In 2023, a regional health system paid $850,000 to settle an OCR investigation that traced a data breach back to a single unsecured text message containing a patient's diagnosis and insurance ID. The provider's staff had been texting PHI on personal devices for years — and leadership knew about it. When it comes to HIPAA text messages, the gap between what your workforce actually does and what the regulations require can cost your organization far more than an IT upgrade.
What the HIPAA Security Rule Says About Text Messages
HIPAA does not explicitly ban texting. There is no line in 45 CFR Part 164 that says "thou shalt not text." What the Security Rule does require is that any electronic protected health information (ePHI) transmitted by your covered entity or business associate must be protected by administrative, physical, and technical safeguards.
Standard SMS, the kind built into every smartphone, fails virtually every one of those requirements. Messages sit in plaintext on the handset and in the carrier's systems, are swept into consumer cloud backups outside your control, and are carried without end-to-end encryption, so the carrier and anyone who can tap the signaling network can read them. If a phone is lost, stolen, or compromised, every text containing PHI becomes a potential reportable breach under the Breach Notification Rule (45 CFR §§ 164.400-414).
OCR has made clear in multiple guidance documents and enforcement actions that the transmission security standard (45 CFR § 164.312(e)(1)) applies to any electronic channel your workforce uses to communicate PHI — including text messages.
Why Standard SMS Fails HIPAA Text Messages Compliance
Healthcare organizations consistently struggle with this because standard texting feels instant, simple, and free. But consider what SMS lacks from a HIPAA perspective:
- No end-to-end encryption, in transit or at rest. Messages are readable by the carrier, in device and cloud backups, and from a lock-screen notification preview without unlocking the phone.
- No access controls. Anyone who picks up an unlocked phone can read the thread.
- No audit controls. There is no centralized log of who sent what, when, or to whom.
- No remote wipe capability. If a device is lost, you cannot delete the messages.
- No authentication. SMS is addressed to a phone number, not a verified person, so a mistyped digit or a reassigned number delivers PHI to a stranger, and the sender's number can be spoofed.
Each of these gaps maps directly to a required or addressable implementation specification under the Security Rule. Ignoring them does not make them optional — it makes them a documented risk you chose not to mitigate.
Compliant Alternatives for Sending HIPAA Text Messages
If your organization needs to text about patients — and most clinical teams do — you must implement a solution that meets Security Rule requirements. Several approaches work:
Secure Messaging Platforms
Purpose-built healthcare messaging apps such as TigerConnect, Imprivata Cortext, and OhMD encrypt messages in transit and at rest, require user authentication, maintain audit logs, and allow messages to be recalled or expired remotely. Because the vendor operates the service, verify its encryption and key-management claims and cover it with a BAA rather than taking the marketing sheet at face value. These platforms are designed for HIPAA text messages compliance and integrate with most EHR systems.
Enterprise Mobile Device Management (MDM)
If your workforce uses organization-issued devices, an MDM solution can enforce device encryption, require passcodes and auto-lock, enable remote wipe, and restrict which apps can access PHI, including blocking the native SMS app on supervised or fully managed devices. MDM hardens the device, not the channel: it does not make SMS encrypted, and a text that leaves the phone still travels in plaintext through the carrier. It reduces risk; it does not make SMS compliant.
Patient Communication with Consent
HHS guidance on unencrypted e-mail, which OCR has applied to texting, permits a provider to communicate with a patient over an insecure channel if the patient has been warned of the risks and still asks for it. Record that choice in the patient's file rather than relying on a verbal exchange, and describe electronic communications in your Notice of Privacy Practices. The minimum necessary standard does not technically apply to disclosures to the patient (45 CFR § 164.502(b)(2)(ii)), but treat it as if it did: an appointment reminder does not need a diagnosis or an insurance ID, and the less PHI in the message, the smaller the breach if the phone is not in the patient's hands.
The Risk Analysis Step Most Organizations Skip
Before selecting any texting solution, the Security Rule requires your organization to conduct a thorough risk analysis that includes mobile communications. In my work with covered entities, I've seen dozens of risk assessments that evaluate server rooms and EHR access but completely ignore the text messages flying between clinicians every hour.
Your risk analysis must document how PHI flows through text channels, identify threats and vulnerabilities specific to mobile messaging, and assign risk levels that drive your mitigation decisions. OCR enforcement reviews routinely flag incomplete risk analyses as a primary violation — often carrying penalties that dwarf the cost of the underlying breach.
Workforce Training: The Policy That Actually Prevents Violations
Having a secure messaging platform means nothing if your staff keeps texting PHI on iMessage. Training is required twice over: the Privacy Rule at 45 CFR § 164.530(b) mandates that every member of your workforce, not just clinicians, is trained on your policies and procedures for handling PHI, and the Security Rule at 45 CFR § 164.308(a)(5) requires a security awareness and training program for the same population.
That training must specifically address HIPAA text messages policies: what platforms are approved, what information can be transmitted, what to do if a message is sent to the wrong recipient, and how to report a potential breach. Generic annual training that never mentions texting is not sufficient.
Investing in comprehensive HIPAA training and certification ensures your workforce understands not just the rules but the practical application — including how texting PHI on an unapproved platform can trigger an OCR investigation.
Business Associate Obligations for Texting Platforms
Any third-party messaging vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate. Before your organization sends a single HIPAA text message through its platform, you must have a signed Business Associate Agreement (BAA) in place.
Your BAA is with the messaging vendor; the vendor in turn must hold BAAs with its own subcontractors, such as the cloud provider hosting its infrastructure and any party involved in message delivery, and you should ask to see that chain. A telecom carrier that merely relays an SMS is a conduit, not a business associate, which is one more reason no paperwork can make plain SMS compliant. If a vendor refuses to sign a BAA, it is telling you it cannot or will not meet HIPAA requirements, and you should not use its product for PHI.
What an OCR Investigation Into Texting Looks Like
OCR investigations triggered by texting-related breaches follow a predictable pattern. Investigators request your risk analysis, your mobile device policies, your texting and messaging policies, your BAAs with messaging vendors, and evidence of workforce training. If any of those documents are missing, incomplete, or contradicted by actual practice, you face potential penalties under the HIPAA violation penalty tiers, which as adjusted for inflation in 2023 ran from $137 per violation for unknowing violations up to an annual cap of $2,067,813 for all violations of an identical provision for willful neglect. The amounts are adjusted each year, so check the current table.
The investigation does not end with the breach. OCR will examine your entire compliance program, and deficiencies in one area often reveal systemic failures across your organization.
Build a Texting Policy That Survives an Audit
Your HIPAA text messages policy should be a standalone document — not buried in a 90-page IT manual. At minimum, it must address:
- Approved messaging platforms and prohibited channels
- Types of PHI that may and may not be transmitted via text
- Device security requirements (encryption, passcodes, auto-lock)
- Procedures for lost or stolen devices
- Incident reporting protocols for misdirected messages
- Patient consent and notification requirements
- Sanctions for policy violations
Document that your workforce has read, understood, and acknowledged this policy. Make it part of onboarding and annual refresher training through a structured program like HIPAA Certify's workforce compliance platform.
Texting is not going away in healthcare. The question is whether your organization treats it as a regulated communication channel — or waits for OCR to make that decision for you.