracking technologies and the ongoing wave of breach investigations involving email and messaging make one thing clear: mobile communication is not a blind spot for regulators.
A HIPAA violation involving unsecured SMS can trigger Breach Notification Rule obligations under 45 CFR §§ 164.400-414. If unencrypted PHI is sent to the wrong recipient, you must presume a breach has occurred unless you can demonstrate a low probability of compromise through a four-factor risk assessment. For small practices, a single reportable breach involving texting can result in penalties ranging from $100 to $50,000 per violation, with annual maximums reaching $1.5 million per violation category under the Omnibus Rule's tiered penalty structure.
Beyond financial penalties, OCR frequently imposes corrective action plans that require organizations to overhaul policies, retrain their entire workforce, and submit to monitoring for one to three years.
Stop Guessing — Standardize Your HIPAA SMS Practices Now
The gap between how healthcare workers actually communicate and how HIPAA requires them to communicate is where violations happen. Your organization cannot afford to leave HIPAA SMS compliance to individual judgment. You need written policies, compliant technology, and a workforce that understands exactly what is and isn't permitted.
If your team hasn't been trained on secure texting protocols, mobile device policies, and PHI handling in digital communications, that gap is a liability. Start with a structured workforce HIPAA compliance program that covers modern communication scenarios — including texting — so your staff makes the right call every time they pick up their phone.
The organizations that avoid HIPAA SMS violations aren't the ones that ban texting. They're the ones that build systems where secure texting is easier than the alternative.